Cocos AI — Confidential Computing Foundation

The open foundation
the stack runs on.

Cocos AI is the open-source hardware abstraction layer for Trusted Execution Environments — the transparent, auditable substrate beneath Cube and Prism. Inspect it, fork it, extend it.

View on GitHub Docs ↗
Apache 2.0 ·AMD SEV-SNP ·Intel TDX
cocos — remote attestation 
$ cocos attest --verify
# measuring the confidential VM…
platform     AMD SEV-SNP
measurement  0x9f3c…a17b
policy       debug=off · migrate=off
✓ attestation report verified
✓ workload sealed — host cannot read memory
✓ ready to load model
Open standards

The substrate the whole stack runs on.

Cocos AI is the open-source hardware abstraction layer for Trusted Execution Environments. It turns confidential-computing hardware into a clean, auditable foundation that Cube AI and Prism AI build on — and that anyone can inspect, fork, and extend.

Apache 2.0 ETF University of Belgrade Serbian Innovation Fund Horizon Europe
AMD SEV-SNP
Hardware memory encryption
Intel TDX
Confidential virtual machines
Remote attestation
Verifiable, provable trust
Apache 2.0
Open, auditable, forkable
Powers Cube AI and Prism AI
Why Cocos AI

Confidential by design,
not confidential by promise.

Conventional cloud AI asks you to trust the operator with your data in the clear. Cocos AI removes that trust assumption entirely — the hardware itself enforces and proves your isolation.

Traditional cloud AIConfidential by design
Data in use Decrypted in host memory — visible to the provider and hypervisor. Encrypted in use inside a hardware enclave, opaque to the host.
Trust model "Trust us" — policies, contracts, and good intentions. "Verify" — cryptographic remote attestation of what runs.
Who can see your data The provider, its subprocessors, and a foreign jurisdiction. Only you. Sealed by the CPU, even from the operator.
Transparency A closed, proprietary stack you cannot inspect. Open source, Apache 2.0 — audit every line yourself.
Portability Per-vendor lock-in and bespoke integrations. One HAL across AMD SEV-SNP and Intel TDX.
How it works

From bare hardware
to a sealed workload.

01

Provision a CVM

The Manager spins up a Confidential VM on AMD SEV-SNP or Intel TDX, with the workload's memory encrypted by the CPU from the first instruction.

02

Attest the enclave

Remote attestation measures the VM and verifies it against an expected value; attested TLS then binds a secure channel to that proof.

03

Load data & code

Algorithms and datasets travel over the attested channel and are decrypted only inside the enclave — never visible to the host or operator.

04

Run & return results

The in-enclave agent executes the workload and returns only the agreed output, with cryptographic proof of exactly what ran.

Capabilities

Everything TEE, abstracted.

Cocos AI provides the full confidential-computing lifecycle — from hardware provisioning to workload execution — in one open, auditable library.

AMD SEV-SNP support

Full hardware memory encryption for confidential VMs on AMD processors — weights and tensors stay opaque to the host.

Intel TDX support

Confidential VM execution on Intel processors with hardware-enforced isolation of workloads from the hypervisor.

Remote attestation

Generate and verify cryptographic attestation reports that prove the exact state and integrity of any running enclave.

Manager & agent

A Manager process orchestrates CVMs from outside while an in-enclave Agent handles execution inside, coordinating the full workload lifecycle.

Attested TLS (aTLS)

Level 2 session-bound aTLS channels that cryptographically tie a TLS session to the enclave's attestation, preventing relay attacks.

Algorithm & dataset sealing

Algorithms and datasets are encrypted for the enclave, decrypted only inside — opaque to the host and transit network.

WASM runtime support

Run WebAssembly workloads inside a confidential enclave for language-agnostic, secure execution.

Event & log streaming

In-enclave event streaming and log management for operational visibility without breaking isolation.

Hardware-agnostic HAL

A single abstraction layer that runs the same workloads on AMD SEV-SNP and Intel TDX without TEE-specific code paths.

Consortium & backing

Backed by a consortium,
not a single vendor.

// Lead developer
Ultraviolet

Ultraviolet coordinates the project, builds the user experience, and leads the development and commercialization of the Cocos AI platform.

Visit Ultraviolet
// Research

ETF Belgrade

Original research partner and expertise provider for TEE and cryptographic protocols.

// EU Project

CONFIDENTIAL6G

Quantum-resistant cryptography and security frameworks for 6G confidential computing.

Visit project
// EU Project

ELASTIC

Next-gen network orchestration using WebAssembly and confidential computing for 6G.

Visit project
// EU Project

TITAN

Trusted AI & privacy-preserving technologies building secure AI systems via TEEs.

Visit project
// Funded by

Initiated with support from ETF University of Belgrade and funded by the Innovation Fund from the Republic of Serbia (Project ID 50314). Further developed through EU-funded projects: CONFIDENTIAL6G, TITAN, and ELASTIC.

ETF University of Belgrade Innovation Fund Republic of Serbia European Union
FAQ

Questions about
Cocos AI.

What is Cocos AI?

Cocos AI is an open-source hardware abstraction layer for Trusted Execution Environments (TEEs). It turns AMD SEV-SNP and Intel TDX confidential-computing hardware into a clean, auditable foundation for running private AI workloads.

How does Cocos AI relate to Cube AI and Prism AI?

Cocos AI is the confidential-computing substrate the other Ultraviolet products run on. Cube AI uses Cocos AI when hardware TEE isolation is required; Prism AI runs its multi-party computation inside Cocos AI CVMs for every workload.

What hardware does Cocos AI support?

Cocos AI supports AMD SEV-SNP and Intel TDX, and abstracts both behind a single API so workloads port across hardware without changes.

Is Cocos AI really open source?

Yes. The entire project is Apache 2.0 — inspect, fork, and extend it freely. No proprietary lock-in.

Who funds and governs Cocos AI?

Cocos AI was initiated with support from ETF University of Belgrade and the Serbian Innovation Fund, and has been developed through EU Horizon Europe projects: CONFIDENTIAL6G, TITAN, and ELASTIC. Ultraviolet is a member of the Linux Foundation and the Confidential Computing Consortium.

What is a Trusted Execution Environment?

A TEE is a hardware-isolated region of a CPU where code and data are protected by memory encryption enforced by the processor itself — not by software. The hypervisor, host OS, and cloud operator cannot read or tamper with what runs inside, even with physical access to the machine. AMD SEV-SNP and Intel TDX are the two dominant TEE technologies for confidential VMs.

What is remote attestation, and why does it matter?

Remote attestation is a process where the CPU generates a hardware-signed report describing exactly what code is loaded inside a TEE, including the firmware, kernel, and workload measurement. Any party — a data owner, a regulator, an auditor — can verify this report against expected values before releasing sensitive data into the enclave. It is the cryptographic guarantee that the right code is running unmodified.

What is attested TLS (aTLS)?

Attested TLS is a TLS extension where the TLS handshake is bound to an attestation report from the enclave. This means the remote party can verify not just that the connection is encrypted, but that the server on the other end is a legitimate, unmodified enclave — preventing relay and impersonation attacks that standard TLS cannot catch.

What workloads can I run on Cocos AI?

Cocos AI supports Python and Go workloads natively, and any language that compiles to WebAssembly via its WASM runtime. Common workloads include private model inference, federated learning, confidential data analytics, and multi-party computation. The in-enclave agent coordinates execution, so Cocos AI handles the full workload lifecycle — not just the isolation layer.

How do I get started?

The quickest path is to clone the repository on GitHub, follow the quickstart in the docs, and run a sample workload against a local AMD SEV-SNP or Intel TDX machine. If you don't have confidential hardware, the simulator mode lets you develop and test the full attestation flow on any Linux machine. The free tier of Prism AI also uses Cocos AI under the hood if you want a managed starting point.

One ecosystem

Part of the Ultraviolet
sovereign AI stack.

Three products, designed to work as one.

Sovereign AI Platform

Cube AI

Full-stack private LLM platform — inference, RAG, guardrails, governance, audit.

Explore Cube AI
Secure AI Collaboration

Prism AI

Run joint AI workloads across organizations without exposing any party's data.

Explore Prism AI
Confidential Computing Foundation

Cocos AI

The open-source TEE abstraction layer the rest of the stack is built on.

You are here
— Get started

The foundation is open.
Build on it.

Inspect the source, contribute to the project, or talk to the team about deploying Cocos AI as the foundation for your confidential workloads.

View on GitHub Read the docs
Apache 2.0 · AMD SEV-SNP · Intel TDX