Workload and Model Lifecycle
The model provider builds the workload image through a controlled pipeline. The image contains the inference server, startup logic, model bootstrap, certificate handling, and health endpoints. It excludes unnecessary packages and disables interactive admin paths. Any break-glass path is approved separately.
The CC software provider and platform operator control the confidential guest, runtime policy, and Trustee/KBS configuration that make the pod measurable. Those artifacts are part of the trust boundary too. Changes to policy-relevant artifacts can change attestation evidence and therefore the key-release decision.
Model weights stay encrypted outside the confidential pod. They can ride inside the image as encrypted files, mount from encrypted storage, or be fetched from an artifact service after boot. Plaintext weights exist only inside protected CPU/GPU memory; they are never exposed to the host, and they may be written to encrypted in-guest storage only when policy allows.
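The two ideas above, that policy-relevant artifacts are part of the measured trust boundary and that weights are decrypted only inside the guest, are easiest to see as one key-release flow. The following is an added example, not code from this document's project: the KBS role, the `measure`/`release_key` names, the sample artifact bytes and the HMAC-based toy cipher are all constructed for illustration. A real deployment uses the guest's hardware attestation report, Trustee/KBS reference values and a standard AEAD such as AES-GCM in place of the stand-ins here.

```python
"""Constructed example: attestation-gated release of a model-weights key.

Added illustration only. `measure`, `release_key`, the sample artifact bytes
and the toy HMAC-based cipher are assumptions for demonstration; they are not
the page's project code, and the cipher is not a production AEAD.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# --- Constructed policy-relevant artifacts (stand-ins for real bytes) -------
IMAGE = b"inference-server:v1 (no shell, health endpoints only)"
RUNTIME_POLICY = b"exec_process: false\nallowed_images: [inference-server:v1]\n"
KBS_CONFIG = b"resource_policy: release model-key only to a measured guest\n"


@dataclass(frozen=True)
class Evidence:
    """What the guest presents to the KBS: a digest per trust-boundary artifact
    (a stand-in for a real attestation report)."""
    image_digest: str
    policy_digest: str
    kbs_config_digest: str


def measure(image: bytes, policy: bytes, kbs_config: bytes) -> Evidence:
    """Measure each artifact separately so a change to any one of them changes
    the evidence, and therefore the key-release decision."""
    d = lambda b: hashlib.sha256(b).hexdigest()
    return Evidence(d(image), d(policy), d(kbs_config))


# Reference values the KBS was provisioned with: the approved configuration.
REFERENCE = measure(IMAGE, RUNTIME_POLICY, KBS_CONFIG)


def release_key(evidence: Evidence, key_store: Dict[str, bytes]) -> Optional[bytes]:
    """KBS decision: release the model key only when every measured field
    matches its reference value. Constant-time comparison does not reveal
    which field differed."""
    ok = True
    for field in ("image_digest", "policy_digest", "kbs_config_digest"):
        ok &= hmac.compare_digest(getattr(evidence, field), getattr(REFERENCE, field))
    return key_store["model-key"] if ok else None


# --- Toy cipher for the weights blob (demonstration only, not an AEAD) ------
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_weights(key: bytes, plaintext: bytes) -> bytes:
    """Provider-side step before publishing: returns nonce || ciphertext || tag.
    This blob is the only form of the weights the host ever sees."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_weights(key: bytes, blob: bytes) -> bytes:
    """Guest-side step after key release: verify the tag before producing any
    plaintext, so a modified blob yields an error rather than garbage weights."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("weights blob failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def run_scenario() -> Dict[str, bool]:
    """Approved guest: key released, weights recovered in guest memory.
    Guest whose runtime policy now permits exec (an interactive admin path):
    key withheld, blob stays opaque."""
    model_key = secrets.token_bytes(32)
    key_store = {"model-key": model_key}
    weights = b"\x00\x01" * 64  # constructed stand-in for weight tensors
    blob = encrypt_weights(model_key, weights)

    good = release_key(measure(IMAGE, RUNTIME_POLICY, KBS_CONFIG), key_store)
    changed_policy = RUNTIME_POLICY.replace(b"exec_process: false", b"exec_process: true")
    bad = release_key(measure(IMAGE, changed_policy, KBS_CONFIG), key_store)

    return {
        "approved_guest_released": good is not None,
        "approved_guest_recovers_weights": good is not None and decrypt_weights(good, blob) == weights,
        "changed_policy_released": bad is not None,
    }


if __name__ == "__main__":
    print(run_scenario())
```

The point the scenario makes is the one the text states: the runtime policy is measured alongside the image, so an operator edit that re-enables an exec path produces different evidence and the KBS withholds the key, leaving the weights blob unreadable on that guest. Separately measuring each artifact also makes it clear, in audit logs, which part of the trust boundary drifted.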
Model artifacts never exist in host-readable form. Any temporary readable artifacts stay inside confidential guest temporary storage and are cleaned up at shutdown.
Lifecycle controls are listed in Appendix D.