Runs outside the chip boundary
Requests services via protocols
Handles application logic
Security Boundary
Strict interface contracts
Inside the chip, minimal TCB
Security-critical logic
Secrets remain protected
Separation simplifies threat modeling — only attested results are exposed to the host.