by piccirello 734 days ago
> The Secure Enclave randomizes the data volume’s encryption keys on every reboot and does not persist these random keys, ensuring that data written to the data volume cannot be retained across reboot. In other words, there is an enforceable guarantee that the data volume is cryptographically erased every time the PCC node’s Secure Enclave Processor reboots.
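Added example, not part of the submission or of Apple's code: a toy Python model of the quoted property. The Secure Enclave is modelled as an in-memory key that is regenerated on every `boot()` and never written to the dict standing in for the data volume; the SHA-256 keystream plus HMAC tag is an assumed stand-in for whatever volume cipher a real node uses, so the point is the key lifecycle, not the cipher. It also shows the flip side raised in the replies: between reboots every transaction shares the same key, so a later transaction in the same boot epoch can still read an earlier one's data.

```python
import hashlib
import hmac
import os

# Added example (not Apple's code). The "Secure Enclave" here is just an
# in-memory key that is regenerated on every boot() and never stored in
# self.disk, which is the only state that survives a reboot. The cipher is a
# SHA-256 keystream with an HMAC tag, an assumed stand-in for the AES-based
# volume encryption a real node would use.

class CryptoErasedVolume:
    def __init__(self):
        self.disk = {}          # persists across reboots: nonce + ciphertext + tag only
        self.boot_epoch = 0
        self._volume_key = None
        self.boot()

    def boot(self):
        """Simulate an SEP reboot: fresh random volume key, old key forgotten."""
        self._volume_key = os.urandom(32)
        self.boot_epoch += 1

    def _subkeys(self):
        # Separate encryption and MAC keys derived from the per-boot volume key.
        enc = hmac.new(self._volume_key, b"enc", hashlib.sha256).digest()
        mac = hmac.new(self._volume_key, b"mac", hashlib.sha256).digest()
        return enc, mac

    @staticmethod
    def _keystream(enc_key, nonce, n):
        # Counter-mode keystream built from SHA-256 (toy stand-in for AES-CTR).
        out = b""
        counter = 0
        while len(out) < n:
            out += hashlib.sha256(enc_key + nonce + counter.to_bytes(8, "big")).digest()
            counter += 1
        return out[:n]

    def write(self, name, plaintext):
        enc, mac = self._subkeys()
        nonce = os.urandom(16)
        ks = self._keystream(enc, nonce, len(plaintext))
        ct = bytes(a ^ b for a, b in zip(plaintext, ks))
        tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()   # encrypt-then-MAC
        self.disk[name] = nonce + ct + tag

    def read(self, name):
        """Return plaintext, or None if the record cannot be authenticated under
        the current boot's key, i.e. it has been cryptographically erased."""
        blob = self.disk.get(name)
        if blob is None:
            return None
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        enc, mac = self._subkeys()
        expected = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None
        ks = self._keystream(enc, nonce, len(ct))
        return bytes(a ^ b for a, b in zip(ct, ks))


def demo():
    node = CryptoErasedVolume()
    node.write("req-1", b"user prompt from transaction 1")   # constructed sample data
    # Same boot epoch: a later transaction can still read earlier data, because
    # the erasure guarantee is per SEP reboot, not per transaction.
    same_epoch = node.read("req-1")
    node.boot()                        # SEP reboot: key re-randomised, never persisted
    after_reboot = node.read("req-1")  # ciphertext is still on disk, the key is gone
    return same_epoch, after_reboot, len(node.disk)


if __name__ == "__main__":
    print(demo())
```

The bytes stay on the "disk" after the reboot; what changes is that nothing can authenticate or decrypt them, which is exactly the property the quoted paragraph calls cryptographic erasure.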

Feels like an uptime screenshot would be appropriate here
PCC node execution should be per-transaction, i.e. relatively short lived.
The server can't afford to do one transaction then reboot.
Intel and AMD server processors can use DRTM late launch for fast attested restart, https://www.semanticscholar.org/paper/An-Execution-Infrastru.... If future Apple Silicon processors can support late launch, then PCC nodes can reduce intermingling of data from multiple customer transactions.

> The server can't afford

What reboot frequency is affordable for PCC nodes?