ACAI: Extending Arm Confidential Computing Architecture Protection from CPUs to Accelerators. (arXiv:2305.15986v1 [cs.CR])

Trusted execution environments in several existing and upcoming CPUs
demonstrate the success of confidential computing, with the caveat that tenants
cannot use accelerators such as GPUs and FPGAs. If the accelerators have TEE
support, the user-code executing on the CPU in a confidential VM has to rely on
software-based encryption to facilitate communication between VMs and
accelerators. Even after hardware changes to enable TEEs on both sides and
software changes to adopt existing code to leverage these features, it results
in redundant data copies and hardware encryption at the bus-level and on the
accelerator thus degrading the performance and defeating the purpose of using
accelerators. In this paper, we reconsider the Arm Confidential Computing
Architecture (CCA) design-an upcoming TEE feature in Arm v9-to address this
gap. We observe that CCA offers the right abstraction and mechanisms to allow
confidential VM to use accelerators as a first class abstraction, while relying
on the hardware-based memory protection to preserve security. We build Acai, a
CCA-based solution, to demonstrate the feasibility of our approach without
changes to hardware or software on the CPU and the accelerator. Our
experimental results on GPU and FPGA show that Acai can achieve strong security
guarantees with low performance overheads.