Trusted execution environments in several existing and upcoming CPUs demonstrate the success of confidential computing, with the caveat that tenants cannot use accelerators such as GPUs and FPGAs. If the accelerators have TEE support, the user-code executing on the CPU in a confidential VM has to rely on software-based encryption to facilitate communication between VMs and accelerators. Even after hardware changes to enable TEEs on both sides and software changes to adopt existing code to leverage these features, it results in redundant data copies and hardware encryption at the bus-level and on the accelerator thus degrading the performance and defeating the purpose of using accelerators. In this paper, we reconsider the Arm Confidential Computing Architecture (CCA) design-an upcoming TEE feature in Arm v9-to address this gap. We observe that CCA offers the right abstraction and mechanisms to allow confidential VM to use accelerators as a first class abstraction, while relying on the hardware-based memory protection to preserve security. We build Acai, a CCA-based solution, to demonstrate the feasibility of our approach without changes to hardware or software on the CPU and the accelerator. Our experimental results on GPU and FPGA show that Acai can achieve strong security guarantees with low performance overheads.

翻译：现有及多款即将推出的CPU中的可信执行环境展示了机密计算的成功，但存在一个局限：租户无法使用GPU和FPGA等加速器。即便加速器支持TEE，在机密虚拟机中执行的用户代码仍需依赖基于软件的加密来实现虚拟机与加速器之间的通信。即使从硬件层面支持双方TEE、并修改软件以利用这些特性，仍会导致冗余数据复制、总线级及加速器端的硬件加密，从而降低性能、违背使用加速器的初衷。本文重新审视了Arm机密计算架构（CCA）设计（Arm v9即将推出的TEE特性）以解决这一不足。我们发现，CCA提供了恰当的抽象和机制，允许机密虚拟机将加速器作为一等抽象直接使用，同时依靠基于硬件的内存保护来保障安全。我们构建了基于CCA的Acai方案，在不修改CPU和加速器硬件及软件的前提下验证了可行性。在GPU和FPGA上的实验结果表明，Acai能以较低性能开销实现强安全保证。