Collaborative computation across organizations is often constrained by the need to process sensitive data and proprietary code without exposing them to untrusted infrastructure or participants. Cryptographic approaches such as fully homomorphic encryption and secure multi-party computation provide strong confidentiality but remain impractical for general workloads due to their extreme computational cost. We present the Two-Way Confidential Virtual Machine (2cVM), a two-layer architecture that pairs a hardware trusted execution environment with an intra-workload isolation layer. Unlike regular Confidential Virtual Machines, 2cVM enforces mutual isolation between co-resident workloads, ensuring that participants retain control over their data and code. All computation in 2cVM is governed by a Commitment Manifest that enumerates participants, component composition, permitted data channels, and authorized outputs; the manifest is locked to the VM and incorporated into attestation evidence, making the policy immutable and independently verifiable throughout the VM's lifetime. A proof-of-concept realization combines AMD SEV-SNP for hardware protection with the WebAssembly Component Model for fine-grained sandboxing of participant code. Evaluation on commodity hardware across four benchmark classes shows that the two isolation layers do not accumulate linearly: once a workload executes inside the WebAssembly sandbox, the marginal cost of enabling hardware memory protection is small. Overhead is workload-dependent, governed primarily by memory access pattern, ranging from negligible for sequential workloads to approximately 2x for irregular, pointer-chasing access patterns. These results indicate that 2cVM provides a practical and verifiable foundation for privacy-preserving collaborative computation.
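The abstract says the Commitment Manifest is locked to the VM and incorporated into attestation evidence so that the policy is immutable and independently verifiable. The following is an added illustration of that binding pattern, not code from the 2cVM paper or its prototype: the guest hashes a canonical encoding of the manifest and places the digest in the guest-supplied 64-byte REPORT_DATA field of an SEV-SNP attestation report (SHA-512 fits that field exactly), and a relying party releases an output only if the manifest it was handed hashes to that value, the launch measurement matches, and the manifest authorizes the output. The manifest schema, the field names, the report layout and the measurement value are all assumptions; the VCEK signature check a real verifier performs against AMD's certificate chain is omitted.

```python
"""Binding a Commitment Manifest into attestation evidence and gating outputs on it.

Added illustration, not code from the 2cVM paper. The manifest schema, the
report layout and the measurement value are assumptions; real SEV-SNP reports
are signed by the VCEK and must be verified against AMD's certificate chain
before any of the fields below are trusted.
"""
import copy
import hashlib
import json

# Constructed manifest: participants, component composition, permitted data
# channels and authorized outputs (field names are an assumption).
MANIFEST = {
    "participants": ["org-a", "org-b"],
    "components": {
        "org-a:model": {"owner": "org-a", "digest": "sha256:constructed-a"},
        "org-b:records": {"owner": "org-b", "digest": "sha256:constructed-b"},
        "join": {"owner": "org-a", "digest": "sha256:constructed-c"},
    },
    "channels": [
        {"from": "org-b:records", "to": "join"},
        {"from": "org-a:model", "to": "join"},
    ],
    "outputs": [{"from": "join", "to": "org-a", "name": "aggregate"}],
}

# Constructed stand-in for the 48-byte (SHA-384) launch measurement the
# verifier expects for the known-good guest image.
EXPECTED_MEASUREMENT = hashlib.sha384(b"constructed guest image").hexdigest()


def canonical_bytes(manifest):
    """Deterministic encoding so guest and verifier hash identical bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def manifest_digest(manifest):
    """SHA-512 of the canonical manifest: 64 bytes, the size of SNP REPORT_DATA."""
    return hashlib.sha512(canonical_bytes(manifest)).digest()


def build_report(manifest, measurement_hex):
    """Stand-in for the guest requesting an SNP report with REPORT_DATA set to
    the manifest digest. A real report carries these fields plus a VCEK
    signature over them; that signature is not modelled here."""
    return {
        "measurement": measurement_hex,
        "report_data": manifest_digest(manifest).hex(),
    }


def verify_binding(report, manifest, expected_measurement_hex):
    """Verifier side: accept the manifest only if the VM is the expected image
    and the manifest hashes to the REPORT_DATA the firmware included."""
    if report["measurement"] != expected_measurement_hex:
        return False
    return report["report_data"] == manifest_digest(manifest).hex()


def channel_allowed(manifest, src, dst):
    """A component may read from another only over an enumerated channel."""
    return any(c["from"] == src and c["to"] == dst for c in manifest["channels"])


def output_allowed(manifest, component, recipient):
    """A result may leave the VM only if the manifest authorizes that output."""
    return any(o["from"] == component and o["to"] == recipient
               for o in manifest["outputs"])


def release_output(report, manifest, expected_measurement_hex, component, recipient):
    """Gate a release on both checks: an unverified manifest releases nothing,
    and a verified one releases only what it authorizes."""
    if not verify_binding(report, manifest, expected_measurement_hex):
        return False
    return output_allowed(manifest, component, recipient)


def with_extra_output(manifest, component, recipient):
    """Return a copy of the manifest with one added output (models tampering
    after the report was issued)."""
    altered = copy.deepcopy(manifest)
    altered["outputs"].append({"from": component, "to": recipient, "name": "leak"})
    return altered


if __name__ == "__main__":
    report = build_report(MANIFEST, EXPECTED_MEASUREMENT)
    print("genuine manifest accepted:", verify_binding(report, MANIFEST, EXPECTED_MEASUREMENT))
    altered = with_extra_output(MANIFEST, "join", "org-b")
    print("tampered manifest accepted:", verify_binding(report, altered, EXPECTED_MEASUREMENT))
    print("leak released:", release_output(report, altered, EXPECTED_MEASUREMENT, "join", "org-b"))
```

The point of the last two checks is the failure mode the abstract's "immutable" claim is about: a participant who edits the manifest to add an output for themselves produces a document that is internally permissive but no longer matches the digest the firmware signed, so the release gate refuses it regardless of what the altered policy says.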