Trusted I/O (TIO) is an appealing solution to improve I/O performance for confidential VMs (CVMs), with the potential to eliminate broad sources of I/O overhead. However, this paper emphasizes that not all types of I/O can derive substantial benefits from TIO, particularly network I/O. Given the obligatory use of encryption protocols for network traffic in the CVM threat model, TIO's approach of encrypting I/O over the PCIe bus becomes redundant. Furthermore, TIO solutions need to expand the Trusted Computing Base (TCB) to include TIO devices and are commercially unavailable. Motivated by these insights, the goal of this paper is to propose a software solution that helps CVMs immediately benefit from high-performance networks while confining trust only to the on-chip CVM. We present FOLIO, a software solution crafted from a secure and efficient Data Plane Development Kit (DPDK) extension compatible with the latest version of AMD Secure Encrypted Virtualization (SEV), a.k.a. Secure Nested Paging (SNP). Our design is informed by a thorough analysis of all possible factors that impact an SNP VM's network performance. By extensively removing overhead sources, we arrive at a design that approaches the efficiency of an optimal TIO-based configuration. Evaluation shows that FOLIO has a performance dip of less than 6% relative to the optimal TIO configuration, while relying only on off-the-shelf CPUs.