Integrity is critical for maintaining system security, as it ensures that only genuine software is loaded onto a machine. Although confidential virtual machines (CVMs) run in environments isolated from the host, users still face challenges in retaining control over the integrity of the code running within trusted execution environments (TEEs). The presence of a full-featured operating system (OS) inside the guest means that arbitrary code can be created and executed dynamically, so user applications within the TEE can be interfered with or tampered with if the guest OS is compromised. This paper introduces NestedSGX, which leverages virtual machine privilege levels (VMPL), a recent hardware feature available on AMD SEV-SNP, to enable the creation of hardware enclaves within the guest VM. Like Intel SGX, NestedSGX treats the guest OS as untrusted, since it may load potentially malicious code, and ensures that only trusted, measured code executed within the enclave can be remotely attested. To protect existing applications seamlessly, NestedSGX aims for compatibility with Intel SGX by simulating the SGX leaf functions. We have also ported the SGX SDK to NestedSGX, so existing SGX toolchains and applications can be used on the system. Performance evaluations show that context switches in NestedSGX take about 35,000-37,000 cycles, approximately 2-3 times that of Intel SGX. NestedSGX incurs minimal overhead in most real-world applications, with an average overhead below 5% for most workloads and 22.7% for I/O-intensive workloads.
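The security argument above rests on one mechanism: the guest OS may load whatever pages it likes into an enclave, but the measurement of those pages is taken by a component the OS cannot modify, and only a report over that measurement can be remotely attested. The following toy model, added here as an illustration and not code from the NestedSGX paper or its prototype, shows that flow end to end. A `PrivilegedMonitor` class stands in for the higher-privilege component (the abstract's VMPL-based enclave manager); a constructed HMAC key stands in for the hardware-held attestation key; the page contents, enclave IDs and function names are all assumptions made for the example. The verifier's decision depends only on the measurement, so an enclave whose code was altered by a compromised guest OS produces a report the verifier rejects, and a report fabricated by the OS itself fails MAC verification.

```python
"""Toy measurement-and-attestation flow (constructed example, not NestedSGX code)."""
import hashlib
import hmac

# Constructed stand-in for a platform key held by hardware / the higher
# privilege level. In a real system the guest OS never sees this value.
_PLATFORM_KEY = b"constructed-platform-key-for-illustration-only"


def measure(pages):
    """Hash enclave pages in address order, including each page's offset.

    This mirrors the idea that an enclave measurement covers both the
    content and the placement of every page added to it.
    """
    h = hashlib.sha256()
    for offset, content in sorted(pages.items()):
        h.update(offset.to_bytes(8, "little"))
        h.update(content)
    return h.digest()


class PrivilegedMonitor:
    """Models the component the guest OS cannot tamper with (assumed name).

    It records the pages loaded into each enclave and is the only party
    able to produce a report bound to the platform key.
    """

    def __init__(self):
        self._enclaves = {}

    def create_enclave(self, eid, pages):
        # The (untrusted) OS supplies the pages; the monitor keeps its own copy.
        self._enclaves[eid] = dict(pages)

    def attest(self, eid, report_data):
        measurement = measure(self._enclaves[eid])
        mac = hmac.new(_PLATFORM_KEY, measurement + report_data,
                       hashlib.sha256).digest()
        return {"measurement": measurement, "report_data": report_data,
                "mac": mac}


def verify_report(report, expected_measurement):
    """Remote verifier: check the report's MAC, then compare the measurement
    against the value computed from the known-good enclave image."""
    expected_mac = hmac.new(_PLATFORM_KEY,
                            report["measurement"] + report["report_data"],
                            hashlib.sha256).digest()
    if not hmac.compare_digest(report["mac"], expected_mac):
        return False
    return hmac.compare_digest(report["measurement"], expected_measurement)


def run_scenario():
    """Returns (genuine_accepted, tampered_accepted, forged_accepted)."""
    # Constructed enclave image; the verifier knows this image in advance.
    genuine_pages = {0x0000: b"entry: ecall dispatch", 0x1000: b"data: secrets"}
    expected = measure(genuine_pages)
    nonce = b"verifier-nonce-01"  # constructed freshness value

    monitor = PrivilegedMonitor()

    # 1. Honest guest OS loads the genuine image.
    monitor.create_enclave("good", genuine_pages)
    genuine_ok = verify_report(monitor.attest("good", nonce), expected)

    # 2. Compromised guest OS loads a modified entry page.
    tampered_pages = dict(genuine_pages)
    tampered_pages[0x0000] = b"entry: leak secrets"
    monitor.create_enclave("bad", tampered_pages)
    tampered_ok = verify_report(monitor.attest("bad", nonce), expected)

    # 3. Compromised guest OS forges a report claiming the genuine measurement
    #    but cannot produce a valid MAC without the platform key.
    forged = {"measurement": expected, "report_data": nonce,
              "mac": hashlib.sha256(expected + nonce).digest()}
    forged_ok = verify_report(forged, expected)

    return genuine_ok, tampered_ok, forged_ok


if __name__ == "__main__":
    print(run_scenario())
```

The model deliberately uses a symmetric MAC so it runs with the standard library alone; a real attestation report is signed with an asymmetric key whose public half is certified by the vendor, which is what lets a remote party verify it without sharing a secret. What carries over is the structural point: the guest OS controls what is loaded, but not what is measured or how the report is keyed, so tampering changes the measurement rather than hiding it.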