Trusted execution environments in several existing and upcoming CPUs demonstrate the success of confidential computing, with the caveat that tenants cannot securely use accelerators such as GPUs and FPGAs. In this paper, we reconsider the Arm Confidential Computing Architecture (CCA) design, an upcoming TEE feature in Armv9-A, to address this gap. We observe that CCA offers the right abstraction and mechanisms to allow confidential VMs to use accelerators as a first-class abstraction. We build ACAI, a CCA-based solution, with a principled approach of extending CCA security invariants to device-side access to address several critical security gaps. Our experimental results on GPU and FPGA demonstrate the feasibility of ACAI while maintaining security guarantees.