ACE: Confidential Computing for Embedded RISC-V Systems
Wojciech Ozga, Guerney D. H. Hunt, Michael V. Le, Lennard Gäher, Avraham Shinnar, Elaine R. Palmer, Hani Jamjoom, Silvio Dragone
TL;DR
ACE addresses the challenge of safely running safety- and security-critical embedded software by introducing a VM-based confidential computing framework for embedded RISC-V systems. It blends a lightweight, verifiable architecture (TSM, hypervisor, TVMs) with a verification-friendly design methodology, modular Rust-based implementations, and formal proofs via RefinedRust and Rocq. The authors demonstrate a working ACE prototype on the first virtualization-capable RISC-V hardware, show that memory safety and isolation can be established with a small trusted base, and quantify overheads in boot, I/O, and multi-VM workloads, finding practicality for embedded use cases. The work facilitates higher assurance in regulated environments by providing open-source tooling, local attestation, and a scalable verification workflow that can be extended to other embedded systems requiring formal verification.
Abstract
Confidential computing plays an important role in isolating sensitive applications from the vast amount of untrusted code commonly found in the modern cloud. We argue that it can also be leveraged to build safer and more secure mission-critical embedded systems. In this paper, we introduce the Assured Confidential Execution (ACE), an open-source and royalty-free confidential computing technology targeted for embedded RISC-V systems. We present a set of principles and a methodology that we used to build \ACE and that might be applied for developing other embedded systems that require formal verification. An evaluation of our prototype on the first available RISC-V hardware supporting virtualization indicates that ACE is a viable candidate for our target systems.
