Confidential, Attestable, and Efficient Inter-CVM Communication with Arm CCA

TL;DR

CAEC addresses the efficiency bottleneck of inter-CVM data sharing caused by the disjoint memory model in confidential virtual machines. By extending Arm CCA with Confidential Shared Memory (CSM) managed through the Realm Management Monitor and attestation-integrated realm identifiers, CAEC enables plaintext memory sharing between mutually attested CVMs without cryptographic overhead. It achieves up to 209x reductions in CPU cycles for inter-CVM communication and 16.6%-28.3% reductions in total memory footprint for large data like LLM weights, while adding only ~4% to the CCA firmware. The work demonstrates practical, scalable cross-CVM collaboration for edge and cloud workloads, and outlines a path for extending CSM to other architectures and future Arm CCA extensions.

Abstract

Confidential Virtual Machines (CVMs) are increasingly adopted to protect sensitive workloads from privileged adversaries such as the hypervisor. While they provide strong isolation guarantees, existing CVM architectures lack first-class mechanisms for inter-CVM data sharing due to their disjoint memory model, making inter-CVM data exchange a performance bottleneck in compartmentalized or collaborative multi-CVM systems. Under this model, a CVM's accessible memory is either shared with the hypervisor or protected from both the hypervisor and all other CVMs. This design simplifies reasoning about memory ownership; however, it fundamentally precludes plaintext data sharing between CVMs because all inter-CVM communication must pass through hypervisor-accessible memory, requiring costly encryption and decryption to preserve confidentiality and integrity. In this paper, we introduce CAEC, a system that enables protected memory sharing between CVMs. CAEC builds on Arm Confidential Compute Architecture (CCA) and extends its firmware to support Confidential Shared Memory (CSM), a memory region securely shared between multiple CVMs while remaining inaccessible to the hypervisor and all non-participating CVMs. CAEC's design is fully compatible with CCA hardware and introduces only a modest increase (4%) in CCA firmware code size. CAEC delivers substantial performance benefits across a range of workloads. For instance, inter-CVM communication over CAEC achieves up to 209$\times$ reduction in CPU cycles compared to encryption-based mechanisms over hypervisor-accessible shared memory. By combining high performance, strong isolation guarantees, and attestable sharing semantics, CAEC provides a practical and scalable foundation for the next generation of trusted multi-CVM services across both edge and cloud environments.

Figures (5)

• Figure 1: Communication modes between two CVMs. (a) Communication through virtualization services, where data must be encrypted and passed via the hypervisor-mediated service. (b) Communication using shared memory provided by the hypervisor, still requiring encryption as the shared memory is accessible to the hypervisor. (c) CAEC, which enables CSM between CVMs. There is no need for encryption as CAEC protects the CSM from hypervisor and other CVMs. Cyan: memory regions accessible to the first CVM, Green: memory regions accessible to the second CVM, Purple: memory regions accessible to the hypervisor.
• Figure 2: Arm CCA 1.0 software architecture. The hypervisor allocates resources (e.g., memory and CPU) for realm VM but cannot access those resources, as the realm VM is running on the other side of the isolation boundaries.
• Figure 3: CAEC System Model
• Figure 4: Overview of CAEC.
• Figure 5: Communication cost between two realms across four modes: plaintext over NW shared memory, encrypted (OpenSSL/MbedTLS) with confidentiality and integrity, and CAEC.