Devlore: Extending Arm CCA to Integrated Devices A Journey Beyond Memory to Interrupt Isolation
METADATA ONLY
Loading...
Author / Producer
Date
2024-08-11
Publication Type
Working Paper
ETH Bibliography
yes
Citations
Altmetric
METADATA ONLY
Data
Rights / License
Abstract
Arm Confidential Computing Architecture (CCA) executes sensitive computation in an abstraction called realm VMs and protects it from the hypervisor, host OS, and other co-resident VMs. However, CCA does not allow integrated devices on the platform to access realm VMs and doing so requires intrusive changes to software and is simply not possible to achieve securely for some devices. In this paper, we present Devlore which allows realm VMs to directly access integrated peripherals. Devlore memory isolation re-purposes CCA hardware primitives (granule protection and stage-two page tables), while our interrupt isolation adapts a delegate-but-check strategy. Our choice of offloading interrupt management to the hypervisor but adding correctness checks in the trusted software allows Devlore to preserve compatibility and performance. We evaluate Devlore on Arm FVP to demonstrate 5 diverse peripherals attached to realm VMs.
Permanent link
Publication status
published
Editor
Book title
Journal / series
Volume
Pages / Article No.
2408.05835
Publisher
Cornell University
Event
Edition / version
v1
Methods
Software
Geographic location
Date collected
Date created
Subject
Cryptography and Security (cs.CR); FOS: Computer and information sciences
Organisational unit
09730 - Shinde, Shweta Shivaji / Shinde, Shweta Shivaji