Confidential, Attestable, and Efficient Inter-CVM Communication with Arm CCA

This paper presents CAEC, a system built on Arm Confidential Compute Architecture that introduces Confidential Shared Memory to enable secure, high-performance, and attestable direct data sharing between Confidential Virtual Machines while remaining inaccessible to the hypervisor.

The Gist

Imagine you are running a high-security bank vault. Inside this vault, you have several different departments: one handles customer data, another manages investments, and a third processes loans. In the current world of "Confidential Virtual Machines" (CVMs), these departments are like glass-walled rooms.

Here's the problem: The glass walls are so thick and secure that no one can see or talk to anyone else without going through the Bank Manager (the Hypervisor).

The Current Problem: The "Glass Wall" Bottleneck

In today's secure computing systems (like Arm CCA), each department (CVM) has its own private, locked room.

• The Good News: The Bank Manager (who controls the building) cannot peek inside. Even if the Manager is evil or hacked, the data inside remains safe.
• The Bad News: If the Investment team wants to share a spreadsheet with the Loan team, they can't just walk over and hand it to them. They have to:
  1. Walk out of their room.
  2. Give the paper to the Bank Manager.
  3. The Manager puts the paper in a heavy, locked safe (encryption) so no one steals it.
  4. The Manager walks it to the Loan team.
  5. The Loan team unlocks the safe to read it.

This process is incredibly slow and wastes a lot of energy (CPU cycles). It's like sending a letter via a courier who has to stop at a post office, lock it in a box, drive it across town, and then unlock it again just to deliver it.

The Solution: CAEC (The "Secret Tunnel")

The authors of this paper, Sina, Amir, David, Marios, and Hamed, built a system called CAEC.

Think of CAEC as digging a secret, reinforced tunnel directly between the Investment room and the Loan room.

• The Tunnel is Invisible: The Bank Manager doesn't know the tunnel exists. They can't see inside it, and they can't touch the data flowing through it.
• No Locks Needed: Because the tunnel is physically separated from the Manager's control, the Investment team can just hand the paper directly to the Loan team. No heavy safes, no encryption, no delays.
• Strict Rules: You can't just dig a tunnel to anyone. You need a special key (called Attestation) that proves the other team is who they say they are and is running the right software. Once verified, the tunnel opens.

How It Works (The Metaphor)

1. The Setup: The system uses a new type of "blueprint" (Arm CCA) that allows for these secret tunnels.
2. The Agreement: The Investment team (Provider) says, "I want to share this data." The Loan team (Consumer) says, "I agree to receive it."
3. The Verification: A trusted notary (the RMM firmware) checks their IDs. "Yes, you are both legitimate. You can share."
4. The Connection: The system creates a shared space (Confidential Shared Memory) that both rooms can see, but the Bank Manager cannot.
5. The Result: Data flows instantly.

Why This Matters (The Real-World Impact)

The paper tested this with some heavy tasks, like running Large Language Models (LLMs) (the brains behind AI chatbots).

• Speed: When two AI models needed to talk to each other, the old way (going through the Manager with locks) was 209 times slower than the new CAEC way. That's the difference between waiting an hour for a coffee and getting it instantly.
• Memory Savings: Imagine two departments both needing a giant encyclopedia (a 10GB AI model).
  • Old Way: Each department buys their own copy. You need 20GB of memory.
  • CAEC Way: They share one copy through the secret tunnel. You only need 10GB.
  • Result: The system saved up to 28% of its memory, which is huge for saving money on servers and making devices (like phones) run cooler and longer.

The Bottom Line

CAEC is like upgrading a building from having only glass walls (where you need a manager to pass messages) to having secure, private hallways between rooms.

It keeps the data safe from the building manager and hackers, but it lets the people inside work together as if they were in the same room. This makes secure computing faster, cheaper, and ready for the next generation of AI and collaborative apps.

In short: CAEC lets secure computers talk to each other directly, without the slow, expensive middleman, while keeping the secrets safe.

Technical Summary

1. Problem Statement

Confidential Virtual Machines (CVMs) are designed to protect sensitive workloads from privileged adversaries, such as the hypervisor, by providing strong isolation guarantees. However, existing CVM architectures (including Arm CCA, AMD SEV-SNP, and Intel TDX) rely on a disjoint memory model. In this model:

• Each CVM owns protected memory isolated from the hypervisor and other CVMs.
• CVMs cannot create memory regions shared only between themselves that are invisible to the hypervisor.
• The Bottleneck: To exchange data, CVMs must route communication through hypervisor-accessible memory (e.g., virtual sockets or shared memory). This forces the use of expensive encryption and decryption for every data transfer to maintain confidentiality and integrity.
• Inefficiency: This design prevents memory deduplication (e.g., sharing large ML model weights across CVMs) and creates significant CPU overhead, which is particularly detrimental for emerging workloads like compartmentalized AI agents and collaborative machine learning.

2. Methodology: CAEC System Design

The authors introduce CAEC (Confidential, Attestable, and Efficient Inter-CVM Communication), a system built on Arm Confidential Compute Architecture (CCA) that enables Confidential Shared Memory (CSM). CSM is a memory region securely shared between multiple CVMs while remaining inaccessible to the hypervisor and non-participating CVMs.

Key Architectural Components

• Firmware Extension (RMM): CAEC extends the Realm Management Monitor (RMM), the trusted firmware component in Arm CCA. It does not require hardware modifications.
• Ownership Model:
  • Provider Realm (P-realm): The creator and manager of the CSM region. It contributes memory, defines access permissions (read-only/read-write), and grants access to others.
  • Consumer Realm (C-realm): A realm that joins an existing CSM region to access the shared data.
• Access Policy Table (APT): A new metadata structure managed by the RMM for each realm. It tracks CSM regions, mapping base addresses, sizes, and access permissions. It ensures that access control is enforced at the firmware level.
• Attestation-Integrated Identifiers: To prevent impersonation, CAEC introduces a unique, system-wide Realm Identifier. This identifier is:
  • Assigned by the RMM upon realm creation.
  • Included as a claim in the attestation token (cryptographically bound to the realm's software configuration).
  • Verified by realm owners before establishing CSM links, ensuring that only attested, trusted peers can share memory.
• Lifecycle Management:
  1. Creation: P-realm requests CSM creation via RSI commands; RMM validates and notifies the hypervisor to populate physical memory.
  2. Sharing: P-realm initiates sharing with a specific C-realm ID. C-realm reserves a matching address space.
  3. Attachment: RMM validates mutual agreement and updates the Realm Translation Tables (RTTs) to map the same physical granules into both realms' address spaces with appropriate permissions.
  4. Revocation: P-realm can revoke access, causing the RMM to unmap the region from the C-realm's RTT and flush TLBs.

3. Key Contributions

1. First CSM Implementation for CVMs: CAEC is the first system to support dynamic, writable, confidential shared memory between multiple CVMs without hardware changes.
2. Principled Security Model: It introduces a strict ownership model and access control rules that prevent unauthorized access, ensuring CSM remains invisible to the hypervisor and non-participating realms.
3. Minimal Overhead: The implementation adds only 1,062 lines of code to the RMM (a 4% increase in firmware size), demonstrating high compatibility with existing CCA stacks.
4. Scalability: Unlike previous enclave sharing solutions (e.g., Elasticlave) limited by hardware registers, CAEC supports an unbounded number of shared regions per CVM and system-wide.

4. Evaluation Results

The authors evaluated CAEC using Arm's Fixed Virtual Platform (FVP) for functional correctness and the OPENCCA prototype on Radxa Rock 5B hardware for performance.

• Communication Performance:
  • CAEC achieves up to 209× reduction in CPU cycles compared to encryption-based communication over hypervisor-accessible shared memory.
  • Latency is reduced by 24×–212× and throughput increased by 26×–204× compared to OpenSSL-based encryption.
  • Performance is equivalent to plaintext communication over normal world memory, proving that the overhead is eliminated entirely by removing the need for crypto.
• Memory Efficiency (LLM Sharing):
  • In scenarios sharing Large Language Models (LLMs) between realms, CAEC reduces the total system memory footprint by 16.6% to 28.3%, depending on model size and the number of participating realms.
• Runtime Overhead:
  • Running an inference model from CSM incurs zero additional latency compared to running it from private realm memory.

5. Significance and Future Impact

• Enabling Collaborative Confidential Computing: CAEC solves the fundamental barrier preventing efficient collaboration between isolated CVMs. This is critical for multi-party AI, where different organizations or compartments need to share models or data without trusting the hypervisor or exposing data to each other.
• Edge and Cloud Scalability: By enabling memory deduplication and reducing CPU overhead, CAEC makes confidential computing viable for memory-constrained edge devices and cost-sensitive cloud environments.
• Future-Proof Design: The authors demonstrate that CAEC is compatible with future Arm CCA extensions (e.g., Planes, Memory Encryption Contexts) and discuss how similar concepts could be adapted (with varying difficulty) to AMD SEV-SNP and Intel TDX.
• Open Source: The authors commit to open-sourcing the code upon acceptance, fostering further research in trusted inter-domain communication.

In conclusion, CAEC represents a paradigm shift in confidential computing, moving from strictly isolated "silos" to a model where trusted, attested entities can share resources efficiently and securely, unlocking new possibilities for collaborative and compartmentalized secure systems.