Building Confidential Accelerator Computing Environment for Arm CCA

Confidential computing is an emerging technique that provides users and third-party developers with an isolated and transparent execution environment. To support this technique, Arm introduced the Confidential Computing Architecture (CCA), which creates multiple isolated regions, known as realms, to ensure data confidentiality and integrity in security-sensitive tasks. However, hardware and firmware supporting confidential accelerator workloads remain unavailable. Moreover, due to incompatible hardware or large trusted computing base (TCB) size, existing studies for protecting acceleration are unsuitable for CCA's realm-style architecture. Thus, there is a need to complement existing Arm CCA capabilities with accelerator support. We present CAGE to support confidential accelerator computing for Arm CCA, ensuring data security with CCA's existing security features. To adapt the accelerator workflow to CCA's realm-style architecture, CAGE proposes a novel shadow task mechanism to manage confidential accelerator applications flexibly. Additionally, CAGE leverages the memory isolation mechanism in Arm CCA to protect data confidentiality and integrity from the strong adversary. CAGE also optimizes security operations in memory isolation to mitigate performance overhead. Without hardware changes, we design and implement CAGE on two types of accelerators: Unified-memory GPU and generic FPGA. Our evaluation shows that CAGE effectively provides confidential accelerator support for Arm CCA with moderate overhead.