
This paper is accepted by USENIX ATC'24 and ChinaSys'24. Here's some material to help readers better understand the program.


GToad/Confidential-Procedure-Calls-USENIX-ATC24


Confidential Procedure Calls

Abstract

Confidential virtual machines (CVMs), while providing strong data privacy for cloud tenants, pose significant challenges to VM maintenance like live migration and snapshotting. Traditional host-based maintenance, while applicable to conventional VMs, is infeasible for CVMs due to the lack of trust in the host and the prevention of mandated intrusive access from the host. State-of-the-art approaches depend on non-trivial modifications to hardware and firmware and thus lead to notable compromises in security and/or performance. Furthermore, such approaches lack flexibility for upgrades and cross-platform compatibility, hindering the popularity of CVMs on the cloud.

In this paper, we introduce Confidential Procedure Calls (CPCs), a flexible approach to the efficient and secure execution of CVM maintenance modules from within the guest. We have implemented prototypes on two leading CVM platforms. Our prototype on AMD SEV showcases the high performance of CPCs, with 3× (resource reclamation) or even 138× (live migration) faster than existing approaches. Our prototype on ARM CCA further confirms CPCs' outstanding security and flexibility.

Poster

You can also download the poster as a PDF file. A paper timeline for OSDI/ATC'24 has also been added.

Conference

This research has been accepted by USENIX ATC'24 and ChinaSys'24.

You can find the talk in Chinese at CPC-ChinaSys'24.

The talk in English will be available soon at CPC-ATC'24.

Contact Us

Email: chenjiahaosys@gmail.com

Cite

If you find this work helpful for your publication, please cite CPC's ATC'24 paper:

@inproceedings{chen2024cpc,
author = {Jiahao Chen and Zeyu Mi and Yubin Xia and Haibing Guan and Haibo Chen},
title = {{CPC}: Flexible, Secure, and Efficient {CVM} Maintenance with Confidential Procedure Calls},
booktitle = {2024 USENIX Annual Technical Conference (USENIX ATC 24)},
year = {2024},
isbn = {978-1-939133-41-0},
address = {Santa Clara, CA},
pages = {1065--1082},
url = {https://www.usenix.org/conference/atc24/presentation/chen-jiahao},
publisher = {USENIX Association},
month = jul
}
