Bridge the Future: High-Performance Networks in Confidential VMs without Trusted I/O devices
arXiv (2024)
Abstract
Trusted I/O (TIO) is an appealing solution to improve I/O performance for
confidential VMs (CVMs), with the potential to eliminate broad sources of I/O
overhead. However, this paper emphasizes that not all types of I/O can derive
substantial benefits from TIO, particularly network I/O. Given the obligatory
use of encryption protocols for network traffic in CVM's threat model, TIO's
approach of I/O encryption over the PCIe bus becomes redundant. Furthermore,
TIO solutions need to expand the Trusted Computing Base (TCB) to include TIO
devices and are commercially unavailable.
Motivated by these insights, the goal of this paper is to propose a software
solution that helps CVMs immediately benefit from high-performance networks,
while confining trust only to the on-chip CVM. We present FOLIO, a software
solution crafted from a secure and efficient Data Plane Development Kit (DPDK)
extension compatible with the latest version of AMD Secure Encrypted
Virtualization (SEV), a.k.a., Secure Nested Paging (SNP). Our design is
informed by a thorough analysis of all possible factors that impact SNP VM's
network performance. By extensively removing overhead sources, we arrive at a
design that approaches the efficiency of an optimal TIO-based configuration.
Evaluation shows that FOLIO has a performance dip less than 6
optimal TIO configuration, while only relying on off-the-shelf CPUs.