CAGE: Complementing Arm CCA with GPU Extensions

Chenxu Wang

Network and Distributed System Security (NDSS) Symposium 2024 · Day 2 · Platform Security

Confidential computing stands as a cornerstone in modern data security, promising isolated and transparent execution environments that shield sensitive data from a spectrum of threats, including malicious applications, untrusted clients, and even cloud infrastructure providers. While major industry players like Intel, AMD, and IBM have introduced their own hardware primitives—such as Intel TDX, AMD SEV, and IBM PEF—Arm, a dominant force in the semiconductor industry, has responded with its Confidential Compute Architecture (CCA) and Realm Management Extensions (RME). Arm CCA introduces "realms" as the fundamental unit of a confidential environment, isolated by a lightweight hypervisor known as the Realm Management Monitor (RMM). However, a significant gap persists in Arm's confidential computing vision: the lack of robust, hardware-backed support for GPUs, which are indispensable for high-performance computing and AI workloads.