Poster: Confidential, Attestable, and Efficient Inter-CVM Communication with Arm CCA


Sina Abdollahi, Amir Al Sadi, David Kotz, Marios Kogias, and Hamed Haddadi. Poster: Confidential, Attestable, and Efficient Inter-CVM Communication with Arm CCA. European Conference on Computer Systems (EuroSys), April 2026. ©Copyright the authors. No abstract appears in the ACM proceedings. Later revised as abdollahi:caec-tr.

Abstract:

Confidential Virtual Machines (CVMs) are increasingly adopted to protect sensitive workloads from privileged adversaries such as the hypervisor. While they provide strong isolation guarantees, existing CVM architectures lack first-class mechanisms for inter-CVM data sharing due to their disjoint memory model. Under this model, a CVM’s accessible memory is either shared with the hypervisor or protected from both the hypervisor and all other CVMs. This design simplifies reasoning about memory ownership; however, it fundamentally precludes plaintext data sharing between CVMs because all inter-CVM communication must pass through hypervisor-accessible memory, requiring costly encryption and decryption to preserve confidentiality and integrity.

In this paper, we introduce CAEC, a system that enables protected memory sharing between CVMs. CAEC builds on Arm Confidential Compute Architecture (CCA) and extends its firmware to support Confidential Shared Memory (CSM), a memory region securely shared between multiple CVMs while remaining inaccessible to the hypervisor and all non-participating CVMs. CAECs design is fully compatible with CCA hardware and introduces only a modest increase (4%) in CCA firmware code size.

Citable with [BibTeX]: \cite{abdollahi:caec-poster}

Projects: [splice]

Keywords: [privacy] [security]

Available from the author: [bib] [pdf]
This pdf is the only definitive version available.

Notes:

See this webpage for the CAEC paper and code: https://caec-paper.github.io/.
thumbnail image

[Kotz research]