Go to DBLP homepageCubeVisor: A Multi-realm Architecture Design for Running VM with ARM CCA
Abstract: Cloud computing nowadays provides flexible and scalable computing services, using different hardware platforms, including ARM. Virtualization allows multiple virtual machines (VMs) to share the physical resources of a host machine. However, these technologies have security risks. The hypervisor is the software that controls VMs, and it can be exploited or manipulated by hackers or untrusted providers. ARM CCA, a novel feature of ARMv9-A, allows confidential VMs to run in a new security state called realm. However, the current CCA prototype still has some problems, including risks brought by external libraries, single point of failure, highly privileged TF-RMM and costly world switch. In this paper, we introduce CubeVisor, a new secure virtualization architecture based on ARM CCA. It uses the idea of the Cube, which is a combination of a hypervisor and a VM, protecting each Cube from other Cubes or components. The CubeVisor also improves performance by optimizing memory allocation and world-switching processes. We implement prototypes on both software-based ARM FVP platform and hardware-based ARM Cortex-A platform for evaluations. The results show that the CubeVisor can protect VMs well and has very low overhead compared to the CCA based virtualization methods.
External IDs:dblp:conf/acsac/ChenZYJJZ24
Loading