A confidential virtual machine (CVM) uses a hardware-rooted key to encrypt customer data written to memory. For enhanced security, the CVM makes the plaintext-to-ciphertext map depend on the physical address (PA) of the memory location. Peripheral devices operate not in PA space but in input-output address space. Currently, peripherals can only perform memory accesses without encryption, or need to use a two-pass, high-latency, power-intensive encryption procedure involving a transport key distinct from the hardware-rooted key.
This disclosure describes techniques to enable a peripheral device of a confidential virtual machine to access encrypted memory using a single encryption pass. The techniques enable secure, high-speed computing at low power consumption. Address translation between input-output and physical address spaces is accounted for such that peripherals continue to work in input-output address space while encryption continues to depend on the physical address of the data. The techniques obviate compute-intensive transport keys subsidiary to hardware-rooted virtual machine keys.
Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 License.
Orr, Marc S.; Mathur, Rachit; Aktas, Erdem; and Honig, Andrew, "Encrypted Memory Access by Peripheral Devices of a Confidential Virtual Machine", Technical Disclosure Commons, (June 27, 2022)