

# **Core Slicing:** Closing the gap between leaky confidential VMs and bare-metal cloud

Ziqiao Zhou, Yizhou Shan, Weidong Cui, Xinyang Ge, Marcus Peinado, Andrew Baumann





### Background: Confidential VMs

- Goal: Remove hypervisor from TCB
- **Solution**: Deprivilege hypervisor
- Examples:
  - AMD SEV, Intel TDX, Arm CCA



The hypervisor still runs on the same core as the VMs.



### Never-ending side channels






| Transient execution attacks                     | CVE                            | Intel | AMD | ARM |
|-------------------------------------------------|--------------------------------|-------|-----|-----|
| Meltdown/Supervisor-only bypass                 | CVE-2017-5754                  | Y     | N   | Y   |
| Bounds check bypass (Spectre-1)                 | CVE-2017-5753                  | Y     | Y   | Y   |
| Branch Target Injection (Spectre-2)             | CVE-2017-5715                  | Y     | Y   | Y   |
| Speculative Store Bypass (Spectre-NG-4)         | CVE-2018-3639                  | Y     | Y   | Y   |
| Rogue System Register Read (Spectre-NG-3a)      | CVE-2018-3640                  | Y     | N   | Y   |
| Lazy FP State Restore (Spectre-NG)              | CVE-2018-3665                  | Y     | N   | N   |
| ForeShadow                                      | CVE-2018-3615                  | Y     | N   | N   |
| Bounds Check Bypass Store                       | CVE-2018-3693                  | Y     | Y   | Y   |
| Straight-line Speculation                       | CVE-2021-26341                 | Y     | Y   | Y   |
| Return Stack Buffer (Spectre-RSB)               | CVE-2022-29901, CVE-2022-23824 | Y     | Y   | Y   |
| Speculative Vectorization Exploits (Spectre-HD) | (2023-02)                      | Y     | Y   | Y   |

•••

### Confidential VMs: Reactive mitigations



"Intel believes removing all incidental channels from computing systems is not in customers' best interests and is not feasible, nor is it feasible to completely prevent the intentional misuse of incidental channels." - Intel

### How to eliminate side-channel attacks

- Root cause: adversary-controlled code running on the same core








### Existing solution: bare-metal cloud



- Pros: Strong isolation, predictable performance
- Cons: Lack of flexibility



We want "bare-metal" security and performance, but at sub-machine granularity.





#### Resources sold should match those available.

- Discrete cores
  - No time slicing
- Static memory
  - No ballooning or demand paging
- I/O offload

Figure: a 2-core VM, a 1-core VM and the host OS run on top of the hypervisor, which sits above four cores that share one cache and DRAM.

Hypervisor is the source of CPU sharing.

Hypervisor is only used for isolation.








# Idea of core slicing

#### ✓ Each slice gets a physical partition

- Exclusive CPU
  - No CPU virtualization layer
- Exclusive DRAM partition
  - No additional memory translation
- Directly access dedicated I/O devices
  - e.g., access virtual devices via SR-IOV





#### ✓ Hardware-assisted isolation



## Two lightweight hardware features


- Per-core lockable filter registers
  - Defines hardware resources (e.g., DRAM)
  - Locked until a secure reset
- A secure **per-core reset** unit
  - Clear per-core state





- Per-core lockable filter registers
  - Allowlist and denylist for DRAM ranges
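A software model of the two features above, the lockable filter registers and the per-core reset, as an added example (not the paper's hardware or its artifact code): each core owns a small file of allow/deny DRAM ranges whose lock only a secure per-core reset clears. The slot count, the deny-over-allow rule and the address ranges are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Illustrative software model (added example, not the paper's hardware or its
 * artifact code): each core owns a file of lockable filter registers, each an
 * allow or deny range over physical DRAM, and the secure per-core reset is the
 * only way to clear and unlock that file. Slot count and layout are assumed. */
#define FILTER_SLOTS 4
enum filter_kind { FILTER_UNUSED = 0, FILTER_ALLOW, FILTER_DENY };

struct filter_reg {
    enum filter_kind kind;
    uint64_t base;    /* inclusive start of the physical range */
    uint64_t limit;   /* exclusive end of the physical range */
};

struct core_filters {
    struct filter_reg slot[FILTER_SLOTS];
    bool locked;      /* set by the slice manager before handing the core over */
};

/* Program one register. Refused once locked: code on a core that already
 * belongs to a slice cannot widen that slice's DRAM view. */
int filter_set(struct core_filters *f, size_t idx, enum filter_kind kind,
               uint64_t base, uint64_t limit)
{
    if (f->locked || idx >= FILTER_SLOTS || limit <= base)
        return -1;
    f->slot[idx] = (struct filter_reg){ kind, base, limit };
    return 0;
}

void filter_lock(struct core_filters *f) { f->locked = true; }

/* Check one access [addr, addr+len): any overlapping deny register refuses it,
 * otherwise it must lie entirely inside one allow register. */
bool filter_permits(const struct core_filters *f, uint64_t addr, size_t len)
{
    uint64_t end = addr + len;
    bool covered = false;
    if (len == 0 || end < addr)           /* empty or wrapping access */
        return false;
    for (size_t i = 0; i < FILTER_SLOTS; i++) {
        const struct filter_reg *r = &f->slot[i];
        if (r->kind == FILTER_DENY && addr < r->limit && r->base < end)
            return false;                 /* deny wins over allow */
        if (r->kind == FILTER_ALLOW && addr >= r->base && end <= r->limit)
            covered = true;
    }
    return covered;
}

/* Secure per-core reset: clears per-core state (here the register file and its
 * lock) so the manager can hand the core to a different slice. */
void core_secure_reset(struct core_filters *f) { *f = (struct core_filters){ 0 }; }

/* Worked configuration (constructed values): the slice owns
 * [0x8000_0000, 0xA000_0000) minus a 1 MiB hole at 0x9000_0000 that the slice
 * manager keeps; the file is locked before the core is handed over. */
void demo_config(struct core_filters *f)
{
    core_secure_reset(f);
    filter_set(f, 0, FILTER_ALLOW, 0x80000000ULL, 0xA0000000ULL);
    filter_set(f, 1, FILTER_DENY,  0x90000000ULL, 0x90100000ULL);
    filter_lock(f);
}

/* 1 if the access is permitted under the worked configuration, else 0. */
int demo_check(uint64_t addr, size_t len)
{
    struct core_filters f;
    demo_config(&f);
    return filter_permits(&f, addr, len) ? 1 : 0;
}

/* 1 if the lock refuses reprogramming and only a secure reset drops the old
 * view and unlocks the file again, else 0. */
int demo_lock_and_reset(void)
{
    struct core_filters f;
    demo_config(&f);
    if (filter_set(&f, 2, FILTER_ALLOW, 0, UINT64_MAX) != -1)
        return 0;                         /* the lock must hold */
    core_secure_reset(&f);
    return !filter_permits(&f, 0x80000000ULL, 8) &&
           filter_set(&f, 0, FILTER_ALLOW, 0x1000, 0x2000) == 0;
}
```

An access that straddles the manager's hole (for example 16 bytes starting at 0x8FFFFFF8) is refused even though both ends lie inside the allowed range, which is the property the deny register buys.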


# Slicing other resources

- Interrupts
- I/O devices
- Cache
  - SiFive: way masking for the shared cache
  - Intel: Cache Allocation Technology (CAT)
- DMA
  - RISC-V: IOPMP
  - x86: IOMMU















Demo on the RISC-V prototype:

- PMP for
  - DRAM isolation
  - Memory-mapped MSRs, IO, interrupts
- Exclusive resources
- Bare-metal performance

Slice manager console, showing the verification result, resources and digest of a created slice and the `slice` command set:

```text
verification success.
hart_count = 2
mem_size = 20000000
digest:
ac08e3f644174b86e10284fca26aba368b79d89404342c9f80b135daa829a7616e546357
>> slice help
[72.740933] slice_help(): slice STOP stop a slice.
[72.744335] slice_help(): slice START start a slice.
[72.745143] slice_help(): slice CREATE create a slice.
[72.745744] slice_help(): slice DELETE delete a slice.
[72.746607] slice_help(): slice ATTEST attest a slice.
```

Two slices booted side by side; each sees only its own two harts (1 and 2 vs. 3 and 4) in `/proc/cpuinfo`:

```text
Jan  1 00:00:02 login[83]: root login on 'con'
~ # more /proc/cpuinfo
processor : 0
hart      : 1
isa       : rv64imafdc
mmu       : sv39
uarch     : sifive,rocket0
processor : 1
hart      : 2
isa       : rv64imafdc
mmu       : sv39
uarch     : sifive,rocket0
```

```text
Jan  1 00:00:05 login[90]: root login on 'con'
~ # cat /proc/cpuinfo
processor : 0
hart      : 3
isa       : rv64imafdc
mmu       : sv39
uarch     : sifive,rocket0
processor : 1
hart      : 4
isa       : rv64imafdc
mmu       : sv39
uarch     : sifive,rocket0
```

### Summary

- TEE that avoids side channels by design
  - No virtualization overhead
  - Resources partitioned at core granularity
- Two lightweight hardware features
  - Lockable filter registers
  - Per-core reset
- More details in the paper, including:
  - Attestation and memory encryption
  - Extending the design beyond RISC-V
  - Evaluation of limited registers and bare-metal performance

#### Artifact available at [https://github.com/msrssp/core-slicing](https://github.com/msrssp/core-slicing)