ACAI: Protecting Accelerator Execution with Arm Confidential Computing Architecture

Supraja Sridhara, Andrin Bertschi, Benedict Schlüter, Mark Kuhne, Fabio Aliberti, Shweta Shinde
DOI: https://doi.org/10.48550/arXiv.2305.15986
2023-10-26
Abstract: Trusted execution environments in several existing and upcoming CPUs demonstrate the success of confidential computing, with the caveat that tenants cannot securely use accelerators such as GPUs and FPGAs. In this paper, we reconsider the Arm Confidential Computing Architecture (CCA) design, an upcoming TEE feature in Armv9-A, to address this gap. We observe that CCA offers the right abstraction and mechanisms to allow confidential VMs to use accelerators as a first-class abstraction. We build ACAI, a CCA-based solution, with a principled approach of extending CCA security invariants to device-side access to address several critical security gaps. Our experimental results on GPU and FPGA demonstrate the feasibility of ACAI while maintaining security guarantees.
Cryptography and Security
What problem does this paper attempt to address?
The paper addresses the following problem: in existing Trusted Execution Environments (TEEs), tenants cannot use accelerators (such as GPUs and FPGAs) securely, which limits the security and flexibility of cloud users when handling high-performance computing tasks. Although some existing CPUs have successfully implemented confidential computing, these technologies have not been extended to accelerator devices. Users therefore face a dilemma: either execute the workload outside the TEE, exposing it to the risk of attack, or execute these tasks on a lower-performance CPU.

To solve this problem, the paper reconsiders the upcoming Arm Confidential Computing Architecture (CCA) design, specifically the TEE features in the Armv9-A architecture. The authors observe that CCA provides appropriate abstractions and mechanisms to incorporate accelerators as a first-class abstraction into the confidential virtual machine (VM). Based on this observation, they build a solution named ACAI, which addresses multiple key security vulnerabilities in device-side access by extending the security invariants of CCA, thereby achieving the secure use of accelerators.

### Main Contributions

1. **Proposing ACAI**: This is the first system to show how to achieve secure PCIe device access in an Arm CCA-based confidential VM.
2. **Innovative Security Invariants**: ACAI identifies and remedies security vulnerabilities in Arm CCA, enabling secure peripheral execution without changing Arm CCA-compatible hardware or accelerator hardware that supports TEE.
3. **Feasibility Evaluation**: Experimental results show that ACAI not only achieves its security and compatibility goals, but is also feasible in terms of performance. Compared with CPU and accelerator execution without TEE protection, ACAI brings an average overhead of 43.5% and 12.1% for GPU and FPGA respectively. At the same time, it has almost no impact on other parts of the system, with only 3.8% and 1.9% additional overhead when using GPU and FPGA respectively.

### Solution Overview

ACAI ensures the secure access of accelerators in the following ways:

- **Shared Protection Area**: Set up a shared protection area between the realm VM and the corresponding accelerator to ensure that only the specified device and realm VM can access it.
- **Authentication and Exclusive Ownership**: Each accelerator is assigned a unique, non-forgeable identity when attached to the realm VM, and can only be configured and managed by one owner realm VM.
- **Synchronization Mapping Table**: Ensure that the stage 2 translation tables of the RMM and the SMMU are always synchronized to prevent split-view attacks.
- **Protect SMMU**: Mark the data structures of the SMMU as accessible only in root mode through the GPT, to prevent a malicious hypervisor from tampering with the SMMU configuration.

Through these measures, ACAI solves the problem of secure access to accelerators in the confidential computing environment, providing cloud users with a solution that is both secure and efficient.
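
To make the table-synchronization invariant concrete, the following added example (not code from the paper or from ACAI) models the two stage 2 tables as Python dictionaries and audits them for a split view, meaning an address that resolves differently for the realm VM's CPU accesses and for device accesses through the SMMU. The class name, function names and page numbers are assumptions made for illustration.

```python
# Simplified model, constructed for illustration: each stage 2 table maps an
# intermediate physical page number (IPA) to a physical page number (PA).
from dataclasses import dataclass, field


@dataclass
class RealmMappings:
    cpu_s2: dict = field(default_factory=dict)   # view used by realm VM CPU accesses
    smmu_s2: dict = field(default_factory=dict)  # view used by device DMA via the SMMU

    def map_shared(self, ipa, pa):
        """Install a mapping in both tables in one step, keeping them in sync."""
        self.cpu_s2[ipa] = pa
        self.smmu_s2[ipa] = pa

    def unmap_shared(self, ipa):
        """Remove a mapping from both tables in one step."""
        self.cpu_s2.pop(ipa, None)
        self.smmu_s2.pop(ipa, None)


def find_split_views(m):
    """Return (ipa, cpu_pa, smmu_pa) for every IPA the two tables disagree on.
    None marks an IPA that is mapped in one table only."""
    diffs = []
    for ipa in sorted(m.cpu_s2.keys() | m.smmu_s2.keys()):
        cpu_pa, smmu_pa = m.cpu_s2.get(ipa), m.smmu_s2.get(ipa)
        if cpu_pa != smmu_pa:
            diffs.append((ipa, cpu_pa, smmu_pa))
    return diffs


def demo():
    m = RealmMappings()
    m.map_shared(0x100, 0x8000)
    m.map_shared(0x101, 0x8001)
    in_sync = find_split_views(m)
    # Constructed fault: only the SMMU table is changed, bypassing map_shared.
    m.smmu_s2[0x101] = 0x9999  # same IPA now resolves to a different page
    m.smmu_s2[0x102] = 0x8002  # page visible to the device but not the CPU
    return in_sync, find_split_views(m)


if __name__ == "__main__":
    ok, bad = demo()
    print("after synchronized updates:", ok)
    for ipa, cpu_pa, smmu_pa in bad:
        print(f"split view at IPA {ipa:#x}: cpu={cpu_pa} smmu={smmu_pa}")
```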