Nowadays, GPUs have become indispensable accelerators across a wide range of platforms, from embedded systems to personal computers and large-scale servers. As GPU usage continues to grow, the security of data offloaded to the GPU for execution is becoming a critical concern. In parallel, the Arm Confidential Compute Architecture (CCA) introduces strong isolation guarantees for CPU workloads, yet treats external peripherals, including GPUs, as untrusted by default. This creates a fundamental challenge in extending CCA's protection model to GPU-based computation. We present SENTRYREALM, a lightweight architecture designed to enable confidential computing for GPU workloads under the Arm CCA framework. SENTRYREALM ensures that GPU applications execute in isolated memory regions and protects the integrity and confidentiality of sensitive data within GPU buffers throughout the entire GPU execution path. Our implementation demonstrates that these security guarantees can be achieved with minimal performance overhead.