Devlore: Device Interrupt Protection for Confidential VMs

Modern confidential computing executes sensitive computation in an abstraction called confidential VMs and protects from the hypervisor, host OS, and other co-resident VMs. It has been shown that an attacker can inject malicious interrupts to break the confidentiality and integrity of confidential VMs. We present Devlore, a device interrupt isolation mechanism that protects confidential VMs from interrupt manipulation attacks. Our design employs a delegate-but-check strategy by offloading interrupt management to the hypervisor, but adds correctness checks in the trusted software. We prototype our design on Arm Confidential Computing Architecture (CCA). We evaluate it on Arm FVP to demonstrate four diverse devices attached to confidential VMs and report costs on a Rock5b board. Our case studies show the feasibility of real-world use cases and that Devlore incurs minimal overheads of 0.06% for typical integrated GPU applications.

💡 Research Summary

The paper addresses a critical yet under‑explored attack surface in confidential computing: malicious injection of device interrupts by an untrusted hypervisor into Confidential Virtual Machines (CVMs) on Arm’s Confidential Computing Architecture (CCA). While prior work has focused on memory isolation—using encrypted bounce buffers or SMMU granule protection—to allow devices to interact with CVMs, the interrupt path remains fully under hypervisor control. Because the hypervisor configures the Generic Interrupt Controller (GIC) and virtual GIC (vGIC) registers, it can generate arbitrary physical or virtual interrupts, thereby violating the integrity of CVM execution. The authors illustrate concrete attacks using Linux driver examples (e.g., a counter driver and a Wi‑Fi chipset driver) where injected interrupts can falsely trigger events, corrupt state, or cause premature device readiness, effectively performing Iago‑style attacks on the guest.

To mitigate this, the authors propose DevL ore, a “delegate‑but‑check” mechanism. The core idea is to keep the bulk of interrupt management (registration, priority handling, physical‑to‑virtual conversion) in the existing hypervisor, but to insert a trusted verification layer in the Realm Management Monitor (RMM) that validates every hypervisor‑generated interrupt configuration before it reaches the CVM. The verification covers three phases: (1) ensuring that the interrupt number requested by a device lies within a pre‑allocated, device‑specific range; (2) confirming that a physical interrupt reported by the GIC actually originates from the corresponding device (by reading GIC status registers); and (3) checking that the virtual interrupt programmed into the vGIC respects the GIC specification (correct priority, routing, and acknowledgment semantics). If any check fails, the interrupt is dropped and logged.

The design is implemented on two platforms: the Arm Full‑System Virtual Platform (FVP) which emulates a CCA‑enabled processor, and a physical RK3588‑based Rock5b board (Armv8.2‑A). The prototype modifies roughly 7 kLOC across the hypervisor (KVM), firmware, and both host and guest Linux kernels, without requiring any changes to device drivers. Four devices of varying complexity—integrated GPU, UART, LED, and keyboard—are attached to CVMs to evaluate functional correctness and performance. Functional tests confirm that legitimate interrupts are delivered unchanged, while all injected fake interrupts are blocked. Performance measurements under sustained interrupt load show a maximum overhead of 1 %, and a realistic GPU benchmark (glmark2) incurs only 0.06 % overhead, demonstrating that the verification logic is lightweight.

The paper’s contributions are threefold: (1) defining the interrupt isolation primitive for CCA‑based CVMs; (2) introducing the delegate‑but‑check paradigm that balances security with minimal software changes; and (3) demonstrating that device interrupts can be isolated without driver modifications and with negligible performance impact. Limitations include reliance on the assumption that timer and inter‑processor interrupts cannot be abused (as shown in prior work), and the current unavailability of CCA in mainstream production CPUs, which confines evaluation to emulators and development boards. Micro‑architectural side‑channel attacks are also out of scope.

In conclusion, DevL ore fills a crucial gap in confidential computing by securing the interrupt path, complementing existing memory‑centric protections. Its lightweight verification in the RMM ensures that even a fully compromised hypervisor cannot subvert the execution integrity of CVMs, making it a promising building block for future Arm‑based confidential cloud and edge services.