Device Passthrough (Physical Functions)

Device passthrough utilizes the PCIe protection controller (PCIPC) embedded in the PCIe root complex of the Kunpeng processor. A selector is added to the PCIe bus to regulate communication between the processor and peripherals. Operating through the system memory management unit (SMMU), this selector controls both inbound and outbound traffic. In confidential computing scenarios, PCIPC-enabled PCIe devices can be directly connected to the TEE, which eliminates data forwarding and copying operations and protects the entire data link. As a result, Kunpeng supports heterogeneous confidential computing without requiring any device reconstruction.

The device passthrough capability of virtCCA PCIPC offers security isolation and performance enhancements for PCIe devices, with the following benefits:

  • Secure isolation

    PCIPC-enabled security devices can be accessed only within the TEE, not by host software.

  • High performance

    cVM passthrough eliminates performance loss on the data plane compared to traditional encryption and decryption solutions.

  • Ease of use

    Compatibility with existing open source OSs removes the requirement for kernel driver modifications.