Live cVM Migration

Building on the core capabilities of cVMs, a secure hosting module and a TEE-side live migration module are introduced to enable uninterrupted and secure migration of cVMs between verified confidential computing environments. This design ensures that sensitive data within cVMs remains encrypted or isolated before, during, and after migration.

On Huawei Kunpeng processors, this function is implemented by enabling the live cVM migration module of the TEE Kit. It involves the following components:

• Live migration module in the TEE Kit
• MigcVM (dedicated for live migration) and mig-agent
• Live migration functions of the VM managers QEMU and kernel-kvm

Figure 1 Live cVM migration

As shown in the figure, live cVM migration consists of two parts:

1. Use a trusted proxy to perform remote attestation between the source and target and to negotiate the migration key.
2. During the migration, the TEE encrypts the memory, vCPU, and cVM status information using the negotiated migration key, so that the information is transmitted to the target node in ciphertext.

Benefits:

• Confidential computing cloud services are not interrupted during node fault remediation or node upgrades.
• Compatibility with mainstream cloud management tools (e.g., libvirt) reduces user costs.
• Sensitive data in cVMs is not disclosed on the basis of stability protection.
• This first commercial Arm-based live cVM migration solution delivers higher performance than peer offerings.