Overview

This document describes how to set up an inference environment with MX C500 passthrough on a virtCCA confidential virtual machine (cVM).

Device passthrough relies on the PCIe protection controller (PCIPC) embedded in the PCIe root complex of the Kunpeng processor. A multiplexer added to the PCIe bus regulates communication between the processor and its peripherals; working through the system memory management unit (SMMU), it controls both inbound and outbound traffic. In confidential computing scenarios, PCIPC-enabled PCIe devices can be attached directly to the TEE, so no data forwarding or copying step is needed and the entire data path stays protected. As a result, Kunpeng supports heterogeneous confidential computing without requiring any changes to the device itself.

The device passthrough capability of virtCCA PCIPC provides security isolation and performance improvements for PCIe devices, with the following benefits:

  • Secure isolation

PCIPC-enabled secure devices are accessible only from within the TEE; host software cannot reach them.

  • High performance

Compared with traditional solutions that encrypt and decrypt data in transit, cVM passthrough removes the performance overhead on the data plane.

  • Ease of use

Compatibility with existing open-source operating systems means no kernel driver modifications are required.