This work addresses the vulnerability of large language model (LLM) agents deployed on edge devices to software attacks and malicious users, which can compromise system prompts, model weights, and runtime states. To mitigate these threats, the authors propose a strongly isolated execution framework based on Arm’s Confidential Computing Architecture (CCA), introducing for the first time a multi-confidential virtual machine (cVM) design at the edge. This architecture isolates the agent runtime, inference engine, and third-party applications into separately attested cVMs and establishes verifiable communication channels to ensure system-wide confidentiality and interaction integrity. Experimental evaluation demonstrates that the proposed approach incurs less than 5.15% runtime overhead, achieving near-native performance while substantially enhancing security, thereby validating its feasibility and effectiveness in real-world edge deployments.

Large Language Model (LLM) agents provide powerful automation capabilities, but they also create a substantially broader attack surface than traditional applications due to their tight integration with non-deterministic models and third-party services. While current deployments primarily rely on cloud-hosted services, emerging designs increasingly execute agents directly on edge devices to reduce latency and enhance user privacy. However, securely hosting such complex agent pipelines on edge devices remains challenging. These deployments must protect proprietary assets (e.g., system prompts and model weights) and sensitive runtime state on heterogeneous platforms that are vulnerable to software attacks and potentially controlled by malicious users. To address these challenges, we present AgenTEE, a system for deploying confidential agent pipelines on edge devices. AgenTEE places the agent runtime, inference engine, and third-party applications into independently attested confidential virtual machines (cVMs) and mediates their interaction through explicit, verifiable communication channels. Built on Arm Confidential Compute Architecture (CCA), a recent extension to Arm platforms, AgenTEE enforces strong system-level isolation of sensitive assets and runtime state. Our evaluation shows that such multi-cVMs system is practical, achieving near-native performance with less than 5.15% runtime overhead compared to commodity OS multi-process deployments.