π€ AI Summary
Centralized AI deployments entail exposing sensitive data and code to cloud providers, posing significant privacy and security risks. This work proposes the first end-to-end confidential AI workflow that systematically integrates CPU-based trusted execution environments (TEEs)βsuch as Intel TDX and AMD SEV-SNPβwith GPU TEEs on NVIDIA H100/H200 platforms, ensuring data confidentiality and integrity across both virtual machine and application layers. The study identifies and mitigates novel threats, including unauthorized access to confidential VM contents by Kubernetes administrators, by leveraging remote attestation and end-to-end encrypted execution to provide strong security guarantees. The proposed framework is evaluated on an integrated Intel TDX and NVIDIA H200 platform using industry-standard benchmarks, quantifying performance overhead and demonstrating the feasibility and robustness of the approach.
π Abstract
Large Language Models (LLMs) have rapidly proliferated, driving widespread adoption of AI applications. Most deployments rely on centralized infrastructures such as Microsoft Azure, Google Cloud, or AWS, requiring users to share sensitive data and training or fine-tuning code. This dependence raises significant security and privacy concerns, as cloud providers must be trusted to ensure confidentiality and integrity.
Trusted Execution Environments (TEEs) e.g., Intel SGX/TDX, AMD SEV-SNP, and ARM CCA have been introduced to mitigate these risks. More recently, NVIDIA has developed GPU TEEs (e.g., H100/H200), yet comprehensive evaluations of end-to-end workflows that integrate CPU and GPU TEEs remain limited. Critical aspects, including performance overhead, remote attestation, and security guarantees for AI/LLM applications, have not been sufficiently studied.
This paper addresses this gap by presenting an end-to-end workflow that combines CPU and GPU TEEs. We propose mechanisms to ensure confidentiality and integrity at both the VM level (via Intel TDX and AMD SEV-SNP) and the application level, highlighting vulnerabilities such as Kubernetes administrators' ability to access confidential VM contents. Finally, we evaluate the performance overhead of our system using industry benchmarks, focusing on configurations that integrate Intel TDX with NVIDIA H200 GPUs.