How Baidu’s 7th‑Gen AI Confidential VM Delivers Full‑Stack Secure Compute

Baidu Cloud’s 7th‑generation AI confidential virtual machine combines Intel TDX‑based CPU trusted execution, GPU confidential computing, and DPU‑offloaded I/O to provide end‑to‑end encrypted data paths, multi‑GPU scaling, and near‑native performance for high‑sensitivity AI workloads, redefining secure cloud AI infrastructure.

Baidu Geek Talk

Enterprises moving sensitive AI workloads to the cloud face a new dilemma: they must protect data while still achieving high performance. Confidential computing addresses this by creating a hardware‑based Trusted Execution Environment (TEE) that isolates data even during use, shifting the security boundary from the system perimeter to the compute itself.

7th‑Gen AI Confidential VM Overview

End‑to‑end confidential computing: CPU TDX + GPU Confidential Computing (GPU CC) + Protected PCIe (PPCIe) encrypted links.

Elastic multi‑GPU scaling: Supports NVLink/NVSwitch for high‑speed GPU interconnect.

Full resource provisioning: DPU offloads I/O, delivering complete CPU resources to the VM.

Trusted verification: Dual remote attestation using TDX and GPU CC.

Ready‑to‑use environment: Pre‑installed latest LTS kernel, drivers, and CUDA.
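
The dual remote attestation listed above only protects data if the party releasing a key or dataset refuses unless the TDX evidence and the evidence from every GPU in the multi‑GPU set all check out. The sketch below is an added example, not Baidu's code: the claim names, policy values and sample evidence are constructed assumptions, and it assumes the quote and report signatures were already validated by the vendor verifiers.

```python
import hmac

# Constructed policy and challenge. All claim names here are hypothetical;
# real TDX quotes and GPU reports use vendor formats, and their signatures
# must be checked by the vendor verifiers before these claims are trusted.
POLICY = {"max_age_s": 300, "tdx_measurements": {"aa" * 48},
          "expected_gpus": ["gpu0", "gpu1"]}
NONCE = "5f" * 16

def release_decision(nonce, tdx, gpus, policy, now):
    """Return (ok, reasons). Fails closed: a missing or bad claim denies."""
    reasons = []

    def check_fresh(name, ev):
        if not hmac.compare_digest(str(ev.get("nonce", "")), nonce):
            reasons.append(f"{name}: nonce mismatch")
        if abs(now - ev.get("issued_at", 0)) > policy["max_age_s"]:
            reasons.append(f"{name}: evidence too old")

    if not tdx:
        reasons.append("tdx: no evidence")
    else:
        check_fresh("tdx", tdx)
        if tdx.get("measurement") not in policy["tdx_measurements"]:
            reasons.append("tdx: measurement not in allow list")
        if tdx.get("debug", True):
            reasons.append("tdx: debug not proven off")

    # Every GPU the workload will use must present its own evidence;
    # one unattested device in the set is enough to deny.
    by_id = {g.get("gpu_id"): g for g in gpus}
    for gpu_id in policy["expected_gpus"]:
        ev = by_id.get(gpu_id)
        if ev is None:
            reasons.append(f"{gpu_id}: no evidence")
            continue
        check_fresh(gpu_id, ev)
        if ev.get("cc_mode") is not True:
            reasons.append(f"{gpu_id}: confidential mode not on")
    return (not reasons, reasons)

def sample_evidence(gpu_ids=("gpu0", "gpu1"), nonce=NONCE, t=1000):
    """Build constructed evidence for one TD and the given GPUs."""
    tdx = {"nonce": nonce, "issued_at": t, "measurement": "aa" * 48,
           "debug": False}
    gpus = [{"gpu_id": g, "nonce": nonce, "issued_at": t, "cc_mode": True}
            for g in gpu_ids]
    return tdx, gpus

if __name__ == "__main__":
    print(release_decision(NONCE, *sample_evidence(), POLICY, now=1010))
    print(release_decision(NONCE, *sample_evidence(("gpu0",)), POLICY, now=1010))
```

The second call denies release because gpu1 never presented evidence, which is the multi‑GPU case a single‑GPU check would miss.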

Limitations of the 6th‑Gen VM

The previous generation supported only a single GPU, targeted small models (7B/13B), and lacked DPU‑based I/O offload, which limited resource delivery and elasticity.

Breakthroughs in the 7th‑Gen VM

Multi‑GPU support: NVLink/NVSwitch enable high‑bandwidth, low‑latency GPU clusters.

Full resource delivery: CPU, memory, and I/O are all provisioned without bottlenecks.

vDPA data‑path offload: The data path is handed to the BlueField DPU via vhost‑vDPA, while the control path remains in the virtualized stack, balancing performance and elasticity.

Protected PCIe (PPCIe): Hardware‑encrypted links between CPU and GPU prevent boundary leakage on the PCIe bus.

vDPA vs. VFIO – Design Trade‑offs

VFIO offers near‑bare‑metal performance by directly passing devices to the VM, but it prevents live migration. vDPA decouples the data path (handled by the DPU) from the control path (managed by the hypervisor), allowing both high performance and flexible scheduling.

Implementation details include:

BlueField DPU uses vhost‑vDPA together with a Virtio Full Emulation (VFE) module.

Communication between VFE and QEMU occurs via vhost‑user, while VFIO manages device resources.

Page‑per‑vQ and host‑notifier features reduce VM exits, boosting I/O‑intensive workloads.

Key Challenges and Solutions

Memory marking errors: Mis‑labelled notify regions triggered TDX access violations. Baidu’s firmware now correctly marks shared memory during boot.

Address‑space conflicts with multiple GPUs: Large BAR windows exceed the low‑address space, causing legacy firmware (e.g., SeaBIOS) to map them via indirect PCI config accesses, which leads to VM exits. Firmware optimizations in TDVF identify and handle these regions, and QEMU patches (commits ffa8a3e… and 55fa4be…) fix the notify‑region handling.

Performance Evaluation

Memory bandwidth and latency with TDX enabled are virtually indistinguishable from standard VMs, keeping high‑bandwidth workloads within expected variance. Virtio disk and network performance remains on par with regular KVM instances. GPU compute (e.g., GEMM) achieves ~99% of native throughput, with H2D/D2H bandwidth varying by GPU model but remaining acceptable for most AI training scenarios.

Conclusion

The 7th‑generation AI confidential VM demonstrates that security need not sacrifice performance. By extending trusted boundaries across CPU, memory, I/O, and GPU, Baidu Cloud provides a secure, high‑performance foundation for sensitive AI workloads, and the engineering contributions (firmware fixes and QEMU patches) are shared with the open‑source community.
