Inferensys

Glossary

Live Migration of Confidential VMs

The process of moving a running Confidential Virtual Machine from one physical host to another without compromising the encryption of its memory or the integrity of its Trusted Execution Environment.
Product manager reviewing autonomous task execution dashboard on laptop, completed tasks visible, casual work session.
SECURE WORKLOAD MOBILITY

What is Live Migration of Confidential VMs?

The process of relocating a running Confidential Virtual Machine between physical hosts without exposing its encrypted memory state or violating the integrity of its Trusted Execution Environment.

Live Migration of Confidential VMs is the orchestrated transfer of an active, hardware-encrypted virtual machine from one physical server to another while maintaining continuous memory encryption and a verifiable Trusted Computing Base (TCB). Unlike standard live migration, this process requires cryptographic re-establishment of the Trusted Execution Environment (TEE) on the destination host, ensuring the hypervisor never accesses plaintext data during the transition.

The mechanism relies on a secure handoff where the source platform's TEE securely transfers the VM Encryption Key to the destination platform's TEE only after successful remote attestation. This verifies the destination's hardware and firmware integrity before any memory pages are copied, preventing data exposure to a potentially compromised host and preserving the confidentiality and integrity of the workload throughout the relocation.

SECURE STATE TRANSFER

Key Characteristics of Confidential VM Live Migration

The defining characteristics of migrating a running Confidential VM between physical hosts while preserving the cryptographic integrity of its memory, the chain of attestation, and the isolation guarantees of its Trusted Execution Environment.

01

Encrypted State Transfer

The memory pages of the source CVM are encrypted using a transport-specific session key before transmission over the network. This ensures that the hypervisor or any network observer cannot inspect the plaintext data-in-use during the migration window.

  • Utilizes hardware-generated keys bound to the TEE for wrapping
  • Prevents man-in-the-middle attacks on live memory state
  • Maintains the data-in-use encryption invariant throughout the process
02

Attestation Continuity

The destination platform must undergo a fresh hardware attestation process before receiving the VM state. The source CVM verifies the destination's attestation report to confirm it is a genuine, untampered TEE with the correct security properties.

  • Destination TCB measurement is cryptographically verified
  • Prevents migration to a compromised or downgraded host
  • Extends the chain of trust across physical boundaries
03

Dirty Page Tracking

During iterative pre-copy migration, the hypervisor tracks memory pages modified by the running VM. These dirty pages are re-transmitted in successive rounds until the rate of modification converges, at which point a brief stop-and-copy phase finalizes the transfer.

  • Minimizes VM downtime during migration
  • Works in conjunction with memory encryption engines
  • Balances total migration time against service interruption
04

Platform Configuration Binding

The CVM's identity and sealed secrets are cryptographically bound to the firmware and hardware configuration of the TEE. Migration protocols must re-establish this binding on the destination without exposing sealed keys to the intermediate network or management stack.

  • Requires secure key migration or re-wrapping mechanisms
  • Prevents sealed data from being usable on unauthorized platforms
  • Maintains the integrity of the Trusted Computing Base (TCB)
05

Hypervisor Isolation Maintenance

A core guarantee of Confidential Computing is that the hypervisor is removed from the TCB. Live migration must not reintroduce hypervisor visibility into VM state. The migration protocol is designed so the hypervisor facilitates the transfer but cannot decrypt or modify the encapsulated VM context.

  • Hypervisor acts as an untrusted transport layer
  • All sensitive state remains opaque to the VMM
  • Preserves the security model of technologies like AMD SEV-SNP and Intel TDX
06

Post-Migration Re-Attestation

After the VM resumes on the destination host, a new attestation report is generated to provide a fresh proof of execution environment. Downstream services and clients can verify this report to ensure the CVM remains in a trusted state before re-establishing secure channels.

  • Enables continuous verification for zero-trust architectures
  • Critical for long-running, sensitive AI inference workloads
  • Integrates with SPIRE and attestation-aware service meshes
LIVE MIGRATION OF CONFIDENTIAL VMS

Frequently Asked Questions

Answers to the most common technical questions about moving encrypted virtual machines between physical hosts without breaking the trust boundary.

Live Migration of Confidential VMs is the process of relocating a running Confidential Virtual Machine (CVM) from one physical host to another without pausing the workload, while maintaining continuous data-in-use encryption and the integrity of the Trusted Execution Environment (TEE). The mechanism relies on the hardware security processor to securely export the VM's memory encryption key, wrapped by the destination platform's public key, ensuring the hypervisor never sees the plaintext key. The source TEE performs a cryptographic attestation of the destination platform to verify it is a genuine, untampered TEE before transferring any state. Memory pages are then streamed iteratively, with dirty pages re-sent, until a final brief pause cuts over execution to the target host, all while the guest OS and applications remain oblivious to the relocation.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.