- The paper introduces Tessera, a reference architecture that uses an inline crypto engine to perform cache-line (64B) decryption for secure DNN weight streaming on UMA systems.
- It employs address-derived AES-CTR counters and a three-layer key hierarchy to enable just-in-time decryption, achieving 22.1 GB/s throughput with minimal latency overhead.
- Empirical evaluations demonstrate that Tessera eliminates up to 32× bandwidth amplification, significantly reduces DRAM energy consumption, and imposes negligible area and power overhead.
Secure Weight Streaming for UMA Edge Accelerators: The Tessera Reference Architecture
Motivation and Problem Statement
Contemporary edge AI accelerators, especially those underpinning applications in autonomous systems and portable medical diagnostics, face acute challenges regarding the confidentiality of DNN model weights when deployed on Unified Memory Architecture (UMA) systems. UMA topologies—prevalent in SoCs such as ARM Mali and NVIDIA Jetson—allow NPUs and CPUs to share the same physical DRAM, inherently exposing plaintext weights to adversaries capable of OS-level compromise or physical DRAM extraction. Existing defenses relying on full-memory encryption (e.g., AMD SME, Intel TME) operate at page granularity (4KB), derailing bandwidth efficiency for sub-page tensor fetches due to substantial traffic amplification. TEE-based mechanisms demand permanent memory carve-outs, impairing scarce RAM availability and flexibility.
The paper proposes Tessera, a vendor-agnostic reference architecture, leveraging an Inline Crypto Engine (ICE) interposed directly between the DRAM controller and NPU DMA fabric for near-line-rate, cache-line (64B)-granularity weight streaming decryption. This paradigm enables just-in-time plaintext delivery strictly into isolated NPU SRAM, abolishing both permanent DRAM carve-outs and bandwidth amplification from page-level encryption.
Figure 1: Tessera hardware pipeline: ICE sits between DRAM and NPU DMA, with AES session keys delivered directly from secure enclave and address-derived counters allowing parallel keystream generation; the SMMU firewall ensures strict SRAM isolation.
Architectural Details and Cryptographic Protocols
Tessera's architecture consists of several critical elements:
- Root-of-Trust Key Hierarchy: Utilizes a three-layer architecture with device-specific RSA keypairs (DIK) fused in eFuses, per-model AES session keys (MSK) provisioned via OAEP-encrypted blobs, and ICE registers directly loaded from a secure enclave. This eliminates key exposure in DRAM and enforces device and application binding at load time.
- Address-Derived AES-CTR: Tessera adopts address-derived counters for AES-256-CTR block generation, ensuring keystream uniqueness and resistance against address aliasing. This choice is justified formally; fixed-counter schemes are rigorously demonstrated to leak plaintext via XOR cancellation in sparse DNN tensors, making address-based derivation cryptographically essential for tile-level DRM.
- ICE Pipeline: Each 64-byte DMA burst is intercepted mid-AXI, with counter calculation, keystream generation, and XOR performed in parallel with DRAM fetch. The decrypted output is isolated in the NPU's SRAM via SMMU stream-ID firewalling, with hardware tagging for additional defense in depth.
The architecture's efficacy is corroborated through empirical and analytical evaluation:
- UMA Threat Model Realization: The paper demonstrates that full model weight extraction (e.g., ResNet-18, MobileNetV2, DistilBERT-Tiny) via /dev/mem on Jetson AGX Xavier is trivial for privileged attackers, without any exploit, affirming the need for cache-line level defenses as implemented in Tessera.
- Latency Overlap and Throughput: Measurements across three platforms (Intel i9-12900H, Jetson AGX Xavier & Orin) show that AES-256 keystream generation is consistently hidden behind DRAM fetch latency (Tks​<TDRAM​), with observed slack ranging from 26.4–67.4ns. Continuous DMA simulations yield <0.1% stall probability, confirming robust pipelining even under latency jitter.
- Bandwidth Amplification: Page-level encryption imposes up to 32× bandwidth amplification for small tensor fetches (batch normalization, depthwise convolution), whereas Tessera sustains 1× for all layer geometries, preserving theoretical memory bandwidth.
Strong Numerical Results and Security Implications
- Near-Line-Rate Streaming: Tessera projected throughput is 22.1 GB/s—98.4% of DDR5-4800 peak, with only a 1.6% overhead. This is in stark contrast with page-level encryption, which is structurally limited to only 4.5 GB/s for generic edge workloads.
- Energy Efficiency: Tessera saves over 22 mJ DRAM-energy per ResNet-18 inference compared to page-level ICE, positioning cache-line granularity as critical for battery-constrained edge devices.
- Area and Power Overheads: ICE area is less than 0.02% of the SoC die and power draw is below 100mW—functionally negligible compared to NPU and DRAM PHY envelopes.
- Security Guarantees: Tessera formally prevents plaintext leakage across sparse tensors; preemption-driven hardware scrubbing ensures no residual plaintext persists in NPU SRAM after context switches. The SMMU firewall and secure enclave protocols counter rogue DMA, compute hijack, and confused deputy attacks.
Practical and Theoretical Implications
Tessera addresses the unique threat landscape of edge UMA accelerators by introducing a flexible yet robust DRM primitive that does not trade away precious memory capacity, energy, or latency. Its cache-line granularity and hardware pipeline exploit architectural headroom unavailable in prior TEE or page-level ICE solutions. The elimination of bandwidth amplification has direct implications for scaling efficient, confidential DNN deployment in edge settings, particularly as model sizes and complexity increase.
Theoretically, Tessera's reliance on address-derived CTR counters sets a standard for cryptographic necessity in secured model streaming, urging reconsideration of legacy approaches used in memory encryption and DRM for AI edge devices.
Limitations and Future Directions
The paper identifies future extensions, such as authenticated, integrity-protected streaming (e.g., per-tile MACs and Merkle trees), layer-granularity key rotation, and hardware-mask side-channel resistance. Integration challenges associated with OEM provisioning and secure world firmware authentication are outlined as pre-silicon concerns.
Conclusion
Tessera introduces an effective architecture for secure, near-line-rate weight streaming in UMA edge accelerators, addressing vulnerability to OS compromise and physical access without the operational penalties inherent to prior page-level or enclave-based defenses. By confining plaintext exclusively to transient, isolated SRAM and leveraging cryptographic pipelining at cache-line granularity, Tessera delivers hardware-assisted DRM at 98.4% bandwidth efficiency, nullifying extractability for all evaluated threat vectors. Its design principles are poised to reshape future edge DNN deployments towards zero-overhead, cryptographically robust model confidentiality (2604.23205).