AgenTEE: Confidential LLM Agent Execution on Edge Devices

TL;DR

AgenTEE enables secure execution of large language model agents on edge devices by isolating sensitive components within confidential virtual machines, balancing security and performance.

Contribution

It introduces a system that deploys agent pipelines on edge devices using independently attested cVMs built on Arm CCA, ensuring security with minimal performance overhead.

Findings

Achieves near-native performance with less than 5.15% overhead.

Provides strong isolation of sensitive assets and runtime state.

Demonstrates practical deployment on Arm-based edge devices.

Abstract

Large Language Model (LLM) agents provide powerful automation capabilities, but they also create a substantially broader attack surface than traditional applications due to their tight integration with non-deterministic models and third-party services. While current deployments primarily rely on cloud-hosted services, emerging designs increasingly execute agents directly on edge devices to reduce latency and enhance user privacy. However, securely hosting such complex agent pipelines on edge devices remains challenging. These deployments must protect proprietary assets (e.g., system prompts and model weights) and sensitive runtime state on heterogeneous platforms that are vulnerable to software attacks and potentially controlled by malicious users. To address these challenges, we present AgenTEE, a system for deploying confidential agent pipelines on edge devices. AgenTEE places the agent runtime, inference engine, and third-party applications into independently attested confidential virtual machines (cVMs) and mediates their interaction through explicit, verifiable communication channels. Built on Arm Confidential Compute Architecture (CCA), a recent extension to Arm platforms, AgenTEE enforces strong system-level isolation of sensitive assets and runtime state. Our evaluation shows that such multi-cVMs system is practical, achieving near-native performance with less than 5.15% runtime overhead compared to commodity OS multi-process deployments.