This work addresses the challenge of jointly protecting sensitive data and proprietary code when mutually distrustful organizations collaborate in computation. The authors propose a confidential virtual machine with a dual-layer isolation architecture (2cVM), which, for the first time, enables mutual isolation among multiple parties within a single virtual machine. The lower layer leverages AMD SEV-SNP to provide hardware-enforced memory protection, while the upper layer employs the WebAssembly component model to realize fine-grained code sandboxing. An immutable manifest binds participants, components, data flows, and outputs, with security policies embedded into remote attestation to guarantee each party full control over its own assets and independent verifiability. Experimental results demonstrate practical feasibility on commodity hardware, with negligible overhead for sequential memory access and at most approximately 2× latency for pointer-intensive workloads.

Collaborative computation across organizations is often constrained by the need to process sensitive data and proprietary code without exposing them to untrusted infrastructure or participants. Cryptographic approaches such as fully homomorphic encryption and secure multi-party computation provide strong confidentiality but remain impractical for general workloads due to their extreme computational cost. We present the Two-Way Confidential Virtual Machine (2cVM), a two-layer architecture that pairs a hardware trusted execution environment with an intra-workload isolation layer. Unlike regular Confidential Virtual Machines, 2cVM enforces mutual isolation between co-resident workloads, ensuring that participants retain control over their data and code. All computation in 2cVM is governed by a Commitment Manifest that enumerates participants, component composition, permitted data channels, and authorized outputs; the manifest is locked to the VM and incorporated into attestation evidence, making the policy immutable and independently verifiable throughout the VM's lifetime. A proof-of-concept realization combines AMD SEV-SNP for hardware protection with the WebAssembly Component Model for fine-grained sandboxing of participant code. Evaluation on commodity hardware across four benchmark classes shows that the two isolation layers do not accumulate linearly: once a workload executes inside the WebAssembly sandbox, the marginal cost of enabling hardware memory protection is small. Overhead is workload-dependent, governed primarily by memory access pattern, ranging from negligible for sequential workloads to approximately 2x for irregular, pointer-chasing access patterns. These results indicate that 2cVM provides a practical and verifiable foundation for privacy-preserving collaborative computation.