Presentation
Principles for Enabling TEEs on Domain-Specific Accelerators
DescriptionModern disaggregated data centers have grown beyond CPU nodes to provide their customers with domain-specific accelerators (DSAs) such as GPUs, NPUs, and FPGAs. Existing CPU-based TEEs such as Intel SGX or AMD SEV does not provide sufficient protection. DSA-TEE such as Nvidia CC only addresses tightly coupled CPU-DSA systems with a propriety solution. On the other hand, existing academic proposals are tailored toward specific CPU-TEE platforms.
To bridge this lack of generality, in this paper, we investigate the feasibility of \textit{enclaved} execution across multi-tenant heterogeneous nodes, extending beyond TEE-enabled CPUs. Wide-scale TEE support for accelerators seems a straightforward solution but is far from being a reality.
In this paper, we investigate the fundamental design principles for enabling hardware-backed isolated and attestable instances, a.k.a., enclaves that provide isolation of code and data from attacker-controlled host software stack (OS/VMM). We prototype custom TEE hardware support for two kinds of accelerators: NPU and SSD with low overhead, that show the feasibility of adding TEE support to existing accelerators. Moreover, we evaluated our prototype with real-world AI and storage workload and observed 1-16% overhead.
To bridge this lack of generality, in this paper, we investigate the feasibility of \textit{enclaved} execution across multi-tenant heterogeneous nodes, extending beyond TEE-enabled CPUs. Wide-scale TEE support for accelerators seems a straightforward solution but is far from being a reality.
In this paper, we investigate the fundamental design principles for enabling hardware-backed isolated and attestable instances, a.k.a., enclaves that provide isolation of code and data from attacker-controlled host software stack (OS/VMM). We prototype custom TEE hardware support for two kinds of accelerators: NPU and SSD with low overhead, that show the feasibility of adding TEE support to existing accelerators. Moreover, we evaluated our prototype with real-world AI and storage workload and observed 1-16% overhead.
Event Type
Work-in-Progress Poster
TimeTuesday, June 256:00pm - 7:00pm PDT
LocationLevel 2 Lobby
AI
Autonomous Systems
Cloud
Design
EDA
Embedded Systems
IP
Security