15-17 September 2021
Europe/Warsaw timezone

Hostile Multi-Tenancy on a Single Commodity GPU: Can it be secure?

17 Sep 2021, 13:15
2h
Workshop Discussion Topic Workshop

Speaker

Demi Obenour (Invisible Things Lab)

Description

While GPU multi-tenancy in the server world has grown rapidly, hostile multi-tenancy on single, commodity GPUs has been virtually unexplored. Existing multi-tenancy solutions for GPUs all fall short in at least one of the following areas: minimizing attack surface, strongly isolating potentially hostile tenants, supporting consumer GPUs, and allowing parallel sharing of a single GPU between tenants. Containers and VirtualBox’s virtual GPU are not secure enough to protect against hostile workloads. VirGL, KVMGT, XenGT, and WebGL are all incredibly complex solutions with massive attack surface. AMD and NVIDIA already support GPU virtualization, but it is limited to costly enterprise cards, and the NVIDIA solution requires proprietary drivers. Hyper-V GPU partitioning support is neither free software nor production ready. Finally, PCIe pass-through to a VM requires one GPU per tenant, which makes it insufficient for desktop partitioning solutions such as Qubes OS.

This workshop is a twofold challenge: first, determine whether hostile multi-tenancy on a single commodity GPU can be implemented securely. If it can, figure out how; if it cannot, determine what would be needed from GPU vendors. The goal is to begin work towards a secure, capability-based GPU multiplexer that runs on commodity hardware and is agnostic to the specific CPU-side isolation mechanism, whether that is a microkernel, a hypervisor, or something else entirely.

Code of Conduct Yes
GSoC, EVoC or Outreachy No

Primary author

Demi Obenour (Invisible Things Lab)
