15-17 September 2021
Europe/Warsaw timezone

Hostile Multi-Tenancy on a Single Commodity GPU: Can it be secure?

17 Sep 2021, 13:15
Workshop Discussion Topic Workshop


Demi Obenour (Invisible Things Lab)


While GPU multi-tenancy in the server world has grown rapidly, hostile multi-tenancy on single, commodity GPUs has been virtually unexplored. Existing multi-tenancy solutions for GPUs all fall short in at least one of the following areas: minimizing attack surface, strongly isolating potentially hostile tenants, supporting consumer GPUs, and allowing parallel sharing of a single GPU between tenants. Containers and VirtualBox's virtual GPU are not secure enough to protect against hostile workloads. VirGL, KVMGT, XenGT, and WebGL are all incredibly complex solutions with massive attack surface. AMD and NVIDIA already support GPU virtualization, but it is limited to costly enterprise cards, and the NVIDIA solution requires proprietary drivers. Hyper-V GPU partitioning support is neither free software nor production ready. Finally, PCIe pass-through to a VM requires one GPU per tenant, which makes it insufficient for desktop partitioning solutions such as Qubes OS.

This workshop is a twofold challenge: first, determine whether hostile multi-tenancy on a single commodity GPU can be implemented securely. If it can, figure out how; if it cannot, determine what would be needed from GPU vendors. The goal is to begin work towards a secure, capability-based GPU multiplexer that runs on commodity hardware and is agnostic to the specific CPU-side isolation mechanism, whether it be a microkernel, a hypervisor, or something else entirely.

Code of Conduct Yes
GSoC, EVoC or Outreachy No

Primary author

Demi Obenour (Invisible Things Lab)
