15-17 September 2021
Europe/Warsaw timezone

Hostile Multi-Tenancy on a Single Commodity GPU: Can it be secure?

17 Sep 2021, 13:15
2h
Workshop (Discussion Topic)

Speaker

Demi Obenour (Invisible Things Lab)

Description

While GPU multi-tenancy in the server world has grown rapidly, hostile multi-tenancy on single, commodity GPUs has been virtually unexplored. Existing multi-tenancy solutions for GPUs all fall short in at least one of the following areas: minimizing attack surface, strongly isolating potentially hostile tenants, supporting consumer GPUs, and allowing parallel sharing of a single GPU between tenants. Containers and VirtualBox’s virtual GPU are not secure enough to protect against hostile workloads. VirGL, KVMGT, XenGT, and WebGL are all incredibly complex solutions with a massive attack surface. AMD and NVIDIA already support GPU virtualization, but it is limited to costly enterprise cards, and the NVIDIA solution requires proprietary drivers. Hyper-V GPU partitioning support is neither free software nor production ready. Finally, PCIe pass-through to a VM requires 1 GPU per tenant, which makes it insufficient for desktop partitioning solutions such as Qubes OS.

This workshop is a twofold challenge: First, determine if hostile multi-tenancy on a single commodity GPU can be implemented securely. If it can, figure out how; if it cannot, determine what would be needed from GPU vendors. The goal is to begin work towards a secure, capability-based GPU multiplexer that runs on commodity hardware and is agnostic to the specific CPU-side isolation mechanism, whether it be a microkernel, a hypervisor, or something else entirely.


Primary author

Demi Obenour (Invisible Things Lab)

