Hostile Multi-Tenancy on a Single Commodity GPU: Can it be secure?

Demi Obenour

While GPU multi-tenancy in the server world has grown rapidly, hostile multi-tenancy on single, commodity GPUs has been virtually unexplored. Existing multi-tenancy solutions for GPUs all fall short in at least one of the following areas: minimizing attack surface, strongly isolating potentially hostile tenants, supporting consumer GPUs, and allowing parallel sharing of a single GPU between tenants. Containers and VirtualBox’s virtual GPU are not secure enough to protect against hostile workloads. VirGL, KVMGT, XenGT, and WebGL are all incredibly complex solutions with a massive attack surface. AMD and NVIDIA already support GPU virtualization, but it is limited to costly enterprise cards, and the NVIDIA solution requires proprietary drivers. Hyper-V GPU partitioning support is neither free software nor production ready. Finally, PCIe pass-through to a VM requires 1 GPU per tenant, which makes it insufficient for desktop partitioning solutions such as Qubes OS.

This workshop is a twofold challenge: First, determine if hostile multi-tenancy on a single commodity GPU can be implemented securely. If it can, figure out how; if it cannot, determine what would be needed from GPU vendors. The goal is to begin work towards a secure, capability-based GPU multiplexer that runs on commodity hardware and is agnostic to the specific CPU-side isolation mechanism, whether it be a microkernel, a hypervisor, or something else entirely.