Confidential Computing for Next-Gen Data Centers

Thu 15 Jun 2023

Aritra Dhar, Huawei

From 11:00 until 12:30

At CAB H 52 (Seminar) + CNB/F/110 (Lunch), ETH Zurich



Modern data centers have grown beyond CPU nodes to offer their customers domain-specific accelerators such as GPUs and FPGAs. Customers are concerned about protecting their data and are willing to accept a certain performance degradation in exchange for trusted execution environments (TEEs) such as Intel SGX or AMD SEV. However, they currently face a trade-off between using accelerators for speed and CPU-based confidential computing for security.

To bridge this gap, this talk investigates the feasibility of enclaved execution across multi-tenant heterogeneous nodes, extending beyond TEE-enabled CPUs. Wide-scale TEE support for accelerators may seem the straightforward solution, but it is far from being a reality. Instead, our hybrid design provides enclaved execution guarantees for computation distributed over multiple CPU nodes and devices both with and without TEE support. The solution scales gracefully in two dimensions: it can handle many heterogeneous nodes, and it can accommodate TEE-enabled devices as and when they become available in the future. We evaluate several real-world data center workloads and show the feasibility of such a system. We add custom TEE support to two accelerators, an AI accelerator and a storage accelerator, and integrate them into our solution with low overhead, which shows that adding TEE support to existing accelerators is already feasible. Moreover, our end-to-end evaluation with both TEE and non-TEE nodes shows the feasibility of distributed trusted execution for future data centers.

