About Hyeseon

Hyeseon's walkthrough

Trusted Execution Environment (TEE) for Securing AI Accelerators and Data-Centric Applications


About the Project

This project is a joint effort for enhancing data security and privacy for artificial intelligence (AI) and machine learning using TEEs (trusted execution environments).

Since CPUs are not specialized for powering AI, most AI efforts focus primarily on GPUs or dedicated accelerators. Among these, I focused on securing GPUs, because the TEEs that existed in that period focused on protecting CPUs, while peripherals were generally not yet protected. Only ARM TrustZone had made limited efforts to protect them, by controlling the devices under exception level 3 (EL3).

I strove to protect GPUs without significantly trading off their performance. Existing efforts to secure GPUs with TEEs required some degree of modification to existing GPUs and/or the hardware stack, which I did not want. Therefore, I tried to secure the device using only software modules. Modifying OP-TEE and TrustedFirmware-A, which are well-known wrapping TEEs for ARM TrustZone, I changed the software stack so that the GPU memory area could be accessed from EL3, while modifying the kernel driver, which runs at EL1, to allow it to communicate with the TEE. There were also security measures for EL1, since EL1 drivers cannot be fully trusted. Based on Virgil's concept, I tried to implement security measures that allowed the GPU to communicate confidentially with EL3 while using untrusted GPU drivers.

Contribution and Information

  • Period of Contribution: 9/2020 ~ 8/2022
  • Total Participants: around 6 people
  • My Role: contributing to the implementation of a GPU TEE