Graviton: Trusted Execution Environments on GPUs

13th USENIX Symposium on Operating Systems Design and Implementation

We propose Graviton, an architecture for supporting trusted execution environments on GPUs. Graviton enables applications to offload security- and performance-sensitive kernels and data to a GPU, and to execute those kernels in isolation from other code running on the GPU and from all software on the host, including the GPU device driver, the operating system and the hypervisor. Graviton requires no changes to existing CPUs, GPU cores, or the GPU’s MMU and memory controller, and can be integrated into existing GPUs with relatively low hardware complexity. We also propose extensions to the GPU runtime for securely copying data to and from the GPU and for executing kernels on it. We have implemented Graviton on off-the-shelf NVIDIA GPUs, using emulation for the new hardware features. Our evaluation shows that overheads are low (17-33%), with encryption and decryption of traffic to/from the GPU being the main source of overhead.