iree-org / iree

A retargetable MLIR-based machine learning compiler and runtime toolkit.
http://iree.dev/
Apache License 2.0

Explore enclaves for secure command buffer execution #3910

Open benvanik opened 4 years ago

benvanik commented 4 years ago

Intel SGX and a hypervisor-based VBS are exposed on Windows via `CreateEnclave`. We should see what a command buffer implementation that could interface with these looks like, where `DEVICE_LOCAL && !HOST_VISIBLE` buffers can live entirely in the enclave, `HOST_LOCAL` buffers can be copied via `iree_hal_command_buffer_copy_buffer` into the enclave, and dispatches can be performed on executables loaded into the enclave.

This would be modeled as a unique HAL driver reusing the `iree_hal_executable_library_t` (#3580). If the enclave APIs exposed aren't good enough (don't interact well with threading, etc.) we can implement the HAL driver within the enclave and run the thread pool in there, and then just marshal across command buffers. This is the approach that we can take as a fallback too for sandboxing/out-of-process execution, so it may net out to the same exact API.

Not sure what the ARM/RISC-V story is here - that's the other thing to look into.
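
Added example (not part of the original issue and not IREE code): a minimal C sketch of the buffer placement rule and the host-to-enclave copy described in the comment above, written as the enclave-side handler for a marshalled copy command. The flag values, `buffer_t`, `enclave_copy_buffer` and the no-readback policy are assumptions for illustration; nothing here calls SGX, VBS or the IREE HAL.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical bits named after the flags in the issue; not IREE's enum values. */
enum { MEM_HOST_VISIBLE = 1u << 0, MEM_HOST_LOCAL = 1u << 1, MEM_DEVICE_LOCAL = 1u << 2 };

typedef struct { uint32_t memory_type; uint8_t *data; size_t size; } buffer_t;
typedef enum { COPY_OK = 0, COPY_BAD_RANGE, COPY_WOULD_LEAK } copy_status_t;

/* Placement rule from the issue: DEVICE_LOCAL && !HOST_VISIBLE stays in the enclave. */
static bool buffer_is_enclave_resident(const buffer_t *b) {
  return (b->memory_type & MEM_DEVICE_LOCAL) && !(b->memory_type & MEM_HOST_VISIBLE);
}

/* Enclave-side handler for a marshalled copy command. Offsets and length are
   treated as untrusted host input (assumption of this sketch). */
static copy_status_t enclave_copy_buffer(const buffer_t *src, size_t src_off,
                                         buffer_t *dst, size_t dst_off, size_t len) {
  /* Subtract instead of add so a huge offset or length cannot wrap around. */
  if (src_off > src->size || len > src->size - src_off) return COPY_BAD_RANGE;
  if (dst_off > dst->size || len > dst->size - dst_off) return COPY_BAD_RANGE;
  /* Assumed policy: enclave-resident contents never flow to host-readable memory. */
  if (buffer_is_enclave_resident(src) && !buffer_is_enclave_resident(dst))
    return COPY_WOULD_LEAK;
  memmove(dst->data + dst_off, src->data + src_off, len);
  return COPY_OK;
}

/* Constructed sample buffers: one host staging buffer, one enclave buffer. */
static uint8_t host_bytes[8] = {1, 2, 3, 4, 5, 6, 7, 8};
static uint8_t enclave_bytes[8];
static buffer_t host_buf = {MEM_HOST_LOCAL | MEM_HOST_VISIBLE, host_bytes, 8};
static buffer_t enclave_buf = {MEM_DEVICE_LOCAL, enclave_bytes, 8};

int main(void) {
  printf("host -> enclave: %d\n", (int)enclave_copy_buffer(&host_buf, 0, &enclave_buf, 0, 8));
  printf("wrapping length: %d\n", (int)enclave_copy_buffer(&host_buf, 4, &enclave_buf, 0, SIZE_MAX));
  printf("enclave -> host: %d\n", (int)enclave_copy_buffer(&enclave_buf, 0, &host_buf, 0, 8));
  return 0;
}
```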

benvanik commented 4 years ago

AMD's version is SEV (Secure Encrypted Virtualization), and looks to be more representative of the performance we want: https://arxiv.org/pdf/1903.04203.pdf https://caslab.csl.yale.edu/workshops/hasp2018/HASP18_a9-mofrad_slides.pdf

Would be good to compare with ARM TrustZone - or find someone internally who has :P

allieculp commented 1 year ago

Sending to backlog due to the date of the issue - please reprioritize if needed.