This paper proposes SecureNPU, a hardware-software co-design framework for secure multi-tenant NPU sharing, leveraging hardware isolation primitives to provide confidentiality and integrity guarantees with minimal performance overhead.
Key findings
SecureNPU introduces mechanisms for spatial and temporal isolation of NPU resources.
Secure memory partitioning with configurable protection domains is proposed.
Side-channel resistant scheduling policies and hardware-assisted tenant attestation are included.
Preliminary analysis shows isolation guarantees comparable to CPU-based TEEs with less than 8% performance overhead.
Limitations & open questions
The framework's effectiveness in diverse real-world scenarios is yet to be fully validated.
How the security measures affect memory-bandwidth-sensitive workloads requires further study.