Modern data centers have grown beyond CPU nodes to provide domain-specific accelerators such as GPUs and FPGAs to their customers. From a security standpoint, cloud customers want to protect their data. They are willing to pay additional costs for trusted execution environments such as enclaves provided by Intel SGX and AMD SEV. Unfortunately, the customers have to make a critical choice -- either use domain-specific accelerators for speed or use CPU-based confidential computing solutions. To bridge this gap, we aim to enable data-center scale confidential computing that expands across CPUs and accelerators. We argue that having wide-scale TEE-support for accelerators presents a technically easier solution, but is far away from being a reality. Instead, our hybrid design provides enclaved execution guarantees for computation distributed over multiple CPU nodes and devices with/without TEE support. Our solution scales gracefully in two dimensions -- it can handle a large number of heterogeneous nodes and it can accommodate TEE-enabled devices as and when they are available in the future. We observe marginal overheads of $0.42$--$8\%$ on real-world AI data center workloads that are independent of the number of nodes in the data center. We add custom TEE support to two accelerators (AI and storage) and integrate it into our solution, thus demonstrating that it can cater to future TEE devices.

翻译：现代数据中心已经超越了 CPU 节点, 以向客户提供特定域加速器。 从安全角度看, 云端客户希望保护自己的数据。 他们愿意为英特尔 SGX 和 AMD SAEV 提供的飞地等信任的执行环境支付额外的费用。 不幸的是, 客户必须做出重要选择 -- -- 要么使用特定域加速器来加快速度, 要么使用基于 CPU 的机密计算解决方案。 为了缩小这一差距, 我们的目标是使数据中心规模的保密计算能够跨越CPU 和加速器。 我们争论说, 对加速器的大规模TE支持在技术上比较容易,但远没有成为现实。 相反,我们的混合设计提供了飞地执行保证,用于计算在多个CPU节点和装置上分布的计算,而没有TEE支持。 我们的解决方案在两个层面宽度范围内可以处理大量混合节点, 并且可以容纳TEE 驱动的装置, 当它们在未来可以使用的时候, 。 我们观察的是用于加速器加速器的边端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端端