Abstract: A multitenancy system that includes a host provider, a programmable device, and multiple tenants is provided. The host provider may publish a multitenancy mode sharing and allocation policy that includes a list of terms to which the programmable device and tenants can adhere. The programmable device may include a secure device manager configured to operate in a multitenancy mode to load a tenant persona into a given partial reconfiguration (PR) sandbox region on the programmable device. The secure device manager may be used to enforce spatial isolation between different PR sandbox regions and temporal isolation between successive tenants in one PR sandbox region.

Abstract: A computing platform comprising a plurality of disaggregated data center resources and an infrastructure processing unit (IPU), communicatively coupled to the plurality of resources, to compose a platform of the plurality of disaggregated data center resources for allocation of microservices cluster.

Abstract: Various systems and methods for implementing intent-based orchestration in heterogenous compute platforms are described herein. An orchestration system is configured to: receive, at the orchestration system, a workload request for a workload, the workload request including an intent-based service level objective (SLO); generate rules for resource allocation based on the workload request; generate a deployment plan using the rules for resource allocation and the intent-based SLO; deploy the workload using the deployment plan; monitor performance of the workload using real-time telemetry; and modify the rules for resource allocation and the deployment plan based on the real-time telemetry.

Abstract: Various systems and methods for implementing computational storage are described herein. An orchestrator system is configured to: receive, at the orchestrator system, a registration package, the registration package including function code, a logical location of input data for the function code, and an event trigger for the function code, the event trigger set to trigger in response to when the input data is modified; interface with a storage service, the storage service to monitor the logical location of the input data and notify a location service when the input data is modified; interface with the location service to obtain a physical location of the input data, the location service to resolve the physical location from the logical location of the input data; and configure the function code to execute near the input data.

Abstract: An apparatus to facilitate enabling secure state-clean during configuration of partial reconfiguration bitstreams on accelerator devices is disclosed. The apparatus includes a security engine to perform, as part of a PR configuration sequence for a new partial reconfiguration (PR) persona corresponding to a PR bitstream, a first clear operation to clear previously-set persona configuration bits in the region; perform, as part of the PR configuration sequence subsequent to the first clear operation, a set operation to set new persona configuration bits in the region; and perform, as part of the PR configuration sequence, a second clear operation to clear memory blocks of the region that became unfrozen subsequent to the set operation.

Abstract: An apparatus to facilitate enabling late-binding of security features via configuration security controller for accelerator devices is disclosed.

Abstract: Various systems and methods for implementing intent-based orchestration in heterogenous compute platforms are described herein. An orchestration system is configured to: receive, at the orchestration system, a workload request for a workload, the workload request including an intent-based service level objective (SLO); generate rules for resource allocation based on the workload request; generate a deployment plan using the rules for resource allocation and the intent-based SLO; deploy the workload using the deployment plan; monitor performance of the workload using real-time telemetry; and modify the rules for resource allocation and the deployment plan based on the real-time telemetry.

Abstract: An apparatus to facilitate enabling secure communication via attestation of multi-tenant configuration on accelerator devices is disclosed. The apparatus includes a processor to: verify a base bitstream of an accelerator device, the base bitstream published by a cloud service provider (CSP); generate a partial reconfiguration (PR) bitstream based on the base bitstream, the PR bitstream to fit within at least one PR region of PR boundary setups of the accelerator device; inspect accelerator device attestation received from a secure device manager (SDM) of the accelerator device; and responsive to successful inspection of the accelerator device attestation, provide the PR bitstream to the CSP for PR reconfiguration of the accelerator device.

Abstract: A computing platform comprising a plurality of disaggregated data center resources and an infrastructure processing unit (IPU), communicatively coupled to the plurality of resources, to compose a platform of the plurality of disaggregated data center resources for allocation of microservices cluster.

Abstract: A detection circuit includes a tunable delay circuit that generates a delayed signal and that receives a supply voltage. The detection circuit includes a control circuit that adjusts a delay provided by the tunable delay circuit to the delayed signal. The detection circuit includes a time-to-digital converter circuit that converts the delay provided by the tunable delay circuit to the delayed signal to a digital code and adjusts the digital code based on changes in the supply voltage. The control circuit causes the tunable delay circuit to maintain the delay provided to the delayed signal constant in response to the digital code reaching an alignment value. The detection circuit may continuously monitor timing margin of a data signal relative to a clock signal and update the digital code in every clock cycle. The detection circuit may be a security sensor that detects changes in the supply voltage.

Abstract: A multitenancy system that includes a host provider, a programmable device, and multiple tenants is provided. The host provider may publish a multitenancy mode sharing and allocation policy that includes a list of terms to which the programmable device and tenants can adhere. The programmable device may include a secure device manager configured to operate in a multitenancy mode to load a tenant persona into a given partial reconfiguration (PR) sandbox region on the programmable device. The secure device manager may be used to enforce spatial isolation between different PR sandbox regions and temporal isolation between successive tenants in one PR sandbox region.

Abstract: An apparatus to facilitate broadcast remote sealing for scalable trusted execution environment provisioning is disclosed. The apparatus includes a cloud service provider (CSP) execution platform comprising hardware circuitry for executing virtualized environments and comprising hardware accelerator devices, wherein the CSP execution platform to: authorize a tenant to deploy workloads of the tenant to CSP execution resources; provide a group status report to the tenant to inform the tenant of an existence and a status of a group of trusted execution platforms, wherein the group comprises at least one of the CSP execution resources; receive an encrypted workload of the tenant, wherein the encrypted workload is encrypted using a group public key of the group; store the encrypted workload at storage of the CSP execution platform; and dispatch the encrypted workload to the at least one of the CSP execution resources of the group.

Abstract: An integrated circuit device may include a programmable fabric die having programmable logic fabric and configuration memory that may configure the programmable logic fabric. The integrated circuit device may also include a base die that may provide fabric support circuitry, including memory and/or communication interfaces as well as compute elements that may also be application-specific. The memory in the base die may be directly accessed by the programmable fabric die using a low-latency, high capacity, and high bandwidth interface.

Abstract: A multitenancy system that includes a host provider, a programmable device, and multiple tenants is provided. The host provider may publish a multitenancy mode sharing and allocation policy that includes a list of terms to which the programmable device and tenants can adhere. The programmable device may include a secure device manager configured to operate in a multitenancy mode to load a tenant persona into a given partial reconfiguration (PR) sandbox region on the programmable device. The secure device manager may be used to enforce spatial isolation between different PR sandbox regions and temporal isolation between successive tenants in one PR sandbox region.

Abstract: An apparatus to facilitate enabling secure communication via attestation of multi-tenant configuration on accelerator devices is disclosed. The apparatus includes a processor to: verify a base bitstream of an accelerator device, the base bitstream published by a cloud service provider (CSP); generate a partial reconfiguration (PR) bitstream based on the base bitstream, the PR bitstream to fit within at least one PR region of PR boundary setups of the accelerator device; inspect accelerator device attestation received from a secure device manager (SDM) of the accelerator device; and responsive to successful inspection of the accelerator device attestation, provide the PR bitstream to the CSP for PR reconfiguration of the accelerator device.

Abstract: An apparatus to facilitate transparent network access controls for spatial accelerator device multi-tenancy is disclosed. The apparatus includes a secure device manager (SDM) to: establish a network-on-chip (NoC) communication path in the apparatus, the NoC communication path comprising a plurality of NoC nodes for ingress and egress of communications on the NoC communication path; for each NoC node of the NoC communication path, configure a programmable register of the NoC node to indicate a node group that the NoC node is assigned, the node group corresponding to a persona configured on the apparatus; determine whether a prefix of received data at the NoC node matches the node group indicated by the programmable register of the NoC; and responsive to determining that the prefix does not match the node group, discard the data from the NoC node.

Abstract: An apparatus to facilitate broadcast remote sealing for scalable trusted execution environment provisioning is disclosed. The apparatus includes a cloud service provider (CSP) execution platform comprising hardware circuitry for executing virtualized environments and comprising hardware accelerator devices, wherein the CSP execution platform to: authorize a tenant to deploy workloads of the tenant to CSP execution resources; provide a group status report to the tenant to inform the tenant of an existence and a status of a group of trusted execution platforms, wherein the group comprises at least one of the CSP execution resources; receive an encrypted workload of the tenant, wherein the encrypted workload is encrypted using a group public key of the group; store the encrypted workload at storage of the CSP execution platform; and dispatch the encrypted workload to the at least one of the CSP execution resources of the group.

Abstract: A voltage detection circuit includes a tunable delay circuit that receives a supply voltage and that generates a delayed signal in response to an input signal. A control circuit causes a first adjustment in a delay provided by the tunable delay circuit to the delayed signal. An error detection circuit generates an error indication in an error signal in response to a change in a timing of the delayed signal relative to a clock signal caused by the first adjustment in the delay provided to the delayed signal. The control circuit causes a second adjustment in the delay provided by the tunable delay circuit to the delayed signal in response to the error indication. The error detection circuit causes the error signal to be indicative of the supply voltage reaching a threshold voltage after the second adjustment in the delay.

Abstract: An apparatus to facilitate enabling late-binding of security features via configuration security controller for accelerator devices is disclosed.

Abstract: An apparatus to facilitate enabling secure communication via attestation of multi-tenant configuration on accelerator devices is disclosed. The apparatus includes a processor to: verify a base bitstream of an accelerator device, the base bitstream published by a cloud service provider (CSP); verify partial reconfiguration (PR) boundary setups and PR isolation of an accelerator device, the PR boundary setups and PR isolation published by the CSP; generate PR bitstream to fit within at least one PR region of the PR boundary setups of the accelerator device; inspect accelerator device attestation received from a secure device manager (SDM) of the accelerator device; and responsive to successful inspection of the accelerator device attestation, provide the PR bitstream to the CSP for PR reconfiguration of the accelerator device.