Patents by Inventor Yueqiang Cheng

Yueqiang Cheng has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20210279344
    Abstract: According to one embodiment, a system establishes a secure connection between a host system and a data processing (DP) accelerator over a bus, the secure connection including one or more data channels. The system transmits a first instruction from the host system to the DP accelerator over a command channel, the first instruction requesting the DP accelerator to perform a data preparation operation. The system receives a first request to read a first data from a first memory location of the host system from the DP accelerator over one data channel. In response to the request, the system transmits the first data to the DP accelerator over the data channel, where the first data is utilized for a computation or a configuration operation. The system transmits a second instruction from the host system to the DP accelerator over the command channel to perform the computation or the configuration operation.
    Type: Application
    Filed: January 4, 2019
    Publication date: September 9, 2021
    Inventors: Yong LIU, Yueqiang CHENG, Jian OUYANG, Tao WEI
  • Publication number: 20210281408
    Abstract: According to one embodiment, a DP accelerator includes one or more execution units (EUs) configured to perform data processing operations in response to an instruction received from a host system coupled over a bus. The DP accelerator includes a time unit (TU) coupled to the security unit to provide timestamp services. The DP accelerator includes a security unit (SU) configured to establish and maintain a secure channel with the host system to exchange commands and data associated with the data processing operations, where the security unit includes a secure storage area to store a private root key associated with the DP accelerator, where the private root key is utilized for authentication. The SU includes a random number generator to generate a random number, and a cryptographic engine to perform cryptographic operations on data exchanged with the host system over the bus using a session key derived based on the random number.
    Type: Application
    Filed: January 4, 2019
    Publication date: September 9, 2021
    Inventors: Yong LIU, Yueqiang CHENG, Jian OUYANG, Tao WEI
  • Publication number: 20210250174
    Abstract: According to one embodiment, in response to receiving a temporary public key (PK_d) from a data processing (DP) accelerator, a system generates a first nonce (nc) at the host system, where the DP accelerator is coupled to the host system over a bus. The system transmits a request to create a session key from the host system to the DP accelerator, the request including a host public key (PK_O) and the first nonce. The system receives a second nonce (ns) from the DP accelerator, where the second nonce is encrypted using the host public key and a temporary private key (SK_d) corresponding to the temporary public key. The system generates a first session key based on the first nonce and the second nonce, which is utilized to encrypt or decrypt subsequent data exchanges between the host system and the DP accelerator.
    Type: Application
    Filed: January 4, 2019
    Publication date: August 12, 2021
    Inventors: Yueqiang CHENG, Yong LIU, Tao WEI, Jian OUYANG
  • Publication number: 20210176070
    Abstract: Embodiments disclose systems and methods to broadcast a message among virtual DP accelerators (DPAs). In one embodiment, in response to receiving a broadcast instruction from an application via a communication switch, the broadcast instruction designating one or more virtual DP accelerators of a plurality of virtual DP accelerators to receive a broadcast message, a system encrypts the broadcast message based on a broadcast session key for a broadcast communication session. The system determines one or more public keys of one or more security key pairs each associated with one of the designated virtual DP accelerators. The system encrypts a plurality of the broadcast session key based on the determined one or more public keys. The system broadcasts the encrypted broadcast message, and the one or more encrypted broadcast session keys to the virtual DP accelerators.
    Type: Application
    Filed: December 10, 2019
    Publication date: June 10, 2021
    Inventors: YONG LIU, YUEQIANG CHENG
  • Publication number: 20210173701
    Abstract: Embodiments disclose systems and methods of an operating system module for a data processing accelerator (DPA). The operating system module can schedule jobs and manage resources (e.g., computing units, memory, IO bandwidth) of the DPA. For one embodiment, a system receives a request, by a DPA, the request sent by an application to execute a data processing task. The system schedules, by an operating system module of the DPA, one or more commands based on one or more kernels to complete the data processing task. The system generates, by the operating system module of the DPA, a completion signal upon completion of the one or more scheduled commands. The system sends a result back to the application acknowledging completion of the one or more commands for the data processing task based on the completion signal.
    Type: Application
    Filed: December 10, 2019
    Publication date: June 10, 2021
    Inventors: Yueqiang Cheng, Yong Liu
  • Publication number: 20210173934
    Abstract: According to one embodiment, a system performs a secure boot using a security module such as a trusted platform module (TPM) of a host system. The system establishes a trusted execution environment (TEE) associated with one or more processors of the host system. The system launches a memory manager within the TEE, where the memory manager is configured to manage memory resources of a data processing (DP) accelerator coupled to the host system over a bus, including maintaining memory usage information of global memory of the DP accelerator. In response to a request received from an application running within the TEE for accessing a memory location of the DP accelerator, the system allows or denies the request based on the memory usage information.
    Type: Application
    Filed: January 4, 2019
    Publication date: June 10, 2021
    Applicants: Baidu.com Times Technology (Beijing) Co., Ltd., Baidu USA LLC
    Inventors: Yong LIU, Yueqiang CHENG, Jian OUYANG, Tao WEI
  • Publication number: 20210176632
    Abstract: According to one embodiment, a broadcast request is received from a host that hosts an application that initiated a broadcast message to be broadcast to one or more DP accelerators of a plurality of DP accelerators coupled to the host, where the broadcast request includes one or more DP accelerator identifiers (IDs) identifying the one or more DP accelerators. A broadcast session key for a broadcast communication session to broadcast the broadcast message is received from the host. For each of the one or more DP accelerator IDs, a public key of a security key pair corresponding to the DP accelerator ID is identified. The broadcast message is encrypted using the broadcast session key. The broadcast session key is encrypted using the public key. The encrypted broadcast message and the encrypted broadcast session key are transmitted to a DP accelerator identified by the DP accelerator ID.
    Type: Application
    Filed: December 10, 2019
    Publication date: June 10, 2021
    Inventors: YONG LIU, YUEQIANG CHENG
  • Publication number: 20210176063
    Abstract: According to one embodiment, a system receives, at a host channel manager (HCM) of a host system, a request from an application to establish a secure channel with a data processing (DP) accelerator, where the DP accelerator is coupled to the host system over a bus. In response to the request, the system generates a first session key for the secure channel based on a first private key of a first key pair associated with the HCM and a second public key of a second key pair associated with the DP accelerator. In response to a first data associated with the application to be sent to the DP accelerator, the system encrypts the first data using the first session key. The system then transmits the encrypted first data to the DP accelerator via the secure channel over the bus.
    Type: Application
    Filed: January 4, 2019
    Publication date: June 10, 2021
    Inventors: Yong LIU, Yueqiang CHENG, Jian OUYANG, Tao WEI
  • Publication number: 20210176217
    Abstract: According to one embodiment, a broadcast request is received from a host via a communication switch to broadcast a broadcast message to one or more DP accelerators, where the host hosts an application that initiated the broadcast request. The broadcast request includes a list of one or more public keys associated with one or more DP accelerators of a plurality of DP accelerators coupled to the communication switch. For each of the one or more DP accelerators associated with the public keys of the list, a session key for a broadcast session corresponding to the broadcast message is encrypted using one of the public keys associated with the DP accelerator. The broadcast message is encrypted using the broadcast session key. The encrypted broadcast messages and the encrypted broadcast session keys are broadcast to the DP accelerators.
    Type: Application
    Filed: December 10, 2019
    Publication date: June 10, 2021
    Inventors: YONG LIU, YUEQIANG CHENG
  • Publication number: 20210176035
    Abstract: According to one embodiment, a system receives, at a host system from a data processing (DP) accelerator, an accelerator identifier (ID) that uniquely identifies the DP accelerator, wherein the host system is coupled to the DP accelerator over a bus. The system transmits the accelerator ID to a predetermined trusted server over a network. The system receives a certificate from the predetermined trusted server over the network, the certificate certifying the DP accelerator. The system extracts a public root key (PK_RK) from the certificate for verification, the PK_RK corresponding to a private root key (SK_RK) associated with the DP accelerator. The system establishes a secure channel with the DP accelerator using the PK_RK based on the verification to exchange data securely between the host system and the DP accelerator.
    Type: Application
    Filed: January 4, 2019
    Publication date: June 10, 2021
    Inventors: Yueqiang CHENG, Yong LIU, Tao WEI, Jian OUYANG
  • Publication number: 20210173917
    Abstract: According to one embodiment, a system receives, at a runtime library executed within a trusted execution environment (TEE) of a host system, a request from an application to invoke a predetermined function to perform a predefined operation. In response to the request, the system identifies a kernel object associated with the predetermined function. The system verifies an executable image of the kernel object using a public key corresponding to a private key that was used to sign the executable image of the kernel object. In response to successfully verifying the executable image of the kernel object, the system transmits the verified executable image of the kernel object to a data processing (DP) accelerator over a bus to be executed by the DP accelerator to perform the predefined operation.
    Type: Application
    Filed: January 4, 2019
    Publication date: June 10, 2021
    Inventors: Yueqiang CHENG, Yong LIU, Tao WEI, Jian OUYANG
  • Publication number: 20210173428
    Abstract: According to one embodiment, a DP accelerator includes one or more execution units (EUs) configured to perform data processing operations in response to an instruction received from a host system coupled over a bus. The DP accelerator includes a security unit (SU) configured to establish and maintain a secure channel with the host system to exchange commands and data associated with the data processing operations. The DP accelerator includes a time unit (TU) coupled to the security unit to provide timestamp services to the security unit, where the time unit includes a clock generator to generate clock signals locally without having to derive the clock signals from an external source. The TU includes a timestamp generator coupled to the clock generator to generate a timestamp based on the clock signals, and a power supply to provide power to the clock generator and the timestamp generator.
    Type: Application
    Filed: January 4, 2019
    Publication date: June 10, 2021
    Inventors: Yong LIU, Yueqiang CHENG, Jian OUYANG, Tao WEI
  • Publication number: 20210173661
    Abstract: According to one embodiment, a system receives, at a host system, a public attestation key (PK_ATT) or a signed PK_ATT from a data processing (DP) accelerator over a bus. The system verifies the PK_ATT using a public root key (PK_RK) associated with the DP accelerator. In response to successfully verifying the PK_ATT, the system transmits a kernel identifier (ID) to the DP accelerator to request attesting a kernel object stored in the DP accelerator. In response to receiving a kernel digest or a signed kernel digest corresponding to the kernel object from the DP accelerator, the system verifies the kernel digest using the PK_ATT. The system sends the verification results to the DP accelerator for the DP accelerator to access the kernel object based on the verification results.
    Type: Application
    Filed: January 4, 2019
    Publication date: June 10, 2021
    Inventors: Yueqiang CHENG, Yong LIU, Tao WEI, Jian OUYANG
  • Publication number: 20210173724
    Abstract: Embodiments disclose systems and methods to broadcast a message to one or more virtual data processing (DP) accelerators. In response to receiving a broadcast instruction from an application, the broadcast instruction designating one or more virtual DP accelerators of a plurality of virtual DP accelerators to receive a broadcast message, the system encrypts the broadcast message based on a broadcast session key for a broadcast communication session. The system determines one or more public keys of one or more security key pairs each associated with one of the designated virtual DP accelerators. The system encrypts the broadcast session key based on the determined one or more public keys. The system broadcasts the encrypted broadcast message, and the one or more encrypted broadcast session keys to adjacent virtual DP accelerators for propagation.
    Type: Application
    Filed: December 10, 2019
    Publication date: June 10, 2021
    Inventors: YONG LIU, YUEQIANG CHENG
  • Publication number: 20210173666
    Abstract: According to one embodiment, a data processing system performs a secure boot using a security module (e.g., a trusted platform module (TPM)) of a host system. The system verifies that an operating system (OS) and one or more drivers including an accelerator driver associated with a data processing (DP) accelerator are provided by a trusted source. The system launches the accelerator driver within the OS. The system generates a trusted execution environment (TEE) associated with one or more processors of the host system. The system launches an application and a runtime library within the TEE, where the application communicates with the DP accelerator via the runtime library and the accelerator driver.
    Type: Application
    Filed: January 4, 2019
    Publication date: June 10, 2021
    Inventors: Yueqiang CHENG, Yong LIU, Tao WEI, Jian OUYANG
  • Publication number: 20210160225
    Abstract: A host processing device (“host”) instructs a plurality of data processing (DP) accelerators to configure themselves for secure communications. The host generates an adjacency table of each of the plurality of DP accelerators (“DPAs”). The host is communicatively coupled to the plurality of DPAs via a switch. The host transmits, to the switch, a list of the DPAs and instructs the switch to generate an adjacency table of the DPAs that includes a unique identifier of each DPA and a communication port of the switch associated with the DPA. The host establishes a session key communication with each DPA and sends the DPA a list of other DPAs that the DPA is to establish a session key with, for secure communications between the DPAs. The DPA establishes a different session key for each pair of the plurality of DPAs.
    Type: Application
    Filed: November 22, 2019
    Publication date: May 27, 2021
    Inventors: Yong LIU, Yueqiang CHENG
  • Publication number: 20210160197
    Abstract: A host processing device instructs a plurality of virtual data processing (VDP) accelerators, configured on each of a plurality of data processing accelerators. The VDP accelerators configure themselves for secure communications. The host device generates an adjacency table of each of the plurality of VDP accelerators. The host device then establishes a session key communication with each VDP accelerator and sends the VDP accelerator a list of other VDP accelerators that the VDP accelerator is to establish a session key with, for secure communications between the VDP accelerators. The VDP accelerator establishes a different session key for each pair of the plurality of VDP accelerators.
    Type: Application
    Filed: November 22, 2019
    Publication date: May 27, 2021
    Inventors: Yong LIU, Yueqiang CHENG
  • Publication number: 20210160060
    Abstract: A host processing device instructs a plurality of virtual data processing (VDP) accelerators, configured on each of a plurality of data processing accelerators. The VDP accelerators configure themselves for secure communications. The host device generates an adjacency table of each of the plurality of VDP accelerators. The host device then establishes a session key communication with each VDP accelerator and sends the VDP accelerator a list of other VDP accelerators that the VDP accelerator is to establish a session key with, for secure communications between the VDP accelerators. The VDP accelerator establishes a different session key for each pair of the plurality of VDP accelerators.
    Type: Application
    Filed: November 22, 2019
    Publication date: May 27, 2021
    Inventors: Yong LIU, Yueqiang CHENG
  • Publication number: 20210160061
    Abstract: A host processing device instructs a plurality of data processing (DP) accelerators to configure themselves for secure communications. The host device generates an adjacency table of each of the plurality of DP accelerators. The host device then establishes a session key communication with each DP accelerator and sends the DP accelerator a list of other DP accelerators that the DP accelerator is to establish a session key with, for secure communications between the DP accelerators. The DP accelerator establishes a different session key for each pair of the plurality of DP accelerators. When all DP accelerators have established a session key for communication with other DP accelerators, according to the respective list of other DP accelerators sent by the host device, then the host device can assign work tasks for performance by a plurality of DP accelerators, each communicating over a separately secured communication channel.
    Type: Application
    Filed: November 22, 2019
    Publication date: May 27, 2021
    Inventors: Yong LIU, Yueqiang CHENG
  • Publication number: 20210149733
    Abstract: Embodiments of the disclosure relate to configuring a watermark unit with watermark algorithms for artificial intelligence (AI) models for a data processing (DP) accelerator. In one embodiment, in response to a request received by a DP accelerator, the request, sent by an application, to apply a watermark algorithm to an AI model by the DP accelerator, a system determines that the watermark algorithm is not available at a watermark unit of the DP accelerator. The system sends a request for the watermark algorithm. The system receives the watermark algorithm by the DP accelerator. The system configures the watermark unit at runtime with the watermark algorithm for the watermark algorithm to be used by the DP accelerator.
    Type: Application
    Filed: November 14, 2019
    Publication date: May 20, 2021
    Inventors: YUEQIANG CHENG, YONG LIU