Invented by Mark Bradley Davis, Erez Izenberg, Robert Michael Johnson, Asif Khan, Islam Mohamed Hatem Abdulfattah Mohamed Atta, Nafea BShara, Christopher Joseph Pettey, Amazon Technologies Inc
The Amazon Technologies Inc invention works as followsMethods are disclosed to securely erase partitions of reconfigurable devices, such as FPGAs, in a server multi-tenant environment. In one example, a method of securely erasing an FPGA includes identifying one partition of previously-programmed resources in the FPGA, erasing the identified partition by storing new values in memory or storage elements of the identified partition, and storing new values in memory or storage elements of additional external resources electrically connected to the integrated circuit and associated with the identified partition. Other partitions or subsequent users of the identified part are thus prevented from accessing securely erased data. “A configuration circuit that is accessible via DMA by the host computer can be programmed in the FPGA reconfigurable logical for performing the disclosed erasing operation.
Background for Controlling access to previously stored logic in a reconfigurable logical device
Cloud computing is the usage of computing resources, including hardware and software, which are located in remote locations and can be accessed via a network such as the Internet. Some arrangements allow users to purchase computing resources, such as storage and processing power, on a demand basis. Cloud computing allows remote services to handle a user’s software, data and computation. Virtual computing resources offer a variety of benefits, including cost savings and the ability to quickly adapt to changing computing needs.
Some computations can also be accelerated by using a coprocessor. This includes accelerators that are implemented with reconfigurable logical (e.g. in a Field Programmable Gate Array, or FPGA). FPGA developers connect a host computer equipped with a specialized JTAG interface to external pins on a local FPGA to accelerate functions mapped onto the FPGA. “Using such accelerators within a cloud computing system, which lacks FPGA specialized hardware or security features, offers ample opportunities for improvement.
As a solution to providing specialized computing within a set reusable of general computing resources, a server computing platform with configurable logic can be provided (for example by supplying a server computing device with an add-in-card that includes a reconfigurable logical device such as a FPGA). Configurable logic refers to hardware that can be configured or programmed to perform logic functions specified by configuration data. A user of computing resources may provide a specification for configuring configurable logic (e.g. written in Verilog or SystemVerilog or VHDL), or another language (e.g. C++ or SystemC) in the form of a netlist created by a schematic capture program or a script. The configurable logic may be configured in accordance with the specification and then used to perform an action for the user. Allowing a user to access low-level hardware can introduce privacy and security issues in the computing facility. As reconfigurable devices and their associated components (e.g. memory and other circuits connected to reconfigurable devices) are typically used by multiple users in a cloud-based environment, the data stored on the devices and components shouldn’t be accessible to future users.
The disclosed technologies include techniques for isolating, clearing, and/or scrubbing data stored in reconfigurable devices, and associated additional resources. The disclosed technologies include methods for isolating and/or cleaning data in reconfigurable devices and additional resources.
As used in this document, the term “isolating” refers to configuring a portion of a reconfigurable logic device so as to logically separate a partition from other circuitry within the reconfigurable logic device. Refers to the configuration of a portion within a reconfigurable logical device to logically isolate a partition from circuitry in the reconfigurable logic device. Isolating a partition makes it inaccessible to other partitions within the reconfigurable device (e.g. other processes of a user host), as well as unauthorized access by other devices (e.g. other processes of a user host on a computer host) external to that reconfigurable device. Devices can be isolated, for example, by reprogramming the logic that connects a partition to other partitions in the device, reprogramming the interconnect or by asserting/de-asserting signals controlling interface circuits, such as tristate gates, multiplexers, pass gates and/or gate gates. In some cases, isolating configurations allow logic in other partitions to continue operating while a selected partition has been isolated, scrubbed, and cleared.
As used herein, ?clearing? Resetting values in memory or storage elements is done by using the reset functionality of the reconfigurable logical device. Clearing is achieved by applying a configuration to a port on an FPGA. The configuration bitstream will cause the FGPA’s configuration to be reset or in another known state, which prevents the access of previously stored data. In some cases, the configuration bitstream is used to reconfigure only a portion of reconfigurable hardware in the device. In some examples, a FPGA has reset functionality which can be activated by asserting the signals on the FPGA’s I/O. In some examples the act of clearing the reconfigurable device logic can be performed using a specialized bitstream and a partial reconfiguration. Partial reconfiguration allows logic partitions and user partitions to be maintained, as well as supervisor and host partitions. Multiple users can use different parts of a reconfigurable device at the same time. After they are done using their portion, these users can clear and scrub it. While logic is being removed from a partition, other logic and memory devices may continue to function normally.
As used in this document, the term “scrubbing” refers to performing a series of operations with a circuit to erase values stored in memory or storage. Refers to a series operations performed on a circuit in order to erase data stored in the memory or storage elements of the circuit. Data can be erased by writing random values or a set of known values, such as all zeroes or all ones or all of the same pattern (0xdeadbeef) to replace previously stored data in the circuit. In some examples, the scrubbing of the partition can be done by operating the specialized logic within the reconfigurable device and performing partial reconfiguration. Scrubber circuits can send known values to alternate inputs (e.g. data inputs or set/clear/reset inputs), such as latches or flip-flops. This will reset the stored values. Scrubber circuits can perform multiple writes to multiple addresses of a memory or use a set or reset pin to perform the function. The scrubber circuit can use a port on a memory with multiple read ports to write data values known over previously stored values. While logic in a selected partition is being cleaned, logic in other partitions, and their associated memory devices, can continue to function normally.
Typically, users or supervisors are not allowed to access their partitions when isolating the reconfigurable device. However, in some cases, supervisor partitions or user partitions may be configured so that they can have partial access during this action. Clearing and/or scrubbing only a portion or resources of the reconfigurable devices and/or associated resource allows user logic and memory to be maintained in any other user partitions as well as supervisor and host partitions. Multiple users can use different portions of the reconfigurable logic devices at the same time. These users can then have their partitions cleared and scrubbed once they are done using it, such as when terminating a user compute host instance.
As described in this document, a computing facility can include various computing resources. One of these computing resources is a server computer, also known as a host, which includes a configurable platform. A user of the computer can program or configure the configurable platform so that the hardware (e.g. the configurable intelligence) of the computing resources is customized by them. The user could, for example, program the configurable logic to function as a hardware acceleration that is tightly coupled with the server computer. The hardware accelerator, for example, can be accessed via the local interconnect of the server computer, such as an IEEE 802.3 connection or a PCI-Express (PCIe). A user can run an application on a server computer, and the hardware accelerator can perform tasks using PCIe transactions. The latency between the accelerator computer and the server can be reduced by tightly coupling the accelerator computer to the server. This can increase the speed of processing.
The compute service provider can manage computing resources by using software services for the configuration and operation. The compute service provider, for example, can implement a logic repository for ingesting hardware or logic designs of users, generating validated configuration data to configure the configurable platform based upon the application logic created for the user and downloading the configured data as a response to a configuration request for an instance of configurable logic platforms. Configuration data may include circuits to clear and scrub reconfigurable logic components and devices after the use of computer resources has been terminated. The user who developed the logic or the user with a license can request the download. Thus, logic design can be developed by a compute services provider, user, or third-party independent of the user or compute services provider. Users of a compute services provider can, for example, be given access to a marketplace that contains intellectual property (IP), and they can increase the speed of applications by choosing an accelerator in the marketplace.
FIG. FIG. 1 shows a diagram of a computing system 100 that includes a logic repository 110. This service manages configuration data which can be used to configure configurable compute resources. The logic repository service 110 is used to ingest host and application logic in an infrastructure of a computing services provider. It can also be used to generate configuration data from the ingested design, maintain a repository for the ingested design and generated configuration data and provide configuration data for configurable resources within compute resources 120.
The logic repository service can receive an API Request 130 for configuration data to be generated by a configurable platform, like configurable hardware 142 on a server computer. Typically, configurable hardware 142 consists of reprogrammable devices such as Field Programmable Gate Arrays, configurable programmable devices (CPLDs), programmable devices (PLDs), programmable memories (e.g. electrically erasable programmable Read Only Memory (EEPROM) and flash memory). In some examples, all or part of the configurable equipment is one-time programmable. In some examples the logic repository service is implemented entirely or partially using the server 140. In other examples the functionality is implemented by computer resources that are separate from the server.
The API request 130 may be initiated by a developer, or a partner user of ‘the compute services provider. The request 130 may include fields that specify data or metadata about a logic design, a configurable hardware platform (such as the source code for the hardware design), user information, permissions to access the service, and production status. It can also include additional fields that describe information about inputs, outputs and users of logic repository service 110. The request may include, for example, a description of a design, a production state (such a trial or production), the encrypted status of an input or output, a reference for a storage location (such as a source code for the hardware design), the type of input file, the instance type of configurable hardware and a reference for a storage location for an output file. The request can, for example, include a reference a hardware specification specifying application logic (132) to be implemented on the configurable platform. The host logic 134 that will be used by the compute services provider to control the operation of the application when programmed in the configurable hardware is received, for example, from the development team. The specification for the application logic and/or host logic can be a set of files such as source codes, netlists generated by logic synthesis tools, or placed and routed logic gate generated by place and route tools. The source code may be written in a register-transfer logic (RTL), HDL, Open Computing Language (OpenCL), or C.
The compute resources” 120 can include a variety of different types and categories of hardware and software. A resource’s instance type is a way to specify at least some of its hardware and software. Hardware resources include, for example, servers with CPUs of different performance levels, servers with or without coprocessors, servers with or without configurable logic, servers with memory and/or storage capacities and performance varying, and servers that have different levels of networking performance. Examples of software resources include operating systems, applications programs, and driver. A server computer 140 with a CPU 144 communicating with configurable hardware can be an example of a type of instance. The configurable hardware can be programmable such as an FPGA or a programmable logical array (PLA), and a programmable Array logic (PAL), or generic array logics (GAL) for example.
The logic repository 110 can generate configuration information 136 as a response to the API request 130. The generated configuration data can be based upon the application logic and host logic 134. The generated configuration data can contain information that is used to program the configurable hardware so that it can perform the functions specified in the application logic and host logic. The compute services provider, for example, can create the host logic including logic to interface between the CPU and configurable hardware. The host logic 134 could reduce the security and availability risk that the application logic 132 may introduce. In other cases, the application logic can directly communicate with the CPU 144 through an interface such as PCIe Ethernet Infiniband or another suitable interface.
Generating configuration data 136″ can include checking and/or testing the application 132 logic, integrating it into a wrapper logic 134, synthesizing and placing the logic, and/or routing and placing the logic.
Generating configuration data 136″ can include translating and/or compiling source code from the application logic and host logic 134 to data that can then be used to configure or program the configurable hardware. The logic repository service can, for example, integrate the application logic into a wrapper of host logic 134. The application logic can be included in a system that includes both the host logic and the application logic. The integrated system design may be synthesized using a logic-synthesis program to create a system design netlist. The netlist for the instance type specified in the system design can be routed and placed using a program called place and route. The designed placed and routed can be converted into configuration data 136, which can then be used to program configurable hardware 142. The configuration data 136, for example, can be output directly from the place-and-route program.
As an example, the generated data 136 may include a complete bitstream or a partial bitstream that can be used to configure all or part of the configurable logical of an FPGA. This includes isolating and clearing portions of the configurable Logic and Memory and other resources coupled to the integrated circuit containing the FPGA. The logic of an FPGA may be configurable or non-configurable. The configurable logic may include programmable blocks of combinational logic, look-up tables, sequential logic elements, such as latches or flip-flops, programmable clocking and routing resources, programmable RAMs (such a block and distributed random access memory), DSP bitslices (digital signal processing), and programmable pins. Configuration logic (e.g. a configuration port) can be used to load the bitstream into the on-chip memory of configurable logic. The values stored in the on-chip memory can be used to control configurable logic, so that it performs logic functions specified by the bitstream. The configurable logic may also be divided into regions or partitions that can be independently configured. A full bitstream could be used for configuring the configurable regions, while a partial bitstream could be used only to configure a portion. Partial bitstreams can be created for each portion of the FPGA, such as a host logic, first application logic, second application logic, etc. These partial bitstreams can then be downloaded and used independently to program different parts of an FPGA. As the partial bitstreams are independent, the user’s privacy is protected as the detailed knowledge of other parts of the FPGA does not need to be shared. Some examples allow for the encryption of some or all bitstreams. “The non-configurable logic may include macros which perform specific functions within the FPGA such as input/output (SERDES) and gigabit transceivers, analog-to digital converters, memory-control blocks, test-access ports, and configuration-logic for loading configuration data onto configurable logic.
The logic repository service 110 can store the generated configuration data 136 in a logic repository database 150. The logic repository database 150 can be stored on removable or non-removable media, including magnetic disks, direct-attached storage, network-attached storage (NAS), storage area networks (SAN), redundant arrays of independent disks (RAID), magnetic tapes or cassettes, CD-ROMs, DVDs, or any other medium which can be used to store information in a non-transitory way and which can be accessed by the logic repository service 110. Additionally, the logic repository service 110 can be used to store input files (such as the specifications for the application logic 132 and the host logic 134) and metadata about the logic designs and/or the users of the logic repository service 110. The generated configuration data 136 can be indexed by one or more properties such as a user identifier, an instance type or types, a marketplace identifier, a machine image identifier, and a configurable hardware identifier, for example.
The logic repository service can receive an API Request 160 to download configuration information. The request 160, for example, can be generated by a user when they launch or deploy a new instance within the compute resources (e.g. an?F1.small?” instance). The request 160 can be generated, for example, when a user of the compute resources 120 launches or deploys a new instance (e.g. an?F1.small? Another example is that the request 160 may be generated as a response to a query from an application running on an instance. It can be, for instance, requests for clearing and scrubbing reconfigurable code (e.g., by an application logic developer when testing and debugging a new application logic) or requests for terminating an instance. These requests initiate disclosed methods of isolating and cleaning selected portions within the reconfigurable code. The request 160 may include information such as a reference for the source or destination instance, the configuration data that is to be downloaded (e.g. an instance type, marketplace identifiers, machine image identifiers, or configurable hardware identifiers), a user ID, an authorization token and/or any other information necessary to identify the configuration to download and/or authorize access to the data. If the user who requests the configuration is authorized to view the configuration, then the configuration can be retrieved by the logic repository database. Validated configuration data 162 may be downloaded (e.g. Downloading a complete or partial bitstream to the requesting instance can be done (e.g. server computer 140). Validated configuration data 162 may be used to configure configurable logic in the destination instance.
Click here to view the patent on Google Patents.