Introduction

Modelyo Pro offers a highly secure, confidential GPU-based cloud computing platform designed to protect sensitive data while leveraging cloud scalability. With a strong focus on meeting confidentiality requirements, Modelyo Pro allows organizations to process classified data securely in untrusted cloud environments. This document outlines the architecture, operational capabilities, security measures, deployment strategies, and success criteria for Modelyo Pro.

Architecture

Modelyo Pro comprises several components:

• GCP: Provides the physical infrastructure for executing user payloads. This infrastructure is equipped with GPUs and runs multiple virtual machines.
• Modelyo Pro Image: Deployed on a virtual machine which leverages Intel TDX for isolation and attestation. The GPUs attest to the TDX VM. During the attestation process, a shared secret key is established, which is used to create a secure communication channel between the GPU and the TDX VM.
• Modelyo Tool: A command-line utility that enables users to communicate with the rest of Modelyo Pro. During its first execution, the tool establishes trust with Modelyo Pro components and assumes ownership over them. During subsequent executions, the tool can be used to schedule docker containers for execution, performing input, output, and monitoring.
• Modelyo Certificate Authority (CA): Runs inside an SGX enclave. The TDX VM attests to the CA, and after a successful attestation, the CA issues certificates for them. Each communication channel is assigned with a server-side certificate and a client-side certificate.

Operation

Modelyo Pro’s operations are driven by the Modelyo tool, which manages cryptographic operations and container orchestration after initial attestation.

The process includes:

• Initial Attestation: Validates the CA and TDX VM through a two-step process to establish secure channels.
• Container Management: Allows users to load, create, run, stop, and delete containers remotely, with all interactions encrypted.
• Encryption and Cryptography: The CA serves as a key management service, providing symmetric keys for secure data processing.

Attestation

The attestation process is critical for establishing trust in Modelyo Pro. It involves validating the certificate authority in a trusted enclave and TDX virtual machines before enabling operations. The Modelyo tool performs this attestation, obtaining necessary certificates for secure communication.

The attestation procedure is performed in two steps:

1. CA Attestation:
   • The Modelyo tool requests the CA to provide a CPU-signed quote bound to the CA’s SSL certificate.
   • After validating the quote, the Modelyo tool stores the certificate, which is then used for all further communication between the tool and the CA.
   • Next, over the protected channel, the tool requests ownership of the CA. The CA will accept only the first such request; subsequent requests will be denied.
   • In response, the CA transmits client-side certificates to the tool, which are stored locally and are used in further communication between the tool and the CA. The CA will deny access from clients who fail to authenticate using an appropriate client-side certificate.
2. TDX VM Attestation:
   • After completing the CA attestation, the tool requests the public part of the TDX VM server-side certificate.
   • The tool uses this certificate to verify the SSL channel between the tool and the TDX VM.
   • Using this channel, the tool requests ownership of the TDX VM, which replies with the client-side certificates, which are stored locally and are used in further communication between the tool and the TDX VM.

The following command performs the attestation procedure:

$ modelyo attest

After running the command, the following files will be stored in the current directory:

File	Purpose	Channel
ca.pem	Server public key	Tool <-> CA
ca_client.pem	Client public key	Tool <-> CA
ca_client.key	Client private key	Tool <-> CA
tdx_ca.pem	Server public key	Tool <-> TDX VM
tdx_client.pem	Client public key	Tool <-> TDX VM
tdx_client.key	Client private key	Tool <-> TDX VM

Containers

Modelyo Pro supports remote container execution in isolated environments. Containers are securely loaded, created, and executed using the Modelyo tool, allowing efficient resource usage while ensuring data confidentiality. Docker-based container management facilitates streamlined operations across virtualized GPUs.

Modelyo Pro provides means for executing containers on a remote trusted environment. Before running the container, it must be built and exported. This can be done using the docker tool, for example:

$ docker build -t my_image . $ docker save my_image -o my_image.tar

These steps produce the my_image.tar file which contains all the layers needed to run the docker container. To run the docker container remotely, first its base image must be loaded using the docker load command:

$ modelyo docker load -f my_image.tar

After loading the image, a container can be created based on this image using the docker create command:

$ modelyo docker create -i my_image -n my_container

Next, the container can be scheduled for execution using the docker run command:

$ modelyo docker run my_container

Finally, the container can be stopped and removed using the docker stop and docker delete commands:

$ modelyo docker stop my_container $ modelyo docker delete my_container

Cryptography

Modelyo CA serves as a key management solution for encryption, generating keys during initialization and securing file transfers. This setup ensures that encryption/decryption requests from the containerized environment are managed in a secure enclave. The system supports directory-level encryption for storing files in untrusted environments.

Modelyo CA acts as a key management service, issuing symmetric keys for file encryption. This service is provided to the TDX VM in response to a successful attestation and to the Modelyo tool, which possesses the appropriate client-side certificate. The file encryption keys are derived from the master key, generated during the initialization of Modelyo CA.

Encrypting all files in a directory can be done using the encrypt command:

$ modelyo encrypt my_plain/ my_encrypted/

Decryption can be done using the decrypt command:

$ modelyo decrypt my_encrypted/ my_plain/

After encrypting the files, they can be stored in an untrusted storage. A typical operation mode of a docker container is:

1. Download an encrypted file from the untrusted storage
2. Decrypt the file
3. Process the plain file
4. Encrypt the result
5. Upload the encrypted result to the untrusted storage

After the files are processed, the results can be downloaded from the untrusted storage and decrypted using the Modelyo tool.

The docker container requests encryption and decryption of files using a pseudo file system available in each container scheduled in Modelyo Pro:

Path	Purpose
/modelyo/enc_in	File to be encrypted should be put here
/modelyo/enc_out	The encrypted file will appear here
/modelyo/dec_in	File to be decrypted should be put here
/modelyo/dec_out	The decrypted file will appear here

Security and Confidentiality

Modelyo Pro prioritizes confidentiality by leveraging SGX, TDX, and advanced attestation mechanisms to secure data across multiple stages of processing. The system enforces zero-trust principles, minimizing attack surfaces by reducing OS dependencies and isolating all operations at the hardware level. Key security components include:

• Trusted Enclave and TDX Integration: Provides a highly secure, hardware-backed encryption for data in use.
• Hardened Protocols: Enhances security beyond standard cloud provider solutions.
• Cross-Cloud Flexibility: Ensures high availability and redundancy by distributing workloads across trusted cloud infrastructures.

Usage Scenarios and Edge Capabilities

Modelyo’s edge capabilities allow for executing workloads in geographically distributed clouds while retaining high security. This model is ideal for industries with strict compliance requirements. The system offers flexible deployment options to support cross-cloud and air-gapped environments. Through a robust attestation process, Modelyo can enable trusted data processing in diverse settings.