Intel® Confidential Compute for PyTorch*
High-level security with no code modifications and no impact to functionality
This offer delivers the necessary tools to build a confidential compute image for PyTorch. The resulting image can be used for privacy preserving machine learning applications based on PyTorch. The image can be started on any Azure machine supporting Intel® SGX – a Confidential Computing solution. Without impacting the functionality of PyTorch, this offer uses Confidential Computing to bring the following security benefits to PyTorch:
- Data protection: All input data and models are encrypted on disk, in main memory, and on the bus to the CPU; hardware-based access controls permit only PyTorch to access the plaintext data inside the CPU.
- Application Isolation: No other software on the system, e.g., the operating system, hypervisor, and firmware, has access to the processed data. Physical attacks, e.g., cold-boot attacks on RAM, are also mitigated, as an attacker would only obtain encrypted data.
- Attestation: The attestation feature can be used to prove to a third party that the expected PyTorch application code and data are running, that the software is executed on specific Confidential Computing hardware, and that the hardware is patched to a specific level.
- Strict Trust Boundaries: The protections offered by Confidential Computing significantly reduce the attack surface for internal and external attackers. Not even the cloud provider can get access to the stored and processed data.
This offer uses the open-source project Gramine to convert an unprotected PyTorch image into an SGX-protected image. In general, Gramine can convert unmodified applications into SGX-protected applications without the effort of manually porting the application to the SGX environment. Multiple Intel-curated confidential compute applications protected by Gramine are available in the Azure Marketplace. Beyond these prepared applications, Gramine can be used to convert dockerized applications into SGX-protected applications with little effort, and with minor effort any regular Linux application can be protected by Gramine.
Click the “Get It Now” button on this page to build and run a Gramine-protected version of the PyTorch Docker image in 15 minutes.