AMD Blog:
As GPUs dominate AI and machine learning workloads, security has become a critical priority.
The explosive growth of AI has fueled a booming market for data center GPUs. According to the Futurum Group, “The GPU market accounted for 74% of chipsets used in AI applications within data centers and is forecasted to grow by 30% CAGR over the next five years.” By 2028, the GPU market is projected to reach $102 billion, a sharp rise from $28 billion in 2023. This rapid expansion raises an important question: How secure are the GPUs powering our AI workloads?
Nathan Nadarajah, Senior Fellow and Security Architect at AMD, recently sat down with me to answer some questions about GPU security. In his two decades with the company, Nadarajah has worked on GPU drivers, GPU firmware and security firmware, and his expertise spans both the use of GPUs in enterprise data centers and in consumer gaming workstations.
Q: How have the challenges of GPU security changed over time?
Nadarajah: Early GPUs were designed with a focus on performance, especially for graphics and gaming. Security wasn’t a primary concern. In the early 2000s, GPUs began handling video decoding and post-processing for high-definition media like Blu-ray. Protecting valuable digital assets against unauthorized use introduced the need for security through digital rights management (DRM).
Next came the use of GPUs in data centers for cloud gaming, virtual desktop infrastructure (VDI), and high-performance computing. GPU virtualization became essential for sharing resources in multi-user environments and isolating workloads. AMD led the way as the first GPU vendor to support the PCIe virtualization standard, Single Root I/O Virtualization (SR-IOV).
With the rise of AI, GPUs became the go-to accelerators for these workloads. AI brought new security challenges, such as protecting AI models and safeguarding data processed within GPUs. In public cloud environments, workloads must be isolated to maintain data privacy and meet regulatory compliance.
Confidential computing has since emerged as a crucial solution. AMD Instinct™ accelerators are advancing GPU confidential computing capabilities, building on our expertise in virtualization. From gaming to digital rights management, data center virtualization, and now confidential AI, GPU security has become a first-class requirement.
Q: Why is confidentiality so important for AI applications?
Nadarajah: AI models represent a significant investment for corporations and developers, making them valuable assets. Protecting these models from theft, reverse engineering, and unauthorized modifications is critical. Ensuring the integrity of AI models and their operation is equally important.
Q: What are the top considerations in GPU security?
Nadarajah: Security starts with the foundations:
- Establishing a trusted execution environment by booting the device securely from power-on.
- Ensuring supply chain security to verify the authenticity of devices.
- Adhering to industry standards and contributing to their development.
Another key focus is assurance. At AMD, we implement a secure development lifecycle (SDL) from design to release. This includes threat modeling to anticipate potential attacks and building countermeasures during the design phase.
Q: What recommendations or tips do you have for people to maximize GPU security?
Nadarajah: Always follow security best practices.
- Stay updated. Always use the latest drivers and firmware.
- Follow configuration guides. For integrators, adhere to AMD-published guidelines for secure systems.
- Upgrade hardware. Newer GPUs typically offer advanced security features for both consumer and commercial applications.
Q: What does AMD do to address security challenges in GPUs?
Nadarajah: At AMD, we design security in from the ground up. Key technologies such as silicon Root of Trust, virtualization, and confidential computing are central to our strategy.
We’ve enhanced our security development lifecycle (SDL) practices with AMD company-wide threat modeling initiatives. By identifying and mitigating threats during design, we raise the security bar for our GPUs.
Transparency is another priority. We engage third-party reviewers through frameworks like Open Compute Project (OCP) S.A.F.E. to validate the robustness of our hardware and firmware against potential threats.
Q: Does all this security come with a cost to performance?
Nadarajah: Security isn’t free, but designing it alongside performance requirements can minimize trade-offs. Pre-silicon emulation and modeling help us optimize security without compromising performance.
Q: If there's one key takeaway on GPU security, what would it be?
Nadarajah: If you’re working with GPUs, adopt a curious mindset. Explore, experiment, and learn. Security is a journey, and there's no substitute for hands-on experience.
For more information about how AMD designs security into GPUs and its other products, visit https://www.amd.com/en/resources/product-security.html.
Source:
Helping Secure the GPUs That Advance AI