GPU Support in Edera

How do GPUs work with Edera?

Edera provides GPUs inside a zone with driver isolation, allowing the GPU driver to run outside of the host OS. GPUs in Edera can come from any vendor and follow standard GPU workflows. Support also extends to TPUs and DPU-style devices. Edera supports multiple GPU access methods, each with different requirements and tradeoffs:


GPU Partitioning

This is the most secure method for multi-tenant use cases. It creates subsections of GPU resources using supported hardware features (often referred to as Multi-instance GPUs) and passes them to the individual zones that need them.

Edera goes a step further than the base system by wiping subsets of GPU memory that are returned to the system, ensuring that data does not leak outside the GPU.

  • Requires an entire GPU (not already a partition).
  • Needs a hardware or paravirtualized IOMMU to isolate memory access.

Paravirtual GPUs

This is the most flexible method and works with any GPU configuration. It provides access via a virtual GPU interface (e.g., DRM/DRI card), proxying requests from the container zone to a driver zone.

All ioctl calls and memory mappings are securely forwarded. This method is ideal when only a portion of a GPU is available, and integrates seamlessly with CUDA and similar technologies without modification.

  • Similar in spirit to nvproxy (but more performant).
  • Does not require a hardware or paravirtualized IOMMU.
  • Memory pages are cleared after use to prevent tenant data leakage.

Whole GPU Passthrough

In this approach, an entire GPU is passed directly to a zone using standard hardware passthrough techniques.

  • Works with paravirtualized or hardware IOMMUs.
  • Useful in single-tenant or high-performance scenarios where partitioning isn’t desired.
  • Delivers full GPU access and isolation per workload.

What is a paravirtualized IOMMU?

Edera can provide a paravirtualized IOMMU to zones. This takes the host IOMMU and passes it through to paravirtualized zones, enabling restriction of device memory access where possible.

Note that this still requires a hardware IOMMU to be available on the root system. However, with a paravirtualized IOMMU, you can utilize paravirtual (non-hardware-virtualized) VMs with GPU devices while maintaining strong memory isolation guarantees.
