Confidential verification of FPGA code

The invention claimed is: 1. An apparatus for encrypting code for an accelerator, the apparatus comprising: one or more electronic memory to store the code received from a user computing device, a code encryption key, and a policy; and a policy trusted execution environment (TEE) configured to: receive the policy from a cloud service provider (CSP) computing device, wherein the policy includes a plurality of policy requirements used to determine whether to configure the accelerator using the code, wherein the policy includes a timing requirement that includes limiting the code from creating at least one of timing loops or ring oscillators; receive the code and the code encryption key from the user computing device; determine whether the code fulfills the plurality of policy requirements; encrypt and integrity protect the code using the code encryption key based on a determination that the code fulfills the plurality of policy requirements; and provide the encrypted and integrity protected code to an accelerator loader to configure the accelerator using the code based on a determination that the code fulfills the plurality of policy requirement, the accelerator loader to (i) utilize a public key received from the CSP to determine if a signature of the encrypted and integrity protected code is valid, and (ii) decrypt and load the encrypted and integrity protected code in the accelerator if the signature is valid. 2. The apparatus of claim 1 , wherein the policy includes at least one of a slot limitation that defines a set of resources on the accelerator to which the code has access, an amount of accelerator resources the code is allowed to use, a physical bounding box for the code to utilize, and an amount of power that the code is allowed consume. 3. The apparatus of claim 1 , wherein the policy includes at least one of: lookup tables (LUTs) limitations; memory region limitations; and input/output limitations. 4. The apparatus of claim 3 , wherein the policy includes at least one of: configuration patterns limitations; logical function limitations; maximum clock frequency limitations; and maximum power consumption limitations that are based on one of estimation, simulation, and test executions. 5. The apparatus of claim 1 , wherein the policy TEE is further to: if the code fulfills the plurality of policy requirements, sign the encrypted and integrity protected code using a private signing key provided by the CSP computing device; and if the code does not fulfill the plurality of policy requirements, abstain from signing the encrypted and integrity protected code. 6. The apparatus of claim 1 , wherein the policy TEE is further to, when the code does not fulfill the plurality of policy requirements, notify the user computing device that the code does not fulfill the plurality of policy requirements. 7. The apparatus of claim 1 , wherein the policy TEE is further to perform an attestation procedure with the CSP computing device to ensure enforcement of the policy based on the determination whether the code fulfills the plurality of policy requirements. 8. The apparatus of claim 7 , wherein the policy TEE is further to establish a secure connection with the CSP computing device. 9. The apparatus of claim 8 , wherein the policy and a private signing key are received via the secure connection with the CSP computing device. 10. The apparatus of claim 9 , wherein a signing key is generated by the policy TEE and a public portion of the signing key is provided to the CSP computing device. 11. The apparatus of claim 8 , wherein the policy TEE is further to establish the secure connection are further configured to establish the secure connection using a sigma protocol or a Diffie-Hellman protocol. 12. The apparatus of claim 8 , wherein the policy TEE is further to encrypt and authenticate messages transferred utilizing the secure connection. 13. The apparatus of claim 12 , wherein encryption and authentication are performed using an advanced encryption standard in galois/counter mode (AES-GCM). 14. The apparatus of claim 1 , wherein the policy TEE is further to perform an attestation procedure with the user computing device to ensure that the code and the code encryption key will not be released to the CSP computing device. 15. The apparatus of claim 14 , wherein the policy TEE is further to perform attestation are also configured to establish a secure connection with the user computing device. 16. The apparatus of claim 15 , wherein the code is received via the secure connection with the user computing device. 17. The apparatus of claim 15 , wherein the policy TEE is further to establish the secure connection using one of a sigma protocol and a Diffie-Hellman protocol. 18. The apparatus of claim 15 , wherein the policy TEE is further to encrypt and authenticate messages transferred utilizing the secure connection. 19. The apparatus of claim 14 , wherein the policy TEE is further to receive the code and the code encryption key from the user computing device. 20. The apparatus of claim 1 , wherein the policy TEE is an SGX enclave. 21. The apparatus of claim 1 , wherein the accelerator is at least one of a field programmable gate array (FPGA), a graphics accelerator, a graphical processing unit, and a machine learning accelerator. 22. A computer-readable storage medium comprising instructions that, when implemented by a field programmable gate array (FPGA) loader, cause the FPGA loader to at least: store code received from a user computing device, a code encryption key, and a policy; receive the policy from a cloud service provider (CSP) computing device, wherein the policy includes a plurality of policy requirements used to determine whether to configure an accelerator using the code, wherein the policy includes a timing requirement that includes limiting the code from creating at least one of timing loops or ring oscillators; receive the code and the code encryption key from the user computing device; determine whether the code fulfills the plurality of policy requirements; encrypt and integrity protect the code using the code encryption key based on a determination that the code fulfills the plurality of policy requirements; and provide the encrypted and integrity protected code to an accelerator loader to configure the accelerator using the code based on a determination that the code fulfills the plurality of policy requirement, the accelerator loader to (i) utilize a public key received from the CSP to determine if a signature of the encrypted and integrity protected code is valid, and (ii) decrypt and load the encrypted and integrity protected code in the accelerator if the signature is valid. 23. The computer-readable storage medium of claim 22 , wherein the policy includes at least one of a slot limitation that defines a set of resources on the accelerator to which the code has access, an amount of accelerator resources the code is allowed to use, a physical bounding box for the code to utilize, and an amount of power that the code is allowed consume. 24. The computer-readable storage medium of claim 23 , wherein the policy includes at least one of: lookup tables (LUTs) limitations; memory region limitations; and input/output limitations. 25. The computer-readable storage medium of claim 24 , wherein the policy includes at least one of: configuration patterns limitations; logical function