Peripheral device

US11126757B2 · US · B2

Patent metadata

Publication number: US-11126757-B2
Application number: US-201816166047-A
Country: US
Kind code: B2
Filing date: Oct 19, 2018
Priority date: Oct 19, 2018
Publication date: Sep 21, 2021
Grant date: Sep 21, 2021

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

A peripheral device, for use with a host, comprises one or more compute elements, a security module and at least one encryption unit. The security module is configured to form a trusted execution environment on the peripheral device for processing sensitive data using sensitive code. The sensitive data and sensitive code are provided by a trusted computing entity which is in communication with the host computing device. The at least one encryption unit is configured to encrypt and decrypt data transferred between the trusted execution environment and the trusted computing entity via the host computing device. The security module is configured to compute and send an attestation to the trusted computing entity to attest that the sensitive code is in the trusted execution environment.
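The attestation step described in the abstract (and detailed in claims 5 to 7 below) is easiest to follow as two halves: the security module computes a quote over its measured state and signs it, and the trusted computing entity verifies that quote before releasing anything sensitive. The following block is an added example, not the patent's or Microsoft's code. It assumes the quote fields of claim 6 (security-module measurement, debugging mode, host access flag, hash of the encrypted fresh data encryption key), uses a Lamport one-time signature built from SHA-256 as a stand-in for the attestation-key signature so that it runs on the standard library alone, and assumes the attestation public key has already been authenticated through the certificate chain of claim 7. All measurement values and key blobs are constructed for the example.

```python
"""Attestation quote for a peripheral-device TEE, modelled on claims 5-7.

Added example, not the patent's or Microsoft's code. Device side: build the
report and sign the quote with the attestation key (AK). Trusted computing
entity (TCE) side: verify the signature, recompute the quote from the report,
enforce policy on the flags, and check that the encrypted data-encryption key
(DEK) received via the host is the one bound into the signed quote. Signing is
a Lamport one-time signature over SHA-256 (stand-in for the AK signature); the
AK public key is assumed to be authenticated by the chain of claim 7.
"""
import hashlib
import os
import struct


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# --- Lamport one-time signature: stand-in for the attestation-key signature ---
def lamport_keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(sha256(a), sha256(b)) for a, b in sk]
    return sk, pk


def _message_bits(msg: bytes):
    digest = int.from_bytes(sha256(msg), "big")
    return [(digest >> (255 - i)) & 1 for i in range(256)]


def lamport_sign(sk, msg: bytes):
    return [sk[i][bit] for i, bit in enumerate(_message_bits(msg))]


def lamport_verify(pk, msg: bytes, sig) -> bool:
    return len(sig) == 256 and all(
        sha256(sig[i]) == pk[i][bit] for i, bit in enumerate(_message_bits(msg)))


# --- Quote (claim 6): hash of the security module plus the optional fields ---
def compute_quote(sm_measurement: bytes, debug_mode: bool, host_access: bool,
                  encrypted_dek_hash: bytes) -> bytes:
    # Length-prefix every field so that distinct reports never encode alike.
    fields = [sm_measurement, bytes([debug_mode]), bytes([host_access]),
              encrypted_dek_hash]
    return sha256(b"".join(struct.pack(">I", len(f)) + f for f in fields))


def device_attest(ak_sk, sm_measurement, debug_mode, host_access, encrypted_dek):
    """Security module: report the measured state and sign the resulting quote."""
    report = {"sm_measurement": sm_measurement, "debug_mode": debug_mode,
              "host_access": host_access, "encrypted_dek_hash": sha256(encrypted_dek)}
    quote = compute_quote(**report)
    return report, quote, lamport_sign(ak_sk, quote)


def tce_verify(ak_pk, expected_measurement, report, quote, sig, encrypted_dek):
    """TCE: accept only a quote that is signed, consistent with the report,
    policy-clean and bound to the encrypted DEK actually received."""
    if not lamport_verify(ak_pk, quote, sig):
        return False, "signature invalid"
    if compute_quote(**report) != quote:
        return False, "report does not match signed quote"
    if report["sm_measurement"] != expected_measurement:
        return False, "unexpected security module measurement"
    if report["debug_mode"]:
        return False, "debugging mode enabled"
    if report["host_access"]:
        return False, "host access to TEE memory enabled"
    if sha256(encrypted_dek) != report["encrypted_dek_hash"]:
        return False, "encrypted DEK not bound to quote"
    return True, "ok"


def demo():
    """Honest device, a substituted DEK blob, a device in debugging mode, and a
    report edited in transit. Each AK is used once, as Lamport requires."""
    good = sha256(b"constructed security-module firmware image")   # constructed
    dek_blob = b"constructed: fresh DEK encrypted to the TCE public key"
    results = {}

    ak_sk, ak_pk = lamport_keygen()
    report, quote, sig = device_attest(ak_sk, good, False, False, dek_blob)
    results["honest"] = tce_verify(ak_pk, good, report, quote, sig, dek_blob)
    # The host forwards a different key blob: its hash is not the one signed.
    results["swapped_dek"] = tce_verify(ak_pk, good, report, quote, sig, b"other blob")

    ak_sk, ak_pk = lamport_keygen()
    report, quote, sig = device_attest(ak_sk, good, True, False, dek_blob)
    results["debug_enabled"] = tce_verify(ak_pk, good, report, quote, sig, dek_blob)
    # The host clears the flag in transit but cannot re-sign the quote.
    edited = dict(report, debug_mode=False)
    results["edited_report"] = tce_verify(ak_pk, good, edited, quote, sig, dek_blob)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The order of checks matters: the signature is verified before anything in the report is trusted, and the report is only consulted after it has been shown to reproduce the signed quote. Binding the hash of the encrypted DEK into the quote is what lets the TCE detect a host that forwards a key blob other than the one the security module generated.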

First claim

Opening claim text (preview).

The invention claimed is:

1. A peripheral device for use with a host computing device, the peripheral device comprising: one or more compute elements; a security module configured while running in a non-secure mode to form a trusted execution environment on the peripheral device for processing sensitive data using sensitive code by switching from running in the non-secure mode to running in a secure mode, wherein the sensitive data and sensitive code are provided by a trusted computing entity which is in communication with the host computing device; at least one encryption unit configured to encrypt and decrypt data transferred between the trusted execution environment and the trusted computing entity via the host computing device; the security module configured to compute and send an attestation to the trusted computing entity to attest that the sensitive code is in the trusted execution environment.

2. The peripheral device of claim 1 wherein the security module is configured to form the trusted execution environment by switching the peripheral device from the non-secure mode in which access to memory and registers of the peripheral device is possible, into the secure mode in which access to specified memory and specified registers of the peripheral device is disabled.

3. The peripheral device of claim 1 wherein the security module is configured to form the trusted execution environment by switching the peripheral device from the non-secure mode in which access to memory and registers of the peripheral device via a linear address space is possible, into the secure mode in which access to specified memory and specified registers of the peripheral device via the linear address space is disabled.

4. The peripheral device of claim 1 wherein the security module is configured to form the trusted execution environment by switching the peripheral device from the non-secure mode in which access to particular memory or particular registers of the peripheral device is possible, into the secure mode in which access to the particular memory or the particular registers of the peripheral device is disabled.

5. The peripheral device of claim 1 wherein the security module is configured such that, when the peripheral device is in the secure mode, if a request is received from the host for a quote, the security module computes and returns the quote capturing security critical properties of the peripheral device to the host.

6. The peripheral device of claim 1 wherein the security module is configured to compute the attestation by computing a quote which is a hash of: the security module and additionally zero or more of: a debugging mode, a host access flag, a hash of a fresh data encryption key generated by the security module and encrypted using a public key of the trusted computing entity.

7. The peripheral device of claim 1 wherein the security module is configured to compute the attestation by computing a quote comprising a certificate which follows a certificate chain comprising: a quote signed using an attestation key, an attestation key certificate signed by an endorsement key, an endorsement key certificate signed using a root key, a self-signed root endorsement key issuing certificate.

8. The peripheral device of claim 1 wherein the encryption unit comprises a key store, a buffer and an encryption/decryption component.

9. The peripheral device of claim 1 wherein the buffer is configured to intercept and buffer direct memory access requests and responses sent between the trusted execution environment and the host.

10. The peripheral device of claim 9 wherein the buffer is configured, when it intercepts a direct memory access write request, to extract an initialization vector from the direct memory access write request and use the initialization vector to retrieve an encryption key from the key store.

11. The peripheral device of claim 10 wherein the buffer is configured to route a payload of the direct memory access write request, together with the initialization vector and the retrieved encryption key, to an encryption/decryption component.

12. The peripheral device of claim 1 formed as a package wherein the security module is on-die with the one or more compute elements, or off a die of the one or more compute elements.

13. The peripheral device of claim 1 formed as a plurality of connected packages.

14. The peripheral device of claim 1 wherein the encryption unit has a plurality of keys so as to encrypt different data streams with different keys, and where the encryption unit is provisioned with the plurality of keys using a key exchange process.

15. The peripheral device of claim 14 wherein the security module is configured to isolate resources of the peripheral device to create secure channels on the peripheral device, and where different encryption keys are used for different secure channels.

16. The peripheral device of claim 14 wherein the security module is configured to compute, as part of the key exchange process, a quote containing a measurement of a plurality of public keys, the public keys having been specified by the host computing device.

17. The peripheral device of claim 16 wherein the security module is configured to receive encrypted private keys from an entity which has verified the quote.

18. The peripheral device of claim 1 wherein the at least one encryption unit and the trusted computing entity are configured to use an encryption protocol which encrypts blocks of data, each block being encrypted using a pair comprising a key and an initialization vector, and where the encryption unit and the trusted computing entity agree to use each initialization vector only once with a given key; and wherein the initialization vectors are computed from a parameterized function known to the encryption unit and the trusted computing entity.

19. A peripheral device for use with a host computing device, the peripheral device comprising: one or more compute elements; a security module configured while running in a non-secure mode to form a trusted execution environment on the peripheral device for processing sensitive data using sensitive code by switching from running in the non-secure mode to running in a secure mode, wherein the sensitive data and sensitive code are provided by a trusted computing entity which is in communication with the host computing device; at least one encryption unit configured to encrypt and decrypt data transferred between the trusted execution environment and the trusted computing entity via the host computing device; the encryption unit configured to use an encryption protocol where initialization vectors are computed from a parameterized function known to the encryption unit and the trusted computing entity.

20. A data center comprising: a plurality of compute nodes, each compute node comprising a host computing device having at least one peripheral device, the peripheral device comprising: one or more compute elements; a security module configured while running in a non-secure mode to form a trusted execution environment on the peripheral device for processing sensitive data using sensitive code by switching from running in the non-secure mode to running in a secure mode, wherein the sensitive data and sensitive code are provided by a trusted computing entity which is in communication with the host computing device; at least one encryption unit configured to encrypt and decrypt data transferred between the trusted execution environment and the trusted computing entity via
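Claims 8 to 11 describe the encryption unit as a key store, a buffer that intercepts DMA traffic and an encryption/decryption component, and claims 18 and 19 add the rule that a (key, initialization vector) pair is used only once, with the IVs coming from a parameterized function both sides know. The block below is an added example, not the patent's or Microsoft's code, showing those parts working together on a single DMA write. Its assumptions: the IV function is `stream_id || counter` packed into 12 bytes, the IV is carried in the request header so the buffer can use it to select the key (claim 10), and the cipher is a SHA-256 keystream with an HMAC-SHA256 tag, a stand-in for an AEAD such as AES-GCM chosen so the block runs on the standard library alone; it shares the property that makes IV reuse under one key fatal. Stream ids, keys and payloads are constructed.

```python
"""Encryption unit between a peripheral-device TEE and the host, modelled on
claims 8-11 and 18-19. Added example, not the patent's or Microsoft's code.

A DMA write leaving the TEE carries its IV in a 12-byte header. The buffer
extracts the IV, uses the stream id inside it to fetch the key from the key
store, refuses any (key, IV) pair already consumed, and only then hands the
payload, IV and key to the encryption/decryption component. The TCE recomputes
the IV it expects from the shared parameterized function instead of trusting
the header. The cipher below is a SHA-256 keystream plus HMAC tag, standing in
for an AEAD such as AES-GCM (assumption of this example).
"""
import hashlib
import hmac
import struct

IV_LEN = 12   # 4-byte stream id + 8-byte counter (constructed layout)
TAG_LEN = 32


def iv_function(stream_id: int, counter: int) -> bytes:
    """Parameterized IV function known to both sides (claim 19)."""
    return struct.pack(">IQ", stream_id, counter)


class KeyStore:
    """Keys provisioned per data stream by the key exchange of claim 14."""

    def __init__(self):
        self._keys = {}

    def provision(self, stream_id: int, key: bytes):
        self._keys[stream_id] = key

    def key_for_iv(self, iv: bytes):
        # Claim 10: the IV itself selects the key, via the stream id it encodes.
        stream_id = struct.unpack(">I", iv[:4])[0]
        return self._keys.get(stream_id)


def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    blocks = (length + 31) // 32
    return b"".join(hashlib.sha256(key + iv + struct.pack(">I", i)).digest()
                    for i in range(blocks))[:length]


def crypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Encryption/decryption component: XOR with the per-(key, IV) keystream."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, iv, len(data))))


def auth_tag(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    return hmac.new(key, iv + ciphertext, hashlib.sha256).digest()


class EncryptionUnit:
    def __init__(self, key_store: KeyStore):
        self.key_store = key_store
        self.used = set()   # (key, iv) pairs already consumed (claim 18)

    def handle_dma_write(self, request: bytes) -> bytes:
        """Buffer: intercept a DMA write from the TEE and encrypt its payload."""
        iv, payload = request[:IV_LEN], request[IV_LEN:]
        key = self.key_store.key_for_iv(iv)
        if key is None:
            raise PermissionError("no key provisioned for this stream")
        if (key, iv) in self.used:
            raise ValueError("IV already used with this key; request dropped")
        self.used.add((key, iv))
        ciphertext = crypt(key, iv, payload)
        return iv + ciphertext + auth_tag(key, iv, ciphertext)


def tce_receive(key: bytes, stream_id: int, counter: int, message: bytes) -> bytes:
    """TCE: recompute the expected IV, check the tag, then decrypt."""
    iv = iv_function(stream_id, counter)
    if message[:IV_LEN] != iv:
        raise ValueError("IV in message does not match expected counter")
    ciphertext, tag = message[IV_LEN:-TAG_LEN], message[-TAG_LEN:]
    if not hmac.compare_digest(tag, auth_tag(key, iv, ciphertext)):
        raise ValueError("authentication tag mismatch")
    return crypt(key, iv, ciphertext)


def demo():
    store = KeyStore()
    key = hashlib.sha256(b"constructed key for stream 7").digest()   # constructed
    store.provision(7, key)
    unit = EncryptionUnit(store)
    results = {}
    message = unit.handle_dma_write(iv_function(7, 0) + b"sensitive result from the TEE")
    results["roundtrip"] = tce_receive(key, 7, 0, message)
    try:   # a second write re-using counter 0 on the same stream
        unit.handle_dma_write(iv_function(7, 0) + b"another payload")
        results["reuse_rejected"] = False
    except ValueError:
        results["reuse_rejected"] = True
    try:   # a stream with no provisioned key
        unit.handle_dma_write(iv_function(9, 0) + b"payload")
        results["unknown_stream_rejected"] = False
    except PermissionError:
        results["unknown_stream_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

Keeping the used-IV set inside the encryption unit, rather than trusting the TEE-side code that builds the request, is what enforces the "each IV only once with a given key" agreement of claim 18 at the boundary where the data actually leaves the trusted environment; with a keystream cipher, two payloads encrypted under the same (key, IV) would otherwise leak their XOR.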

Assignees

Microsoft Technology Licensing LLC

Inventors

Classifications

  • using certificate chains, trees or paths; Hierarchical trust model · CPC title

  • using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates · CPC title

  • Protecting data integrity, e.g. using checksums, certificates or signatures · CPC title

  • G06F21/602 (primary) · Providing cryptographic facilities or services · CPC title

  • G06F21/57 (primary) · Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US11126757B2 cover?
A peripheral device, for use with a host, comprises one or more compute elements, a security module and at least one encryption unit. The security module is configured to form a trusted execution environment on the peripheral device for processing sensitive data using sensitive code. The sensitive data and sensitive code are provided by a trusted computing entity which is in communication with t…
Who is the assignee on this patent?
Microsoft Technology Licensing LLC
What technology area does this patent fall under?
Primary CPC classification G06F21/602. Mapped technology areas include Physics.
When was this patent published?
Publication date Sep 21, 2021 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).