Protected data accesses using remote copy operations

What is claimed is: 1. A computer-implemented method comprising: a network interface controller selectively transmitting a memory access request to a memory region from a first virtual execution environment of a first tenant as a remote direct memory access (RDMA) over a network by providing selective access to a cryptographic key for use by a memory controller to access the memory region; the network interface controller denying transmission of an RDMA access memory access request to the memory region from a second virtual execution environment of the first tenant based on the second virtual execution environment of the first tenant not having permission to access the memory region; and the network interface controller selectively transmitting a second memory access request to a second memory region from a first virtual execution environment of a second tenant as an RDMA over a network by providing selective access to a second cryptographic key for use by the memory controller to access the second memory region. 2. The method of claim 1 , wherein the network interface controller selectively transmitting the memory access request to the memory region from the first virtual execution environment of the first tenant as the RDMA over the network is based on one or more of: validation of a certificate received with the memory access request and an identifier of the first virtual execution environment associated with access to the memory region. 3. The method of claim 1 , wherein the network interface controller selectively transmitting the memory access request to the memory region from the first virtual execution environment of the first tenant as the RDMA over the network comprises permitting the first virtual execution environment of the first tenant to perform in the memory region one or more of: create, read, update, delete, write, or notify. 4. The method of claim 1 , wherein the memory region comprises a page or sub-page sized region. 5. The method of claim 1 , wherein the network interface controller selectively provides access to at least one sub-region of the memory region to the first virtual execution environment of the first tenant by providing selective access to at least one cryptographic key for use by the memory controller to access the at least one sub-region and the network interface controller selectively provides access to at least one other sub-region of the memory region to the first virtual execution environment of the second tenant by providing selective access to at least one cryptographic key for use by the memory controller to access the at least one other sub-region. 6. The method of claim 5 , wherein access rights associated with sub-regions of the memory region are associated with virtual execution environments of different tenants, and the access rights comprise one or more of: create, read, update, delete, write, or notify. 7. The method of claim 1 , wherein the memory access request comprises a write request and the memory access request is associated with received content and the memory controller is to apply the cryptographic key to encrypt content to write in the memory region. 8. The method of claim 1 , wherein the memory access request comprises a read request and the memory controller is to apply the cryptographic key to decrypt content in the memory region and provide the decrypted content for transmission using the network interface controller to a third memory region accessible to the first virtual execution environment of the first tenant. 9. The method of claim 1 , wherein RDMA is based on one or more of: InfiniBand, Internet Wide Area RDMA Protocol (iWARP), or RDMA over Converged Ethernet (ROCE). 10. The method of claim 1 , comprising: the network interface controller providing the first virtual execution environment of the first tenant with peer-to-peer memory access. 11. The method of claim 1 , wherein the cryptographic key comprises an total memory encryption (MKTME) key. 12. An apparatus comprising: a network interface controller comprising direct copy circuitry and circuitry, wherein the circuitry is configured to: receive a work request associated with a remote direct memory access (RDMA) operation, wherein the work request is associated with a first virtual execution environment of a first tenant; based on the work request being allowed to access a memory region, provide a key to a memory controller to perform cryptographic operation on content in the memory region to carry out the work request; receive a second work request associated with a RDMA operation, wherein the second work request is associated with a first virtual execution environment of a second tenant; based on the second work request being denied access to the memory region, deny access to the key and deny access to the memory region; receive a third work request associated with an RDMA operation to access the memory region, wherein the third work request is associated with a second virtual execution environment of the first tenant; and deny performance of the third work request based on the second virtual execution environment of the first tenant not having permission to access the memory region. 13. The apparatus of claim 12 , wherein the work request is allowed to access a memory region based on one or more of: validation of a certificate received with the work request and the work request being associated with a process associated with the memory region. 14. The apparatus of claim 12 , wherein access the memory region comprises one or more of: create, read, update, delete, write, or notify. 15. The apparatus of claim 12 , wherein access rights associated with sub-portions of the memory region are associated with virtual execution environments of different tenants, and the access rights comprise one or more of: create, read, update, delete, write, or notify. 16. The apparatus of claim 12 , comprising a computing node, wherein the computing node comprises at least one memory associated with the memory region and the memory controller to perform read or writes to the memory region. 17. The apparatus of claim 16 , wherein the work request comprises a write request and the work request is associated with received content and the memory controller is to apply a cryptographic key to encrypt content to write in the memory region. 18. The apparatus of claim 16 , wherein the work request comprises a read request and the memory controller is to apply a cryptographic key to decrypt content in the memory region, and provide the decrypted content for transmission using the network interface controller to a second memory region. 19. The apparatus of claim 12 , comprising one or more of: a server, data center, rack, computing node, an edge network element, or fog network element, wherein the server, the data center, the rack, the computing node, the edge network element, or the fog network element is to execute the first virtual execution environment of the first tenant. 20. The apparatus of claim 12 , wherein the circuitry is to perform authentication of a source of the work request to determine if a virtual execution environment that requested the work request is allowed to access the memory region.