Platform as a service cloud server and multi-tenant operating method thereof
US-2019158575-A1 · May 23, 2019 · US
US11895201B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11895201-B2 |
| Application number | US-202016832593-A |
| Country | US |
| Kind code | B2 |
| Filing date | Mar 27, 2020 |
| Priority date | Mar 27, 2020 |
| Publication date | Feb 6, 2024 |
| Grant date | Feb 6, 2024 |
Official abstract text for this publication.
A multitenancy system that includes a host provider, a programmable device, and multiple tenants is provided. The host provider may publish a multitenancy mode sharing and allocation policy that includes a list of terms to which the programmable device and tenants can adhere. The programmable device may include a secure device manager configured to operate in a multitenancy mode to load a tenant persona into a given partial reconfiguration (PR) sandbox region on the programmable device. The secure device manager may be used to enforce spatial isolation between different PR sandbox regions and temporal isolation between successive tenants in one PR sandbox region.
Opening claim text (preview).
What is claimed is:
1. An integrated circuit, comprising: a static region; a first partial reconfiguration (PR) sandbox region configured using a first tenant workload; a second partial reconfiguration (PR) sandbox region configured using a second tenant workload; and a secure device management (SDM) circuit configured to: validate one or more configuration bitstreams comprising the first and second tenant workloads at the integrated circuit during runtime; and provide spatial isolation between the first and second PR sandbox regions by preventing the first and second tenant workloads from interfering with each other.
2. The integrated circuit of claim 1, wherein the first tenant workload comprises a partial reconfiguration region mask that defines a scope of configuration, and wherein the first PR sandbox region is configured using the partial reconfiguration region mask.
3. The integrated circuit of claim 2, wherein the partial reconfiguration region mask is implemented as a logic AND mask.
4. The integrated circuit of claim 2, wherein the first tenant workload further comprises a partial reconfiguration persona mask that defines a content of configuration, and wherein the first PR sandbox region is further configured using the partial reconfiguration persona mask.
5. The integrated circuit of claim 4, wherein the partial reconfiguration persona mask is implemented as a logic OR mask.
6. The integrated circuit of claim 1, further comprising: programmable logic resources that are assigned to either the static region or one of the first and second PR sandbox regions.
7. The integrated circuit of claim 1, further comprising: a routing connection coupling the first PR sandbox region to the second PR sandbox region, wherein the routing connection is assigned to either the static region or one of the first and second PR sandbox regions.
8. The integrated circuit of claim 1, further comprising: a hard functional block that is assigned either to the static region or one of the first and second PR sandbox regions.
9. The integrated circuit of claim 8, wherein the hard functional block comprises a block selected from the group consisting of: a random-access memory (RAM) block and a digital signal processing (DSP) block.
10. The integrated circuit of claim 1, further comprising: an additional padding area that surrounds the first and second PR sandbox regions and that is configured to mitigate electrical interference between the first and second PR sandbox regions.
11. The integrated circuit of claim 1, wherein the SDM circuit is further configured to provide temporal isolation between successive tenant workloads occupying the first and second PR sandbox regions.
12. The integrated circuit of claim 11, wherein the SDM circuit ensures the temporal isolation by using a clearing persona to clear out residual data when changing tenant workloads at either the first or second PR sandbox regions.
13. The integrated circuit of claim 11, wherein the SDM circuit ensures the temporal isolation by preventing the integrated circuit from entering a debug mode or returning back to a single-user operation.
14. The integrated circuit of claim 1, wherein the first PR sandbox region has a first unique identifier, and wherein the second PR sandbox region has a second unique identifier.
15. The integrated circuit of claim 1, wherein the SDM circuit is further configured to monitor usage status and statistics for the first and second PR sandbox regions.
16. A method of operating an integrated circuit, comprising: receiving a multitenancy mode sharing and allocation policy from a host platform provider; configuring a plurality of partial reconfiguration (PR) sandbox regions on the integrated circuit using a base static image in the received multitenancy mode sharing and allocation policy; and allocating resources of the integrated circuit among the plurality of PR sandbox regions using boundaries defined by the base static image to provide spatial isolation between the plurality of PR sandbox regions.
17. The method of claim 16, further comprising: determining whether a prospective tenant is authorized using a verification certificate of the prospective tenant.
18. The method of claim 16, further comprising: receiving a PR sandbox workload from a tenant; and checking the received PR sandbox workload against one or more terms in the multitenancy mode sharing and allocation policy.
19. The method of claim 18, wherein checking the received PR sandbox workload against one or more terms in the multitenancy mode sharing and allocation policy comprises comparing a region mask in the PR sandbox workload of the tenant to a partial reconfiguration region whitelist in the multitenancy mode sharing and allocation policy.
20. The method of claim 18, further comprising: after checking the received PR sandbox workload against one or more terms in the multitenancy mode sharing and allocation policy, loading a tenant persona into a selected one of the PR sandbox regions using a persona mask in the PR sandbox workload.
21. The method of claim 16, further comprising: operating the integrated circuit in a multitenancy mode that ensures temporal isolation between tenants running on the plurality of PR sandbox regions on the integrated circuit by: determining whether a new tenant is replacing a prior tenant in a given one of the PR sandbox regions; and in response to determining that the new tenant is replacing the prior tenant in the given one of the PR sandbox regions, performing a safe unload operation by loading in a clear persona associated with the prior tenant and clearing residual data from the prior tenant.
22. A system, comprising: a cloud service provider configured to define a multitenancy mode contract; a programmable integrated circuit that is configured using a base static image in the multitenancy mode contract; and a tenant operable to receive device configuration information from a secure device manager running on the programmable integrated circuit and upload a tenant workload into a selected one of a plurality of partial reconfiguration regions on the programmable integrated circuit, wherein the secure device manager uses the multitenancy mode contract to determine whether the tenant is allowed to upload its tenant workload into the selected one of the plurality of partial reconfiguration regions.
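An added example, not code from the patent: a minimal C model of the region-mask/whitelist check and persona load in claims 2 to 5 and 19 to 20, plus the clearing persona of claims 12 and 21. The bit-level semantics (a 0 bit in the AND mask marks a bit in scope, a 1 bit in the whitelist marks a bit owned by the tenant's sandbox), the two-word configuration memory and all names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#define CFG_WORDS 2 /* constructed two-word configuration memory */

/* Hypothetical workload layout (assumption, not taken from the patent). */
struct pr_workload {
    uint64_t region_mask[CFG_WORDS];  /* AND mask: 0 bit = bit is in scope */
    uint64_t persona_mask[CFG_WORDS]; /* OR mask: 1 bit = content to set */
};

/* 1 if every bit the workload can change is a whitelisted (1) sandbox bit. */
int pr_workload_allowed(const struct pr_workload *w, const uint64_t *whitelist)
{
    for (size_t i = 0; i < CFG_WORDS; i++) {
        uint64_t touched = ~w->region_mask[i] | w->persona_mask[i];
        if (touched & ~whitelist[i])
            return 0;
    }
    return 1;
}

/* Validate, then cfg = (cfg AND region_mask) OR persona_mask; -1 = rejected. */
int pr_load(uint64_t *cfg, const struct pr_workload *w, const uint64_t *whitelist)
{
    if (!pr_workload_allowed(w, whitelist))
        return -1; /* cfg is left untouched */
    for (size_t i = 0; i < CFG_WORDS; i++)
        cfg[i] = (cfg[i] & w->region_mask[i]) | w->persona_mask[i];
    return 0;
}

/* Clearing persona: scope is the whole sandbox, content is all zeros. */
struct pr_workload pr_clear_persona(const uint64_t *whitelist)
{
    struct pr_workload w;
    for (size_t i = 0; i < CFG_WORDS; i++) {
        w.region_mask[i] = ~whitelist[i];
        w.persona_mask[i] = 0;
    }
    return w;
}

int main(void)
{
    uint64_t wl[CFG_WORDS] = {0xFFFFFFFFULL, 0}, cfg[CFG_WORDS] = {~0ULL, ~0ULL};
    struct pr_workload clr = pr_clear_persona(wl);
    int rc = pr_load(cfg, &clr, wl);
    printf("rc=%d cfg[0]=%016llx\n", rc, (unsigned long long)cfg[0]);
    return 0;
}
```

Checking both masks before any write is what keeps a rejected workload from partially modifying a neighbouring region in this model.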
Discovery or management thereof, e.g. service location protocol [SLP] or web services · CPC title
in which an application is distributed across nodes in the network (software deployment G06F8/60; multiprogramming arrangements G06F9/46) · CPC title
Multiple levels of security · CPC title
by executing in a restricted environment, e.g. sandbox or secure virtual machine · CPC title
for reconfigurable circuits, e.g. field programmable gate arrays [FPGA] or programmable logic devices [PLD] · CPC title