Secure Exclaves

US2025094564A1 · US · A1

Patent metadata
Field                 Value
Publication number    US-2025094564-A1
Application number    US-202418790765-A
Country               US
Kind code             A1
Filing date           Jul 31, 2024
Priority date         Sep 20, 2023
Publication date      Mar 20, 2025
Grant date

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

Techniques are disclosed relating to securing hardware accelerators used by a computing device. In some embodiments, a computing device includes a sensor and sensor processor circuitry coupled to the sensor. The sensor processor circuitry is configured to process sensor data received from a sensor of the computing device. In response to a first indication that a first consumer is trustworthy, the sensor processor circuitry is configured to provide a first data set of the processed sensor data to the first consumer. In response to a second indication that a second consumer is untrustworthy, the sensor processor circuitry is configured to negotiate one or more conditions in which the second consumer is permitted to receive a second data set of the processed sensor data.

First claim

Opening claim text (preview).

What is claimed is:

1. A computing device, comprising: a sensor; and sensor processor circuitry coupled to the sensor and configured to: process sensor data received from a sensor of the computing device; in response to a first indication that a first consumer is trustworthy, provide a first data set of the processed sensor data to the first consumer; and in response to a second indication that a second consumer is untrustworthy, negotiate one or more conditions in which the second consumer is permitted to receive a second data set of the processed sensor data.

2. The computing device of claim 1, wherein the first indication identifies the first consumer as residing in a secure environment in which a set of security criteria is enforced for the first data set; and wherein the second indication identifies the second consumer as residing outside of the secure environment.

3. The computing device of claim 2, further comprising: one or more processors; and memory having program instructions stored therein that are executable by one or more processors to: implement a secure execution environment of the secure environment, wherein the first consumer is a first process executing within the secure execution environment, and wherein the second consumer is a second process executing external to the secure execution environment.

4. The computing device of claim 2, wherein the sensor processor circuitry includes: one or more configuration registers configured to: store configuration information controlling operation of the sensor, wherein the one or more configuration registers are addressable only by entities within the secure environment.

5. The computing device of claim 1, wherein the sensor processor circuitry is an image signal processor configured to process sensor data received from a camera.

6. The computing device of claim 1, wherein the sensor processor circuitry is an audio processor configured to process sensor data received from a microphone.

7. The computing device of claim 1, wherein the sensor processor circuitry is configured to: provide an indication that the sensor is active, wherein the one or more conditions include the sensor processor circuitry receiving confirmation that a user is being notified that the sensor is active.

8. The computing device of claim 7, further comprising: display pipeline circuitry configured to: in response to the provided indication, insert pixel data in a frame being presented on a display to notify the user is being notified that the sensor is active.

9. The computing device of claim 1, wherein the sensor processor circuitry is configured to: in response to determining to provide the second data set to the second consumer: periodically receive a heartbeat signal indicating that the one or more conditions have been satisfied; and discontinue providing the second data set in response to determining that the heartbeat signal is no longer being received.

10. The computing device of claim 1, wherein the sensor processor circuitry includes: a switch configured to: in response to the one or more conditions being violated, interrupt a data path through which the second data set is being provided to the second consumer.

11. The computing device of claim 1, wherein the sensor processor circuitry is configured to: power gate the sensor in response to determining that the one or more conditions have been violated.

12. The computing device of claim 1, wherein the sensor processor circuitry includes: a secure pipeline configured to: process sensor data to produce the first data set for the first consumer; and an unsecure pipeline configured to: process sensor data to produce the second data set for the second consumer.

13. The computing device of claim 12, wherein the sensor processor circuitry includes: an input-output memory management unit (IOMMU) configured to: store a first set of memory addresses designated as being accessible to the secure pipeline and a second set of memory addresses designated as being accessible to the unsecure pipeline; and restrict the secure pipeline from accessing memory addresses outside of the first set and the unsecure pipeline from accessing memory addresses outside of the second set.

14. The computing device of claim 13, wherein the memory addresses are stored as virtual to physical address translations.

15. The computing device of claim 1, wherein the sensor processor circuitry includes: a first direct memory access (DMA) engine configured to write the first data set to a portion of memory accessible to the first consumer; and a second DMA engine configured to write the second data to another portion of memory accessible to the second consumer.

16. A method, comprising: processing, by sensor processor circuitry of a computing device, sensor data received from a sensor of the computing device; in response to a first indication that a first consumer resides in a secure environment, the sensor processor circuitry providing a first data set of the processed sensor data to the first consumer; and in response to a second indication that a second consumer resides outside of the secure environment, the sensor processor circuitry negotiating one or more conditions in which the second consumer is permitted to receive a second data set of the processed sensor data.

17. The method of claim 16, wherein the negotiated one or more conditions includes a condition that a user is notified about the sensor's use.

18. An integrated circuit, comprising: one or more processors configured to: co-execute trusted processes and untrusted processes in an isolated manner that includes enforcing a set of security criteria; and sensor processor circuitry configured to: process sensor data received from a sensor; in response to a first indication that a first process is one of the trusted processes, provide a first data set of the processed sensor data to the first process; and in response to a second indication that a second process is one of the untrusted processes, restrict, based on one or more of the set of security criteria, access of the second process to a second data set of the processed sensor data.

19. The integrated circuit of claim 18, wherein the sensor processor circuitry includes: a secure pipeline configured to: process sensor data to produce the first data set for the first process; and an input-output memory management unit (IOMMU) configured to: store a set of memory addresses designated as being accessible to the secure pipeline; and restrict the secure pipeline from accessing memory addresses outside of the set.

20. The integrated circuit of claim 18, further comprising: user interface pipeline circuitry configured to: insert, into an output provided to a user interface, an indicator that the sensor is active; and wherein the sensor processor circuitry is configured to: based on the indicator satisfying one or more of the set of security criteria, grant the second process access to the second data set of the processed sensor data.
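The gating behaviour in claims 1, 7, 9, 10 and 12 (a trusted consumer is served from a secure pipeline unconditionally; an untrusted consumer is served a separate, reduced data set only while the negotiated conditions hold, here user notification plus a periodic heartbeat, and the data path is cut when they stop holding) can be modelled as a small state machine. The following Python is an added illustration written for this page, not code from the patent or from Apple; the `SensorProcessor`, `Consumer` and pipeline names, the 4x4 sample frame and the heartbeat timeout are all constructed assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

# Constructed sample "sensor data": a 4x4 grayscale frame (values 0..255).
SAMPLE_FRAME = [
    [10, 20, 30, 40],
    [50, 60, 70, 80],
    [90, 100, 110, 120],
    [130, 140, 150, 160],
]


class Trust(Enum):
    TRUSTED = "trusted"      # consumer inside the secure environment (claim 2)
    UNTRUSTED = "untrusted"  # consumer outside the secure environment


@dataclass(frozen=True)
class Consumer:
    name: str
    trust: Trust


def secure_pipeline(frame):
    """First data set (claim 12): a full-resolution copy of the frame."""
    return [row[:] for row in frame]


def unsecure_pipeline(frame):
    """Second data set (claim 12): 2x2 block-averaged frame, i.e. reduced detail."""
    out = []
    for r in range(0, len(frame), 2):
        row = []
        for c in range(0, len(frame[r]), 2):
            block = [frame[r][c], frame[r][c + 1], frame[r + 1][c], frame[r + 1][c + 1]]
            row.append(sum(block) // 4)
        out.append(row)
    return out


@dataclass
class SensorProcessor:
    """Hypothetical model of the sensor processor circuitry's gating decisions."""
    heartbeat_timeout: int = 3            # ticks allowed between heartbeats (claim 9)
    user_notified: bool = False           # negotiated condition (claims 7, 17)
    path_open: dict = field(default_factory=dict)        # per-consumer "switch" (claim 10)
    _last_heartbeat: dict = field(default_factory=dict)  # tick of last heartbeat per consumer
    _tick: int = 0
    audit: list = field(default_factory=list)            # (consumer, pipeline, decision)

    def confirm_user_notified(self) -> None:
        # e.g. display pipeline confirms the "sensor active" indicator is shown (claim 8)
        self.user_notified = True

    def heartbeat(self, consumer: Consumer) -> None:
        self._last_heartbeat[consumer.name] = self._tick

    def tick(self) -> None:
        self._tick += 1

    def _conditions_hold(self, consumer: Consumer):
        if not self.user_notified:
            return False, "user not notified"
        last = self._last_heartbeat.get(consumer.name)
        if last is None or self._tick - last > self.heartbeat_timeout:
            return False, "heartbeat missing"
        return True, "ok"

    def request(self, consumer: Consumer, frame) -> Optional[list]:
        """Return the data set the consumer may receive, or None if the path is cut."""
        if consumer.trust is Trust.TRUSTED:
            self.audit.append((consumer.name, "secure", "granted"))
            return secure_pipeline(frame)
        ok, reason = self._conditions_hold(consumer)
        if not ok:
            self.path_open[consumer.name] = False   # switch interrupts the data path
            self.audit.append((consumer.name, "unsecure", f"denied: {reason}"))
            return None
        self.path_open[consumer.name] = True
        self.audit.append((consumer.name, "unsecure", "granted"))
        return unsecure_pipeline(frame)


def run_scenario():
    """Walk one untrusted consumer through notification, heartbeat, and heartbeat loss."""
    isp = SensorProcessor(heartbeat_timeout=2)
    trusted = Consumer("secure_face_auth", Trust.TRUSTED)      # constructed name
    untrusted = Consumer("third_party_app", Trust.UNTRUSTED)   # constructed name
    results = []
    results.append(isp.request(trusted, SAMPLE_FRAME))    # full frame, no conditions
    results.append(isp.request(untrusted, SAMPLE_FRAME))  # None: user not notified
    isp.confirm_user_notified()
    results.append(isp.request(untrusted, SAMPLE_FRAME))  # None: no heartbeat yet
    isp.heartbeat(untrusted)
    results.append(isp.request(untrusted, SAMPLE_FRAME))  # reduced frame
    for _ in range(3):                                    # 3 ticks > timeout of 2
        isp.tick()
    results.append(isp.request(untrusted, SAMPLE_FRAME))  # None: heartbeat lost
    return isp, results


if __name__ == "__main__":
    isp, results = run_scenario()
    for entry in isp.audit:
        print(entry)
```

The point the model makes is that the trusted path never consults the conditions, while the untrusted path re-checks them on every request and fails closed: a consumer that stops sending heartbeats, or whose notification was never confirmed, gets nothing rather than stale permission, which is the "discontinue providing" behaviour of claim 9 and the "interrupt a data path" behaviour of claim 10.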

Assignees

Apple Inc
Inventors

Classifications

  • operating in dual or compartmented mode, i.e. at least one secure mode · CPC title

  • G06F21/53 · Primary

    by executing in a restricted environment, e.g. sandbox or secure virtual machine · CPC title

  • to a system of files or objects, e.g. local or distributed file system or database · CPC title

  • by adding security routines or objects to programs · CPC title

  • Test or assess software · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US2025094564A1 cover?
Techniques are disclosed relating to securing hardware accelerators used by a computing device. In some embodiments, a computing device includes a sensor and sensor processor circuitry coupled to the sensor. The sensor processor circuitry is configured to process sensor data received from a sensor of the computing device. In response to a first indication that a first consumer is trustworthy, t…
Who is the assignee on this patent?
Apple Inc
What technology area does this patent fall under?
Primary CPC classification G06F21/53. Mapped technology areas include Physics.
When was this patent published?
Publication date Mar 20, 2025 (A1). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 12 related publications on this page (citations in our corpus or others sharing the same primary CPC).