Malware mitigation based on runtime memory allocation
US-2024220609-A1 · Jul 4, 2024 · US
US9507961B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-9507961-B2 |
| Application number | US-201314014032-A |
| Country | US |
| Kind code | B2 |
| Filing date | Aug 29, 2013 |
| Priority date | Jul 1, 2013 |
| Publication date | Nov 29, 2016 |
| Grant date | Nov 29, 2016 |
Official abstract text for this publication.
Systems, methods, and computer programs are disclosed for providing secure access control to a graphics processing unit (GPU). One system includes a GPU, a plurality GPU programming interfaces, and a command processor. Each GPU programming interface is dynamically assigned to a different one of a plurality of security zones. Each GPU programming interface is configured to receive work orders issued by one or more applications associated with the corresponding security zone. The work orders comprise instructions to be executed by the GPU. The command processor is in communication with the plurality of GPU programming interfaces. The command processor is configured to control execution of the work orders received by the plurality of GPU programming interfaces using separate secure memory regions. Each secure memory region is allocated to one of the plurality of security zones.
Opening claim text (preview).
What is claimed is:

1. A method for providing secure access control to a graphics processing unit, the method comprising: defining a plurality of security zones for controlling access to a graphics processing unit (GPU) over a common communication channel, the GPU comprising a plurality of GPU programming interfaces; assigning each of the security zones to a corresponding one of the plurality of GPU programming interfaces of the GPU, each of the GPU programming interfaces having a separate content queue; sending a communication over the common communication channel from a central processing unit (CPU) to the GPU; receiving at a content queue of one of the plurality of GPU programming interfaces the communication from the CPU, the communication comprising work orders issued by one or more applications associated with the corresponding security zone, the work orders comprising instructions to be executed by the GPU; selecting the work orders received by the content queue of the one of the plurality of GPU programming interfaces for execution; and controlling execution of the work orders using separate secure memory regions, each secure memory region allocated to one of the security zones and one of the plurality of GPU programming interfaces.
2. The method of claim 1, wherein the work orders are injected by the CPU into the corresponding GPU programming interface according to the security zones.
3. The method of claim 2, wherein the work orders are injected using a stream identifier that identifies the corresponding GPU programming interface.
4. The method of claim 1, wherein the separate memory regions are allocated by a secure memory management unit.
5. The method of claim 4, wherein one or more of the separate memory regions comprise an isolated address space with hardware-enforced protections using an associated context bank in the secure memory management unit.
6. The method of claim 5, wherein the isolated address space is implemented via one or more of: a hypervisor software layer to manage two or more operating systems; and separation between trusted hardware and untrusted hardware.
7. The method of claim 1, wherein two or more of the security zones are managed in parallel.
8. The method of claim 1, wherein one or more of the security zones comprises a non-secure zone or a secure zone.
9. The method of claim 1, wherein the one or more applications issuing the work orders comprise one or more of a content protection zone application, a content protection zone kernel associated with an operating system, a high level operating system kernel, and a trusted zone security monitor.
10. A system for providing secure access control to a graphics processing unit, the method comprising: means for defining a plurality of security zones for controlling access to a graphics processing unit (GPU) over a common communication channel, the GPU comprising a plurality of GPU programming interfaces; means for assigning each of the security zones to a corresponding one of the plurality of GPU programming interfaces of the GPU, each of the GPU programming interfaces having a separate content queue; means for sending a communication over the common communication channel from a central processing unit (CPU) to the GPU; means for receiving at a content queue of one of the plurality of GPU programming interfaces the communication from the CPU, the communication comprising work orders issued by one or more applications associated with the corresponding security zone, the work orders comprising instructions to be executed by the GPU; means for selecting the work orders received by the content queue of the one of the plurality of GPU programming interfaces for execution; and means for controlling execution of the work using separate secure memory regions, each secure memory region allocated to one of the security zones and one of the plurality of GPU programming interfaces.
11. The system of claim 10, wherein the work orders are injected by the CPU into the corresponding GPU programming interface according to the security zones.
12. The system of claim 11, wherein the work orders are injected using a stream identifier that identifies the corresponding GPU programming interface.
13. The system of claim 10, wherein the separate memory regions are allocated by a secure memory management unit.
14. The system of claim 13, wherein one or more of the separate memory regions comprise an isolated address space with hardware-enforced protections using an associated context bank in the secure memory management unit.
15. The system of claim 14, wherein the isolated address space is implemented via one or more of: a hypervisor software layer to manage two or more operating systems; and separation between trusted hardware and untrusted hardware.
16. The system of claim 10, wherein two or more of the security zones are managed in parallel.
17. The system of claim 10, wherein one or more of the security zones comprises a non-secure zone or a secure zone.
18. The system of claim 10, wherein the one or more applications issuing the work orders comprise one or more of a content protection zone application, a content protection zone kernel associated with an operating system, a high level operating system kernel, and a trusted zone security monitor.
19. A computer program for providing secure access control to a graphics processing unit, the computer program embodied in a non-transitory, tangible computer-readable medium containing computer readable program code for execution by a processor, the computer readable program code comprising logic configured to: define a plurality of security zones for controlling access to a graphics processing unit (GPU) over a common communication channel, the GPU comprising a plurality of GPU programming interfaces; assign each of the security zones to a corresponding one of the plurality of GPU programming interfaces of the GPU, each of the GPU programming interfaces having a separate content queue; send a communication over the common communication channel from a central processing unit (CPU) to the GPU; receive at a content queue of one of the plurality of GPU programming interfaces the communication from the CPU, the communication comprising work orders issued by one or more applications associated with the corresponding security zone, the work orders comprising instructions to be executed by the GPU; select the work orders received by the content queue of the one of the plurality of GPU programming interfaces for execution; and control execution of the work orders using separate secure memory regions, each secure memory region allocated to one of the security zones and one of the plurality of GPU programming interfaces.
20. The computer program of claim 19, wherein the work orders are injected by the CPU into the corresponding GPU programming interface according to the security zones.
21. The computer program of claim 20, wherein the work orders are injected using a stream identifier that identifies the corresponding GPU programming interface.
22. The computer program of claim 19, wherein the separate memory regions are allocated by a secure memory management unit.
23. The computer program of claim 22, wherein one or more of the separate memory regions comprise an isolated address space with hardware-enforced protections using an associated context bank in the secure memory management unit.
24. The computer prog
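To make the dispatch path in the abstract and claims concrete, the following is an added Python model written for this page; it is not code from the patent or its assignee. It models three things the claims name: GPU programming interfaces that each own a content queue and are assigned to one security zone; work orders injected by the CPU using a stream identifier that selects the interface; and a command processor that executes each order only against the secure memory region allocated to that interface's zone. Class names, the `context_bank` numbers, addresses, application labels and the work orders themselves are all constructed for the illustration, and the region check is a simplified stand-in for the hardware-enforced protection the claims attribute to a secure memory management unit.

```python
"""Toy model of per-zone GPU work-order dispatch (constructed example; not the patent's code)."""
from dataclasses import dataclass, field
from enum import Enum


class Zone(Enum):
    NON_SECURE = "non-secure"
    SECURE = "secure"


@dataclass(frozen=True)
class MemoryRegion:
    """A secure memory region allocated to exactly one zone. The context_bank
    number stands in for the secure-MMU context bank; values are placeholders."""
    zone: Zone
    context_bank: int
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


@dataclass
class WorkOrder:
    stream_id: int        # stream identifier naming the target GPU programming interface
    app: str              # issuing application label (kept for the audit log)
    instructions: list    # constructed (op, address) pairs the GPU would execute


@dataclass
class ProgrammingInterface:
    stream_id: int
    zone: Zone
    content_queue: list = field(default_factory=list)


class CommandProcessor:
    """Routes work orders by stream identifier and confines each order's memory
    accesses to the region allocated to the receiving interface's zone."""

    def __init__(self) -> None:
        self.interfaces: dict[int, ProgrammingInterface] = {}
        self.regions: dict[Zone, MemoryRegion] = {}
        self.audit: list[tuple] = []

    def assign_zone(self, stream_id: int, zone: Zone, region: MemoryRegion) -> None:
        """Bind one interface to one zone and record the region allocated to that zone."""
        if region.zone is not zone:
            raise ValueError("region must belong to the zone being assigned")
        self.interfaces[stream_id] = ProgrammingInterface(stream_id, zone)
        self.regions[zone] = region

    def inject(self, order: WorkOrder) -> bool:
        """CPU side: enqueue the order on the interface named by its stream id.
        Orders for an unassigned stream have no zone and are dropped and logged."""
        iface = self.interfaces.get(order.stream_id)
        if iface is None:
            self.audit.append(("reject", order.stream_id, order.app, "unknown stream"))
            return False
        iface.content_queue.append(order)
        return True

    def execute_all(self) -> list[tuple]:
        """Drain every content queue. An access outside the zone's region faults
        and the remainder of that order is abandoned, so a fault is always visible."""
        results = []
        for iface in self.interfaces.values():
            region = self.regions[iface.zone]
            while iface.content_queue:
                order = iface.content_queue.pop(0)
                for op, addr in order.instructions:
                    if region.contains(addr):
                        results.append((iface.stream_id, op, addr, "ok"))
                    else:
                        results.append((iface.stream_id, op, addr, "fault"))
                        self.audit.append(("fault", iface.stream_id, order.app, addr))
                        break
        return results


def demo() -> tuple[list[tuple], list[tuple]]:
    """Constructed scenario: one non-secure and one secure zone, each on its own interface."""
    cp = CommandProcessor()
    cp.assign_zone(0, Zone.NON_SECURE, MemoryRegion(Zone.NON_SECURE, 0, 0x1000, 0x1000))
    cp.assign_zone(1, Zone.SECURE, MemoryRegion(Zone.SECURE, 1, 0x8000, 0x1000))
    cp.inject(WorkOrder(0, "hlos-app", [("write", 0x1010), ("read", 0x1020)]))
    cp.inject(WorkOrder(1, "cpz-app", [("write", 0x8100)]))
    # A non-secure order that reaches into the secure region: must fault, not be served.
    cp.inject(WorkOrder(0, "hlos-app", [("read", 0x8100), ("read", 0x1030)]))
    # A stream id with no assigned zone: rejected at injection time.
    cp.inject(WorkOrder(7, "stray", [("read", 0x1000)]))
    return cp.execute_all(), cp.audit


if __name__ == "__main__":
    for entry in demo()[0]:
        print(entry)
```

The point the model makes is that the zone check does not depend on trusting the issuing application: the zone is a property of the interface the order landed on, and the region it may touch is a property of that zone, so an order that names the wrong addresses faults regardless of what it claims to be.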
CPC classification titles:

- Multi-level security, e.g. mandatory access control
- operating in dual or compartmented mode, i.e. at least one secure mode
- to assure secure computing or processing of information
- Processor architectures; Processor configuration, e.g. pipelining