According to a Google blog post from 2017, Google has been experimenting with providing raw access to PCIe devices in a remote environment. They set out to discover what Access Control Service features (ACS, see section 4.3 of the Intel paper for more information) are necessary:
We discovered some curiosities. For instance, on one incorrect configuration, some undocumented debug registers on the switch were incorrectly exposed to downstream devices, which we discovered could cause serious malfunctioning of the switch under certain access patterns. If a device can cause out-of-spec behavior in the switch it’s connected to, it may be able to cause insecure routing, which would compromise the entire network. The value of fuzzing is its ability to find vulnerabilities in undocumented and undefined areas, outside the normal set of behaviors and operations defined in the spec. But by the end of the process, we had determined a minimum set of ACS features necessary to securely run GPUs in the cloud.
Emphasis mine. I would like to know which features these are. Has Google published them?
