How is the GPU-side attestation implemented? #79

Open
zL1nX opened this issue Nov 24, 2024 · 4 comments

zL1nX commented Nov 24, 2024

Thanks for this detailed repository about remote attestation on the host side for verification. However, there seems to be little information about how things are implemented on the device side. For example, I am wondering how the evidence is generated by the (H-100) GPU. Which component of the GPU conducts the signing operation? And how is SPDM communication handled in the GPU?

I notice that there is an open-source SPDM implementation of Nvidia with both the requester and the responder involved. Is it related to this repo or the above questions?

I read the docs and searched the web but there is no specific description about the operations or functions on the GPU side. I am not sure whether they are publicly available (or I missed something). Thanks for any information in advance!

yf23 commented Nov 24, 2024

zL1nX commented Nov 24, 2024

Thank you! This talk relieves some of my concerns. Are there any more detailed docs about the specific attestation implementations on the GPU hardware? Unlike the usual CPU TEE attestation, I found it difficult for me to speculate (or imagine) how those operations are actually implemented or organized in the GPU, e.g., a trusted CUDA kernel, a specialized library, or a piece of microcode.

steven-bellock commented

@zL1nX see https://forums.developer.nvidia.com/t/are-the-on-die-root-of-trust-and-sec2-security-microcontroller-physically-the-same-thing/307330 for roots of trust in the GPU.

> Is it related to this repo or the above questions?

For confidential compute the Requester and Responder are both implemented via libspdm.

zL1nX commented Nov 25, 2024

> For confidential compute the Requester and Responder are both implemented via libspdm.

Thanks! @steven-bellock I didn't expect its implementation to have been provided in this repository 😆. It seems that there are still many things for me to figure out to piece together a complete attestation implementation for the GPUs.
