If H100 use SPDM mutual authentication?

In HCC-Whitepaper(https://images.nvidia.com/aem-dam/en-zz/Solutions/data-center/HCC-Whitepaper-v1.0.pdf), I found “GPU PF driver use SPDM for session establishment” in Figure 8 step 5.
I want to know if H100 use SPDM mutual authentication or not?
If it is indeed mutual authentication, what are the certificates of both parties?

Correct, the SPDM session is built between the GPU and the Driver in the CVM.

NVIDIA Certificates will be posted publicly shortly before our General Access on the web and will have chain-of-trust to our Root CA.

First, thanks for your reply!
I’m sorry to still not understand about it, as I’m a freshman to use nvidia GPU CC.

I found below in some nvidia pdf:
1)Certificate chain:
Nvidia-root cert => Model cert => Provisioner cert => Device cert => Attestation cert

2)“With the current flow, the first three levels of the HCC Device Certificate Chain are the same for all current devices that support CC. Therefore, these certificates are included as a part of the NVIDIA Kernel Driver”

3)Before a CVM uses the GPU, it must authenticate the GPU as genuine before including it in its trust boundary. It does this by retrieving a device identity certificate (signed with a device-unique ECC-384 key pair) from the device or calling the NVIDIA Device Identity Service

Accord to upper description, I’m confused.
Assume that the GPU is the server side, the nvidia driver in cvm is the client side, I think SPDM session is one-way authentication: Nvidia driver in cvm trust GPU, but GPU how to trust nvidia driver?

But the first question I ask if SPDM use mutual authentication, you said yes.
Did I understand it wrong or am I missing something important?

With SPDM, encrypted/signed traffic may flow both direction with a shared secret.

But the first question I ask if SPDM use mutual authentication,

No, the GPU does not authenticate the guest. In particular how would that work? Do you imagine the tenant going to, say, a cloud provider, and provisioning a public key into the GPU such that it would use that to authenticate the guest driver / VM during a remote confidential compute session?