Signing a message using private key on GPU without restricting/interrupting workloads

I’m interested in figuring out if it’s possible to sign a message using the private key inside the GPU (the one used for attestation of hardware in confidential computing mode) without interrupting/restricting typical workloads by putting the GPU fully in CC mode (which seems to require a GPU reset, limits CPU<>GPU bandwidth, etc.).

I am curious to find out whether this is physically possible without modifications to the hardware, or whether the way the trusted computing environment is implemented in hardware would make this impossible. If it’s possible, I’m curious whether it could be done using the vanilla drivers, or if it would require modified drivers, or if it would require modified GPU firmware. (Also curious to understand how such a solution might work.)

If the answer to the above is that it’s not possible, then: suppose you were willing to sign messages in a way that could be interruptive (e.g. required putting the GPU into CC mode). Could this be achieved without requiring special configurations on the host side (e.g. BIOS modifications, CPU confidential computing support, etc.) if you were willing to modify the driver/firmware? It’s OK if other CC features wouldn’t work — I’m just interested in signing a message. If this is possible, what might that solution look like?

Thank you so much in advance for any tips!

@mark-cooper What exactly is your use case? Are these arbitrary messages, or does the GPU get some say in what it signs?

Hi @sbellock, thanks for the quick response!

The use case is e.g. ensuring that the GPU physically has not been swapped out in a cryptographically verifiable way, while avoiding difficult setup steps around CC mode (including requirements for CPU-side confidential computing support) and GPU resets that would interrupt workloads. I’m also just curious about what is / is not possible in firmware.

The GPU could choose the structure/contents of the message almost entirely – there’d just need to be space for the caller to include a cryptographically-secure number of bits of its own choosing (to prevent pre-computation of all possible inputs / replay attacks).

I suppose one other requirement would be that the private key itself cannot be extracted via custom firmware — am hoping that’s the case!
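The challenge-response pattern described in the post above, as an added example that is not part of the original thread and is not NVIDIA code or any GPU API. It assumes a software-simulated device key (Ed25519 from the Python `cryptography` package), a hypothetical message layout of a fixed tag plus the caller's nonce, and a verifier that already holds the device's public key.

```python
import secrets
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import (
    Ed25519PrivateKey, Ed25519PublicKey)

NONCE_LEN = 32  # 256 caller-chosen bits; assumption, the thread gives no size
PREFIX = b"device-identity-v1"  # hypothetical domain-separation tag


class SimulatedDevice:
    """Stand-in for a device holding a non-extractable key (software only)."""

    def __init__(self) -> None:
        self._key = Ed25519PrivateKey.generate()
        self.public_key = self._key.public_key()

    def sign_challenge(self, nonce: bytes) -> bytes:
        # The device fixes the message layout; the caller only supplies the nonce.
        return self._key.sign(PREFIX + nonce)


class Verifier:
    """Pins one device public key and accepts each issued nonce once."""

    def __init__(self, pinned: Ed25519PublicKey) -> None:
        self._pinned = pinned
        self._outstanding: set[bytes] = set()

    def new_challenge(self) -> bytes:
        nonce = secrets.token_bytes(NONCE_LEN)
        self._outstanding.add(nonce)
        return nonce

    def check(self, nonce: bytes, signature: bytes) -> bool:
        # Reject nonces this verifier never issued or has already consumed.
        if nonce not in self._outstanding:
            return False
        self._outstanding.discard(nonce)  # single use, pass or fail
        try:
            self._pinned.verify(signature, PREFIX + nonce)
        except InvalidSignature:
            return False
        return True
```

Because the nonce is random and single-use, a recorded signature cannot be replayed, and a different device fails against the pinned key.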

The attack you’re describing, the swapping of GPUs or re-routing the data paths to GPUs mid-workload, is exactly what CC is designed to mitigate. If you are sufficiently concerned about those attacks then CC is the way to go.

Not much. All firmware that runs on the GPU must be NVIDIA-authored.

Thanks; it makes sense that this is what CC was designed to prevent.

I still am curious to know whether the hardware can in principle sign a message without requiring the difficult CC setup steps and GPU reset required to enter CC mode. I understand that as an end user I wouldn’t be able to create custom firmware, but I still do find myself curious about whether such a thing is possible in principle in software (or would it be impossible to implement without hardware changes, even for NVIDIA?).

It can in principle.
