I am currently investigating the Confidential Compute capabilities of the Hopper architecture and trying to understand the full attestation flow. Based on my understanding, the general attestation process works as follows:
- Generate a nonce.
- Request NVML/driver to generate an attestation report:
  - NVML forwards the request to the driver.
  - The driver requests the GSP to provide signed measurements via `libspdm_get_measurement_ex`.
- Request the GPU certificate from NVML/driver.
- Validate the GPU certificate chain (e.g., check OCSP, etc.).
- Verify the attestation report’s signature against the GPU certificate.
- Validate the measurements (driver + VBIOS) in the attestation report against the RIM manifest files.

From reviewing the attestation SDK source code at NVIDIA/nvtrust, it appears that the attestation report includes measurements for both the driver and VBIOS. I understand why and how VBIOS measurements would be included, as they come directly from the GPU, but it’s unclear to me how the driver measurements would come from the GPU’s attestation report.
I initially assumed that the driver manifest contained simple hashes (or some derivative) of the NVIDIA kernel modules. However, after compiling and loading a modified kernel module (to investigate another area), I was surprised to find that RIM verification still passed. This led me to question how the driver measurements are generated.
Is there a step in the SPDM negotiation process that I may have overlooked? More specifically, what exactly (or even vaguely, if full disclosure isn’t possible) does the driver RIM manifest refer to? Additionally, is there any way to reproduce these measurements independently without querying the GPU?
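
The last step of the flow listed in the post (comparing reported measurements against the RIM files), as an added example that is not part of the original post and is not code from NVIDIA/nvtrust. It parses a measurement record using the DMTF SPDM measurement block layout and checks each index against golden values. Assumptions: the report signature and certificate chain were already verified, each RIM is reduced to a hypothetical `index -> set of acceptable values` dict, and all function names and sample digests are constructed.

```python
import hashlib
import struct

def parse_measurement_record(record):
    """Split an SPDM measurement record into {index: value bytes}."""
    blocks, off = {}, 0
    while off < len(record):
        if len(record) - off < 4:
            raise ValueError("truncated block header")
        # Block header: Index, MeasurementSpecification, MeasurementSize (LE).
        index, spec, size = struct.unpack_from("<BBH", record, off)
        body = record[off + 4:off + 4 + size]
        if len(body) != size or size < 3:
            raise ValueError(f"truncated measurement block {index}")
        if not spec & 0x01:
            raise ValueError(f"block {index} is not in DMTF format")
        # DMTF body: value type, value size (LE), then the value itself.
        _vtype, vsize = struct.unpack_from("<BH", body, 0)
        if vsize != size - 3:
            raise ValueError(f"inconsistent sizes in block {index}")
        if index in blocks:
            raise ValueError(f"duplicate index {index}")
        blocks[index] = body[3:]
        off += 4 + size
    return blocks

def failed_indices(reported, driver_rim, vbios_rim):
    """Indices whose golden value is missing from, or differs in, the report."""
    # Assumption of this sketch: each index is owned by exactly one RIM.
    overlap = driver_rim.keys() & vbios_rim.keys()
    if overlap:
        raise ValueError(f"both RIMs claim indices {sorted(overlap)}")
    golden = {**driver_rim, **vbios_rim}
    return sorted(i for i, ok in golden.items() if reported.get(i) not in ok)

def make_block(index, value, vtype=0x00):
    """Build one constructed measurement block for the sample below."""
    dmtf = struct.pack("<BH", vtype, len(value)) + value
    return struct.pack("<BBH", index, 0x01, len(dmtf)) + dmtf

# Constructed sample data; the digests are not real GPU or RIM values.
A, B, C = (hashlib.sha384(s).digest() for s in (b"value-a", b"value-b", b"value-c"))
SAMPLE_RECORD = make_block(1, A) + make_block(2, B)
VBIOS_RIM = {1: {A}}          # index -> set of acceptable values
DRIVER_RIM = {2: {B, C}}      # an index may list alternatives

if __name__ == "__main__":
    print(failed_indices(parse_measurement_record(SAMPLE_RECORD), DRIVER_RIM, VBIOS_RIM))
```

The comparison only sees values the device placed in the measurement record, so a golden index that the report omits is treated as a failure rather than skipped.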