Skip to main content

Overview

io.net provisioned Confidential Compute VMs are equipped with NVIDIA H200 GPUs featuring hardware-based confidential computing capabilities. This guide shows you how to verify that your GPUs are genuine NVIDIA hardware with confidential computing features properly enabled.

Key Takeaways

  • Understand why GPU verification is essential for confidential computing.
  • Learn how to confirm GPU authenticity using cryptographic attestation.
  • Follow clear, step-by-step instructions to run verification on your VM.

Prerequisites

  • SSH access to your Confidential Compute VM
  • Python 3.7 or later (pre-installed on your VM)
  • Basic command line understanding
  • 5 minutes to perform the initial set up

Why does GPU verification matter?

Trust, but Verify

When running sensitive workloads on Confidential Computing (CC) infrastructure, it is not enough to rely on a provider’s assurances. You need cryptographic proof that the hardware is authentic, correctly configured, and operating in a secure state. GPU attestation provides independent verification that:
  • The GPUs are genuine NVIDIA hardware - not counterfeit, emulated, or misrepresented.
  • Firmware is intact and unmodified - ensuring no tampering with GPU software or drivers.
  • Confidential computing features are enabled - confirming that CC mode is active and functioning properly.
  • Hardware measurements match expected “golden” values - validating that the GPU’s state aligns with NVIDIA’s reference integrity manifests.

Security and Compliance

GPU attestation is a foundational security mechanism for confidential computing environments. It helps ensure:
  • Zero-trust architecture - trust no component by default, verify every claim cryptographically.
  • Regulatory and compliance adherence - meet requirements that mandate hardware verification.
  • Data protection - guarantee that sensitive workloads run only on validated, trustworthy hardware.
  • Clear auditability - produce cryptographic evidence for stakeholders, security teams, and auditors.

How It Works

Attestation relies on cryptographic proofs that cannot be falsified, forged or altered. The verification process follows a clear chain of checks: 
Your VM → Collect GPU Evidence → Verify Certificates
                                → Check Measurements
                                → Validate Signatures
                                → Result: Verified or Check Failed
What gets verified: During attestation, the following elements are validated:
  • A four-level GPU certificate chain, traced back to the NVIDIA Root Certificate Authority.
  • Certificate revocation status, checked via OCSP to ensure no certificates have been revoked.
  • Driver firmware measurements, consisting of 64 SHA-384 cryptographic hashes.
  • VBIOS firmware measurements, consisting of 64 SHA-384 cryptographic hashes.
  • Digital signatures on all attestation evidence, ensuring integrity and authenticity.

What is GPU Attestation?

Cryptographic Proof of Authenticity

GPU attestation is a cryptographic verification process rooted in hardware-based trust. It provides verifiable proof that a GPU is authentic, securely configured, and operating in a trusted state. Specifically, it validates four core properties:
Every NVIDIA GPU that supports Confidential Computing includes:
  • A unique hardware identity permanently embedded in silicon during manufacturing.
  • A certificate chain signed by NVIDIA’s Root Certificate Authority.
  • Cryptographic keys stored in tamper-resistant hardware.
What this proves:
The GPU is genuine NVIDIA hardware, produced by NVIDIA, and not counterfeit or emulated.

Official NVIDIA Technology

GPU attestation is performed using NVIDIA’s official tooling:
  • Package: nv-attestation-sdk (official NVIDIA Python SDK)
  • Source: PyPI (Python Package Index)
  • Version: 2.6.3 (as of December 2025)
  • License: Apache 2.0
  • Repository: https://github.com/NVIDIA/nvtrust
This is not a third-party tool. It is NVIDIA’s production-ready attestation framework, used by enterprise customers worldwide.

Standards-Based Approach

NVIDIA GPU attestation is built on widely adopted industry standards:
  • SPDM (Security Protocol and Data Model): Version 1.1 for device authentication.
  • X.509 PKI: Standard public key infrastructure for certificates.
  • OCSP: Online Certificate Status Protocol for revocation checks.
  • TCG standards: Trusted Computing Group measurement and attestation specifications.

Quick Reference

One-time setup (approximately 2–3 minutes): 
mkdir -p ~/gpu-verification && cd ~/gpu-verification
python3 -m venv venv
source venv/bin/activate
pip install --upgrade pip
pip install nv-attestation-sdk
# Create the verify_gpu.py script (refer to Step 5 of the GPU Attestation and Verification Guide)
Run verification (approximately 30 seconds): 
cd ~/gpu-verification
source venv/bin/activate
python3 verify_gpu.py
Successful verification output: 
✅ VERIFICATION SUCCESSFUL
This system has X genuine NVIDIA GPU(s)
with Confidential Computing features enabled and operational.
For a more comprehensive guide for verifying your Confidential Compute VM, refer to the GPU Attestation and Verification Guide.

Key Points

  • Official NVIDIA tooling - uses the NVIDIA-provided nv-attestation-sdk.
  • Cryptographic assurance - verification cannot be forged or bypassed.
  • Comprehensive validation - certificates, firmware measurements, and signatures are all verified.
  • Fast execution - completes in approximately 30 seconds after initial setup.
  • Self-contained operation - runs entirely within the virtual machine without external accounts.

Next Steps

  1. Complete the one-time setup.
  2. Run GPU verification on the virtual machine.
  3. Integrate verification into the security or deployment workflow.
  4. Perform verification before processing sensitive workloads.
  5. Contact support if verification fails.

FAQs

Recommended frequency:
  • Daily: Before processing sensitive or regulated workloads.
  • After system changes: Following any reboot, update, or migration.
  • Initial provisioning: When the virtual machine is first received.
  • Compliance requirements: As dictated by organizational security policies.
Why regular verification is important:
  • Detects firmware tampering or unauthorized modification.
  • Confirms that Confidential Computing features remain enabled after updates.
  • Provides a verifiable audit trail for compliance and governance.
Yes. Verification can be integrated into startup or pre-workload scripts.
#!/bin/bash
# Example: Run verification before starting an application

cd ~/gpu-verification
source venv/bin/activate
python3 verify_gpu.py

if [ $? -eq 0 ]; then
    echo "✅ Verification passed. Starting workload."
    # Insert application startup commands here
else
    echo "❌ Verification failed. Aborting startup."
    exit 1
fi
No. Verification:
  • Runs independently of GPU compute workloads.
  • Typically completes within 30–60 seconds.
  • Does not interfere with running applications.
  • Can be executed while GPUs are performing other tasks.
Immediate steps to follow:
  1. Retry the verification once, as failures may be caused by transient network issues.
  2. Review system logs using journalctl -xe.
  3. Confirm that the NVIDIA driver is installed and functioning using nvidia-smi.
  4. Contact support and provide complete error messages and output.
Sensitive or confidential data should not be processed until verification succeeds.
Yes. This verification process uses:
  • The official NVIDIA Python SDK (nv-attestation-sdk).
  • The same verification logic used by NVIDIA enterprise customers.
  • Reference Integrity Manifests and certificate chains served directly by NVIDIA.
  • Industry-standard cryptographic validation mechanisms.
This is not a third-party tool. It is NVIDIA’s official, production-grade attestation solution.
The verification process validates the following components:Hardware
  • The GPU is genuine NVIDIA hardware, verified through a certificate chain to the NVIDIA Root Certificate Authority.
  • The hardware identity matches the issued certificates.
  • Certificates have not been revoked, as verified through OCSP.
Firmware
  • Driver firmware measurements (64 SHA-384 cryptographic hashes).
  • VBIOS firmware measurements (64 SHA-384 cryptographic hashes).
  • Measurements match NVIDIA’s reference “golden” RIM values.
  • All firmware and measurement signatures are cryptographically valid.
Configuration
  • Confidential Computing mode is enabled.
  • Protected PCIe (PPCIE) is correctly configured.
  • The GPU ready state is operational.
No. Verification is based on strong cryptographic guarantees, including:
  • A hardware root of trust, with cryptographic keys embedded in tamper-resistant silicon.
  • Certificate chains signed by NVIDIA’s Root Certificate Authority, protected by NVIDIA’s private keys.
  • Cryptographic signatures that cannot be forged without NVIDIA’s private keys.
  • Fresh nonces that prevent replay of previously captured attestation results.
Even if the operating system is fully compromised, an attacker cannot:
  • Forge NVIDIA’s digital signatures.
  • Create certificates that successfully validate against the NVIDIA Root CA.
  • Modify firmware measurements without detection.
  • Bypass the hardware root of trust.
GPU attestation verifies GPU authenticity and configuration, but it DOES NOT validate:
  • Hypervisor security or configuration.
  • Host operating system security.
  • Network isolation between virtual machines.
  • Physical datacenter security.
  • Guest operating system security within the VM.
For comprehensive protection:
GPU attestation should be used as part of a defense-in-depth security strategy.
The verification tooling can be independently validated through the following means:
  1. Official NVIDIA package distribution: Published on PyPI 
    pip show nv-attestation-sdk
# Displays: nv-attestation-sdk 2.6.3
  2. Open-source implementation: Publicly available for review Repository: https://github.com/NVIDIA/nvtrust
  3. Package signing: Signed and distributed by NVIDIA 
    pip show --verbose nv-attestation-sdk
  4. Checksum verification: Validate package integrity 
    pip hash nv-attestation-sdk
This is expected for nodes with NVLink-connected GPUs. CC State is only used when individual GPUs (or non-NVLink GPUs) are passed into a VM. Because NVLink-connected GPUs must be passed through as a complete set, CC State remains OFF.For these nodes, confidentiality is provided through Protected PCIe, not CC State. You can confirm this by checking:
  • Multi-GPU Mode: Protected PCIe → GPUs are running in confidential mode.
  • CPU CC Capabilities: INTEL TDX → CPU is running in confidential mode.