> ## Documentation Index
> Fetch the complete documentation index at: https://io.net/docs/llms.txt
> Use this file to discover all available pages before exploring further.
# Confidential Compute Attestation
> Learn what confidential compute attestation is and how it can be utilized to verify secure workloads on io.net Cloud. Explore Trusted Execution Environments (TEE), GPU verification, and hardware-based security for sensitive compute.
## Overview
[io.net](http://io.net) provisioned *Confidential Compute VMs* are equipped with NVIDIA H200 GPUs featuring hardware-based confidential computing capabilities. This guide shows you how to verify that your GPUs are genuine NVIDIA hardware with confidential computing features properly enabled.
### Key Takeaways
* Understand why GPU verification is essential for confidential computing.
* Learn how to confirm GPU authenticity using cryptographic attestation.
* Follow clear, step-by-step instructions to run verification on your VM.
### Prerequisites
* SSH access to your Confidential Compute VM
* Python 3.7 or later (pre-installed on your VM)
* Basic command line understanding
* 5 minutes to perform the initial set up
## Why does GPU verification matter?
### Trust, but Verify
When running sensitive workloads on **Confidential Computing (CC)** infrastructure, it is not enough to rely on a provider’s assurances. You need **cryptographic proof** that the hardware is authentic, correctly configured, and operating in a secure state.
GPU attestation provides independent verification that:
* **The GPUs are genuine NVIDIA hardware** - not counterfeit, emulated, or misrepresented.
* **Firmware is intact and unmodified** - ensuring no tampering with GPU software or drivers.
* **Confidential computing features are enabled** - confirming that CC mode is active and functioning properly.
* **Hardware measurements match expected “golden” values** - validating that the GPU’s state aligns with NVIDIA’s reference integrity manifests.
### Security and Compliance
GPU attestation is a foundational security mechanism for confidential computing environments. It helps ensure:
* **Zero-trust architecture** - trust no component by default, verify every claim cryptographically.
* **Regulatory and compliance adherence** - meet requirements that mandate hardware verification.
* **Data protection** - guarantee that sensitive workloads run only on validated, trustworthy hardware.
* **Clear auditability** - produce cryptographic evidence for stakeholders, security teams, and auditors.
### How It Works
Attestation relies on **cryptographic proofs** that cannot be falsified, forged or altered. The verification process follows a clear chain of checks:
```
Your VM → Collect GPU Evidence → Verify Certificates
→ Check Measurements
→ Validate Signatures
→ Result: Verified or Check Failed
```
**What gets verified:**
During attestation, the following elements are validated:
* **A four-level GPU certificate chain**, traced back to the NVIDIA Root Certificate Authority.
* **Certificate revocation status**, checked via OCSP to ensure no certificates have been revoked.
* **Driver firmware measurements**, consisting of 64 SHA-384 cryptographic hashes.
* **VBIOS firmware measurements**, consisting of 64 SHA-384 cryptographic hashes.
* **Digital signatures on all attestation evidence**, ensuring integrity and authenticity.
## What is GPU Attestation?
### Cryptographic Proof of Authenticity
GPU attestation is a cryptographic verification process rooted in **hardware-based trust**. It provides verifiable proof that a GPU is authentic, securely configured, and operating in a trusted state. Specifically, it validates four core properties:
Every NVIDIA GPU that supports Confidential Computing includes:
* A **unique hardware identity** permanently embedded in silicon during manufacturing.
* A **certificate chain** signed by NVIDIA’s Root Certificate Authority.
* **Cryptographic keys** stored in tamper-resistant hardware.
**What this proves:**\
The GPU is genuine NVIDIA hardware, produced by NVIDIA, and not counterfeit or emulated.
During attestation, the system:
* Measures all GPU firmware using **SHA-384 cryptographic hashes.**
* Compares measurements against NVIDIA’s **Reference Integrity Manifests (RIMs)**.
* Verifies the **digital signatures** on the RIM files.
**What this proves:**\
The GPU firmware has not been modified, tampered with, or compromised.
The verification process confirms that:
* **Confidential Computing (CC)** is enabled.
* **Protected PCIe (PPCIE)** is correctly configured.
* The GPU is operating in the **expected secure state**.
In this context, **CC** refers to the general concept of **Confidential Compute**, where the GPU operates in a secure, protected environment. This is different from **CC mode** (also referred to as `CC State`), which is a specific configuration within the GPU.
`CC State` cannot be enabled at the same time as **PPCIe**, the two modes are mutually exclusive.
`CC State` specifically refers to scenarios where a single GPU (or multiple GPUs that are **NOT** NVLink-connected) is passed through directly to a virtual machine.
**What this proves:**\
Confidential Computing features are actively enabled and functioning, not merely claimed.
**How CC and Protected PCIe (PPCIe) Work Together**
GPU confidentiality is controlled through **two independent mechanisms**:
* **CC (Confidential Compute / CC State)**
* **PPCIe (Protected PCIe)**
These settings determine *how* and *which* GPUs operate in confidential mode. Each GPU can have CC and PPCIe enabled or disabled independently, but only certain combinations are valid.
* **CC = OFF, PPCIe = OFF**\
No confidential computing is enabled.
* **CC = ON, PPCIe = OFF**\
Only a subset of GPUs is confidential. This mode is **NOT compatible with NVLink-connected GPUs**.
* **CC = OFF, PPCIe = ON**\
The **entire GPU set in the server, including NVLink connected GPUs**, operate in confidential mode.
*This is the configuration used in our recommended setup.*
* **CC = ON, PPCIe = ON**\
This is an invalid configuration. The virtual machine will either fail to boot or the CUDA drivers will not load.
Attestation uses a **nonce** (a cryptographic challenge) to:
* Prevent replay attacks.
* Ensure the evidence is current, not reused or pre-recorded.
* Confirm that measurements reflect the GPU’s **current state**.
**What this proves:**\
The attestation is happening in real time on this specific GPU.
### Official NVIDIA Technology
**GPU attestation is performed using NVIDIA’s official tooling:**
* **Package:** `nv-attestation-sdk` (official NVIDIA Python SDK)
* **Source:** PyPI (Python Package Index)
* **Version:** 2.6.3 (as of December 2025)
* **License:** Apache 2.0
* **Repository:** [https://github.com/NVIDIA/nvtrust](https://github.com/NVIDIA/nvtrust)
This is **not a third-party tool**. It is NVIDIA’s production-ready attestation framework, used by enterprise customers worldwide.
### Standards-Based Approach
NVIDIA GPU attestation is built on widely adopted industry standards:
* **SPDM (Security Protocol and Data Model):** Version 1.1 for device authentication.
* **X.509 PKI:** Standard public key infrastructure for certificates.
* **OCSP:** Online Certificate Status Protocol for revocation checks.
* **TCG standards:** Trusted Computing Group measurement and attestation specifications.
## Quick Reference
**One-time setup (approximately 2–3 minutes):**
```bash theme={null}
mkdir -p ~/gpu-verification && cd ~/gpu-verification
python3 -m venv venv
source venv/bin/activate
pip install --upgrade pip
pip install nv-attestation-sdk
# Create the verify_gpu.py script (refer to Step 5 of the GPU Attestation and Verification Guide)
```
**Run verification (approximately 30 seconds):**
```bash theme={null}
cd ~/gpu-verification
source venv/bin/activate
python3 verify_gpu.py
```
**Successful verification output:**
```
✅ VERIFICATION SUCCESSFUL
This system has X genuine NVIDIA GPU(s)
with Confidential Computing features enabled and operational.
```
For a more comprehensive guide for verifying your Confidential Compute VM, refer to the [GPU Attestation and Verification Guide](/guides/clouds/confidential-compute-attestation-guide).
### Key Points
* **Official NVIDIA tooling** - uses the NVIDIA-provided `nv-attestation-sdk`.
* **Cryptographic assurance** - verification cannot be forged or bypassed.
* **Comprehensive validation** - certificates, firmware measurements, and signatures are all verified.
* **Fast execution** - completes in approximately 30 seconds after initial setup.
* **Self-contained operation** - runs entirely within the virtual machine without external accounts.
### Next Steps
1. Complete the one-time setup.
2. Run GPU verification on the virtual machine.
3. Integrate verification into the security or deployment workflow.
4. Perform verification before processing sensitive workloads.
5. Contact support if verification fails.
## FAQs
**Recommended frequency:**
* **Daily:** Before processing sensitive or regulated workloads.
* **After system changes:** Following any reboot, update, or migration.
* **Initial provisioning:** When the virtual machine is first received.
* **Compliance requirements:** As dictated by organizational security policies.
**Why regular verification is important:**
* Detects firmware tampering or unauthorized modification.
* Confirms that *Confidential Computing* features remain enabled after updates.
* Provides a verifiable audit trail for compliance and governance.
**Yes.** Verification can be integrated into startup or pre-workload scripts.
```bash theme={null}
#!/bin/bash
# Example: Run verification before starting an application
cd ~/gpu-verification
source venv/bin/activate
python3 verify_gpu.py
if [ $? -eq 0 ]; then
echo "✅ Verification passed. Starting workload."
# Insert application startup commands here
else
echo "❌ Verification failed. Aborting startup."
exit 1
fi
```
**No.** Verification:
* Runs independently of GPU compute workloads.
* Typically completes within 30–60 seconds.
* Does not interfere with running applications.
* Can be executed while GPUs are performing other tasks.
**Immediate steps to follow:**
1. Retry the verification once, as failures may be caused by transient network issues.
2. Review system logs using `journalctl -xe`.
3. Confirm that the NVIDIA driver is installed and functioning using `nvidia-smi`.
4. Contact support and provide complete error messages and output.
Sensitive or confidential data should not be processed until verification succeeds.
**Yes.** This verification process uses:
* The official NVIDIA Python SDK (`nv-attestation-sdk`).
* The same verification logic used by NVIDIA enterprise customers.
* Reference Integrity Manifests and certificate chains served directly by NVIDIA.
* Industry-standard cryptographic validation mechanisms.
This is not a third-party tool. It is NVIDIA’s official, production-grade attestation solution.
The verification process validates the following components:
**Hardware**
* The GPU is genuine NVIDIA hardware, verified through a certificate chain to the NVIDIA Root Certificate Authority.
* The hardware identity matches the issued certificates.
* Certificates have not been revoked, as verified through OCSP.
**Firmware**
* Driver firmware measurements (64 SHA-384 cryptographic hashes).
* VBIOS firmware measurements (64 SHA-384 cryptographic hashes).
* Measurements match NVIDIA’s reference “golden” RIM values.
* All firmware and measurement signatures are cryptographically valid.
**Configuration**
* Confidential Computing mode is enabled.
* Protected PCIe (PPCIE) is correctly configured.
* The GPU ready state is operational.
**No.** Verification is based on strong cryptographic guarantees, including:
* A **hardware root of trust**, with cryptographic keys embedded in tamper-resistant silicon.
* **Certificate chains** signed by NVIDIA’s Root Certificate Authority, protected by NVIDIA’s private keys.
* **Cryptographic signatures** that cannot be forged without NVIDIA’s private keys.
* **Fresh nonces** that prevent replay of previously captured attestation results.
Even if the operating system is fully compromised, an attacker cannot:
* Forge NVIDIA’s digital signatures.
* Create certificates that successfully validate against the NVIDIA Root CA.
* Modify firmware measurements without detection.
* Bypass the hardware root of trust.
GPU attestation verifies GPU authenticity and configuration, but it DOES NOT validate:
* Hypervisor security or configuration.
* Host operating system security.
* Network isolation between virtual machines.
* Physical datacenter security.
* Guest operating system security within the VM.
**For comprehensive protection:**\
GPU attestation should be used as part of a defense-in-depth security strategy.
The verification tooling can be independently validated through the following means:
1. **Official NVIDIA package distribution:** Published on PyPI
```bash theme={null}
pip show nv-attestation-sdk
# Displays: nv-attestation-sdk 2.6.3
```
2. **Open-source implementation:** Publicly available for review
Repository: [https://github.com/NVIDIA/nvtrust](https://github.com/NVIDIA/nvtrust)
3. **Package signing:** Signed and distributed by NVIDIA
```bash theme={null}
pip show --verbose nv-attestation-sdk
```
4. **Checksum verification:** Validate package integrity
```bash theme={null}
pip hash nv-attestation-sdk
```
This is expected for nodes with **NVLink-connected GPUs**. CC State is only used when individual GPUs (or non-NVLink GPUs) are passed into a VM. Because NVLink-connected GPUs must be passed through **as a complete set**, CC State remains `OFF`.
For these nodes, confidentiality is provided through **Protected PCIe**, not `CC State`. You can confirm this by checking:
* `Multi-GPU Mode: Protected PCIe` → GPUs are running in confidential mode.
* `CPU CC Capabilities: INTEL TDX` → CPU is running in confidential mode.