GPU Claims#
Version 3.0#
Applicability: Attestation SDK C++ and Attestation SDK Python
Overall Claims
ID |
Claim |
Conditions for the Claim to be Valid |
Values |
---|---|---|---|
1 |
x-nvidia-ver |
Claims version |
String |
2 |
iss |
Claims Issuer |
String |
3 |
x-nvidia-overall-att-result |
This claim indicates if the overall attestation results is successful or failed. |
true / false |
4 |
sub |
Subject of the claims |
String |
5 |
eat_nonce |
Nonce used for the Attestation process |
String |
6 |
submods |
Contains the digest of a detached Claims-Set |
Object |
Detached Claims
ID |
Claim |
Conditions for the Claim to be Valid |
Values |
---|---|---|---|
1 |
x-nvidia-gpu-driver-rim-schema-validated |
The Driver RIM has been confirmed to be in accordance with the SWID schema |
true / false |
2 |
x-nvidia-gpu-vbios-rim-cert-chain { |
This claim indicates the following: |
Nested String Claims |
3 |
x-nvidia-gpu-attestation-report-cert-chain { |
This claim indicates the following: |
Nested String Claims |
4 |
x-nvidia-gpu-attestation-report-cert-chain-fwid-match |
This claim indicates if the FWID of the certificate matches with the Attestation report. |
true / false |
5 |
x-nvidia-gpu-attestation-report-parsed |
This claim indicates if the Attestation Report has been successfully parsed. |
true / false |
6 |
x-nvidia-gpu-driver-rim-signature-verified |
This claim indicates if the Driver RIM signature is verified. |
true / false |
7 |
x-nvidia-gpu-vbios-rim-signature-verified |
This claim indicates if the VBIOS RIM signature is verified. |
true / false |
8 |
x-nvidia-gpu-arch-check |
The GPU Architecture in the Attestation report is either AMPERE or HOPPER |
true / false |
9 |
x-nvidia-attestation-warning |
The Attestation warning message is populated when the certificate is revoked with reason “CERT_HOLD” |
true / false |
10 |
x-nvidia-gpu-attestation-report-signature-verified |
The signature on the Attestation report is verified. |
true / false |
11 |
x-nvidia-gpu-vbios-rim-schema-validated |
The vBIOS RIM has been confirmed to be in accordance with the swid schema |
true / false |
12 |
x-nvidia-gpu-driver-rim-cert-chain { |
This claim indicates the following: |
Nested String Claims |
13 |
x-nvidia-gpu-vbios-rim-measurements-available |
The VBIOS Reference Integrity Measurement (RIM) and the measurements within it were successfully interpreted and understood. |
true / false |
14 |
x-nvidia-gpu-driver-rim-measurements-available |
The driver Reference Integrity Measurement (RIM) and the measurements within it were successfully interpreted and understood. |
true / false |
15 |
x-nvidia-gpu-driver-version |
A string representing the GPU Driver Version e.g. 550.90.07. |
String |
16 |
x-nvidia-gpu-vbios-version |
A string representing the GPU vBIOS Version e.g. 96.00.9F.00.01 |
String |
17 |
measres |
The runtime measurements from the Reference Integrity Measurements (RIM) match the runtime measurements in the Attestation report. |
success / fail |
18 |
x-nvidia-gpu-attestation-report-nonce-match |
The nonce in the Attestation report matches with the initial input to the GPU while generating the report. |
true / false |
19 |
x-nvidia-gpu-driver-rim-fetched |
This field indicates if the verifier can fetch Driver RIM from RIM service. |
true / false |
20 |
x-nvidia-gpu-vbios-rim-fetched |
This field indicates if the verifier can fetch vBIOS RIM from RIM service. |
true / false |
21 |
x-nvidia-gpu-vbios-index-no-conflict |
This field indicates if both the driver and vbios RIM file does not have active measurement at the same index. |
true / false |
22 |
x-nvidia-gpu-driver-rim-version-match |
This field indicates if the driver rim file version matches the version fetched from the GPU information. |
true / false |
23 |
x-nvidia-gpu-vbios-rim-version-match |
This field indicates if the vbios rim file version matches the version fetched from the GPU information. |
true / false |
24 |
eat_nonce |
Nonce used for the Attestation process |
String |
25 |
hwmodel |
GPU Hardware Model |
String |
26 |
ueid |
Universal Entity Id |
String |
27 |
oemid |
Firmware Manufacture Id |
String |
28 |
iss |
EAT Token Issuer |
String |
29 |
secboot |
Indicates is Secure Boot is enabled or disabled |
true / false |
30 |
dbgstat |
Indicates is GPU Debug facilities are enabled or disabled |
enabled / disabled |
Version 2.0#
Applicability: Attestation SDK Python only
Overall Claims
ID |
Claim |
Conditions for the Claim to be Valid |
Values |
---|---|---|---|
1 |
x-nvidia-ver |
Claims version |
String |
2 |
iss |
Claims Issuer |
String |
3 |
x-nvidia-overall-att-result |
This claim indicates if the overall attestation results is successful or failed. |
true / false |
4 |
sub |
Subject of the claims |
String |
5 |
eat_nonce |
Nonce used for the Attestation process |
String |
6 |
submods |
Contains the digest of a detached Claims-Set |
Object |
Detached Claims
ID |
Claim |
Conditions for the Claim to be Valid |
Values |
---|---|---|---|
1 |
x-nvidia-gpu-driver-rim-schema-validated |
The Driver RIM has been confirmed to be in accordance with the SWID schema |
true / false |
2 |
x-nvidia-gpu-vbios-rim-cert-validated |
This claim indicates if the following checks completed successfully for vBIOS RIM: |
true / false |
3 |
x-nvidia-gpu-attestation-report-cert-chain-validated |
This claim indicates if the following checks completed successfully for Attestation report certificate chain: |
true / false |
4 |
x-nvidia-gpu-attestation-report-parsed |
This claim indicates if the Attestation Report has been successfully parsed. |
true / false |
5 |
x-nvidia-gpu-driver-rim-signature-verified |
For the claim to be valid, the following conditions must be met: |
true / false |
6 |
x-nvidia-gpu-vbios-rim-signature-verified |
For the claim to be valid, the following conditions must be met: |
true / false |
7 |
x-nvidia-gpu-arch-check |
The GPU Architecture in the Attestation report is either AMPERE or HOPPER |
true / false |
8 |
x-nvidia-attestation-warning |
The Attestation warning message is populated when the certificate is revoked with reason “CERT_HOLD” |
true / false |
9 |
x-nvidia-gpu-attestation-report-signature-verified |
The signature on the Attestation report is verified. |
true / false |
10 |
x-nvidia-gpu-vbios-rim-schema-validated |
The vBIOS RIM has been confirmed to be in accordance with the swid schema |
true / false |
11 |
x-nvidia-gpu-driver-rim-cert-validated |
This claim indicates if the following checks completed successfully for Driver RIM: |
true / false |
12 |
x-nvidia-gpu-vbios-rim-measurements-available |
The VBIOS Reference Integrity Measurement (RIM) and the measurements within it were successfully interpreted and understood. |
true / false |
13 |
x-nvidia-gpu-driver-rim-measurements-available |
The driver Reference Integrity Measurement (RIM) and the measurements within it were successfully interpreted and understood. |
true / false |
14 |
x-nvidia-gpu-driver-version |
A string representing the GPU Driver Version e.g. 550.90.07. |
String |
15 |
x-nvidia-gpu-vbios-version |
A string representing the GPU vBIOS Version e.g. 96.00.9F.00.01 |
String |
16 |
measres |
The runtime measurements from the Reference Integrity Measurements (RIM) match the runtime measurements in the Attestation report. |
success / fail |
17 |
x-nvidia-gpu-attestation-report-nonce-match |
The nonce in the Attestation report matches with the initial input to the GPU while generating the report. |
true / false |
18 |
x-nvidia-gpu-driver-rim-fetched |
This field indicates if the verifier can fetch Driver RIM from RIM service. |
true / false |
19 |
x-nvidia-gpu-vbios-rim-fetched |
This field indicates if the verifier can fetch vBIOS RIM from RIM service. |
true / false |
20 |
x-nvidia-gpu-vbios-index-no-conflict |
This field indicates if both the driver and vbios RIM file does not have active measurement at the same index. |
true / false |
21 |
eat_nonce |
Nonce used for the Attestation process |
String |
22 |
hwmodel |
GPU Hardware Model |
String |
23 |
ueid |
Universal Entity Id |
String |
24 |
oemid |
Firmware Manufacture Id |
String |
25 |
iss |
EAT Token Issuer |
String |
26 |
secboot |
Indicates is Secure Boot is enabled or disabled |
true / false |
27 |
dbgstat |
Indicates is GPU Debug facilities are enabled or disabled |
enabled / disabled |
Version 1.0#
Applicability: Attestation SDK Python only
Local Verifier#
# |
Claim Name |
Description |
Status |
---|---|---|---|
1 |
x-nv-gpu-cert-ocsp-nonce-match |
The nonce in the OCSP response message matches the one passed in the OCSP request message. |
true / false |
2 |
x-nv-gpu-ocsp-cert-chain-verified |
The OCSP response certificate chain verification succeeded for both RIM and Device certificates. |
true / false |
3 |
x-nv-gpu-ocsp-signature-verified |
The OCSP response signature verification succeeded for both RIM and Device certificates. |
true / false |
4 |
x-nv-gpu-cert-chain-verified |
The GPU Device certificate chain has been verified, and the FWID of the certificate matches the Attestation report. |
true / false |
5 |
x-nv-gpu-cert-check-complete |
This claim indicates that the following checks have been completed successfully for the Attestation report certificate chain: the certificate chain is valid, belongs to NVIDIA PKI, is not expired, and is not revoked. |
true / false |
6 |
x-nv-gpu-measurement-available |
This claim indicates that valid GPU measurements are available in the SPDM response message for Attestation. |
true / false |
7 |
x-nv-gpu-root-cert-available |
This claim indicates that the GPU root certificate is available for Attestation. |
true / false |
8 |
x-nv-gpu-info-fetched |
This claim indicates that at least one GPU information item has been fetched and is valid. |
true / false |
9 |
x-nv-gpu-available |
This claim indicates that at least one GPU is available for attestation. |
true / false |
10 |
x-nv-gpu-attestation-report-available |
This claim indicates that the GPU Attestation report has been fetched successfully. |
true / false |
11 |
x-nv-gpu-attestation-report-driver-version-match |
The driver version in the Attestation report matches the driver version fetched from the system. |
true / false |
12 |
x-nv-gpu-attestation-report-vbios-version-match |
The VBIOS version in the Attestation report matches the VBIOS version fetched from the system. |
true / false |
13 |
x-nv-gpu-attestation-report-verified |
This claim indicates that the Attestation report has been verified. Verification involves matching the nonce in the Attestation report with the one generated by the CC admin, matching the driver and VBIOS versions with the system, and performing signature verification of the report. |
true / false |
14 |
x-nv-gpu-driver-rim-schema-fetched |
This claim indicates whether the Driver RIM file has been fetched from the RIM Service. |
true / false |
15 |
x-nv-gpu-driver-rim-cert-extracted |
This claim indicates whether the verifier has extracted the driver RIM certificate from the RIM file. |
true / false |
16 |
x-nv-gpu-vbios-rim-cert-extracted |
This claim indicates whether the verifier has extracted the VBIOS RIM certificate from the RIM file. |
true / false |
17 |
x-nv-gpu-vbios-rim-driver-measurements-available |
The VBIOS Reference Integrity Measurement (RIM) and the measurements within it were successfully interpreted. |
true / false |
18 |
x-nv-gpu-driver-rim-driver-measurements-available |
The driver Reference Integrity Measurement (RIM) and the measurements within it were successfully interpreted. |
true / false |
19 |
x-nvidia-gpu-arch-check |
The GPU Architecture in the Attestation report is either AMPERE or HOPPER. |
true / false |
20 |
x-nvidia-gpu-driver-rim-signature-verified |
For the claim to be valid, the following conditions must be met: the driver RIM schema must be as expected, the driver RIM certificate chain must be verified, OCSP validation must pass for each certificate in the RIM certificate chain, and the driver RIM signature must be verified, with the driver version matching the one fetched from GPU info. |
true / false |
21 |
x-nvidia-gpu-vbios-rim-signature-verified |
For the claim to be valid, the following conditions must be met: the VBIOS RIM schema must be as expected, the VBIOS RIM certificate chain must be verified, OCSP validation must pass for each certificate in the RIM certificate chain, and the VBIOS RIM signature must be verified, with the VBIOS version matching the one fetched from GPU info. |
true / false |
22 |
x-nv-gpu-measurements-match |
The runtime measurements from the Reference Integrity Measurements (RIM) match the runtime measurements in the Attestation report. |
success / fail |
23 |
x-nvidia-gpu-attestation-report-parsed |
This claim indicates whether the Attestation report has been successfully parsed. |
true / false |
24 |
x-nv-gpu-nonce-match |
The nonce in the Attestation report matches the initial input to the GPU when generating the report. |
true / false |
25 |
x-nvidia-gpu-driver-rim-schema-validated |
The Driver RIM has been confirmed to be in accordance with the SWID schema. |
true / false |
26 |
x-nvidia-gpu-vbios-rim-fetched |
This field indicates whether the verifier can fetch the VBIOS RIM from the RIM service. |
true / false |
27 |
x-nvidia-gpu-vbios-rim-schema-validated |
The VBIOS RIM has been confirmed to be in accordance with the SWID schema. |
true / false |
28 |
x-nvidia-gpu-vbios-index-no-conflict |
This field indicates whether both the driver and VBIOS RIM files do not have active measurements at the same index. |
true / false |
29 |
x-nv-gpu-uuid |
UUID of the GPU. |
String |
Remote Verifier#
API: /v1/gpu
ID |
Claim |
Conditions for the Claim to be Valid |
Values |
---|---|---|---|
1 |
x-nvidia-gpu-driver-rim-schema-validated |
The Driver RIM has been confirmed to be in accordance with the swid schema |
true / false |
2 |
x-nvidia-gpu-vbios-rim-cert-validated |
This claim indicates if the following checks completed successfully for vBIOS RIM: |
true / false |
3 |
x-nvidia-gpu-attestation-report-cert-chain-validated |
This claim indicates if the following checks completed successfully for Attestation report certificate chain: |
true / false |
4 |
x-nvidia-gpu-driver-rim-schema-fetched |
This claim indicates if the verifier can fetch driver RIM from RIM service. |
true / false |
5 |
x-nvidia-gpu-attestation-report-parsed |
This claim indicates if the Attestation Report has been successfully parsed. |
true / false |
6 |
x-nvidia-gpu-nonce-match |
The nonce in the Attestation report matches with the initial input to the GPU while generating the report. |
true / false |
7 |
x-nvidia-gpu-driver-rim-signature-verified |
For the claim to be valid, the following conditions must be met: |
true / false |
8 |
x-nvidia-gpu-vbios-rim-signature-verified |
For the claim to be valid, the following conditions must be met: |
true / false |
9 |
x-nvidia-gpu-arch-check |
The GPU Architecture in the Attestation report is either AMPERE or HOPPER |
true / false |
10 |
x-nvidia-attestation-warning |
The Attestation warning message is populated when the certificate is revoked with reason “CERT_HOLD” |
true / false |
11 |
x-nvidia-gpu-measurements-match |
The runtime measurements from the Reference Integrity Measurements (RIM) match the runtime measurements in the Attestation report. |
true / false |
12 |
x-nvidia-gpu-attestation-report-signature-verified |
The signature on the Attestation report is verified. |
true / false |
13 |
x-nvidia-gpu-vbios-rim-schema-validated |
The vBIOS RIM has been confirmed to be in accordance with the swid schema |
true / false |
14 |
x-nvidia-gpu-driver-rim-cert-validated |
This claim indicates if the following checks completed successfully for Driver RIM: |
true / false |
15 |
x-nvidia-gpu-vbios-rim-schema-fetched |
This field indicates if the verifier can fetch vBIOS RIM from RIM service. |
true / false |
16 |
x-nvidia-gpu-vbios-rim-measurements-available |
The VBIOS Reference Integrity Measurement (RIM) and the measurements within it were successfully interpreted and understood. |
true / false |
17 |
x-nvidia-gpu-driver-rim-driver-measurements-available |
The driver Reference Integrity Measurement (RIM) and the measurements within it were successfully interpreted and understood. |
true / false |
18 |
x-nvidia-ver |
Claims version |
String |
19 |
iss |
Claims Issuer |
String |
20 |
sub |
Subject of the claims |
String |
21 |
secboot |
Indicates is Secure Boot is enabled or disabled |
true / false |
22 |
x-nvidia-gpu-manufacturer |
A String representing the GPU Manufacturer e.g. NVIDIA Corporation. |
String |
23 |
x-nvidia-attestation-type |
A string representing the type of Attestation e.g. GPU. |
String |
24 |
eat_nonce |
Nonce used for the Attestation process |
String |
25 |
x-nvidia-gpu-driver-version |
A string representing the GPU Driver Version e.g. 550.90.07. |
String |
26 |
x-nvidia-gpu-vbios-version |
A string representing the GPU vBIOS Version e.g. 96.00.9F.00.01 |
String |
27 |
dbgstat |
Indicates is GPU Debug facilities are enabled or disabled |
enabled / disabled |
28 |
hwmodel |
GPU Hardware Model |
String |
29 |
oemid |
Firmware Manufacture Id |
String |
30 |
ueid |
Universal Entity Id |
String |
31 |
measres |
The runtime measurements from the Reference Integrity Measurements (RIM) match the runtime measurements in the Attestation report. |
comparison-successful / comparison-fail |
32 |
x-nvidia-eat-ver |
EAT version for NVIDIA GPU Claims |
string |
34 |
x-nvidia-gpu-uuid |
UUID of the GPU. |
String |
35 |
x-nvidia-mismatch-measurement-records |
Mismatched measurement indices along with measurement value for runtime and golden measurements |
Object |
36 |
x-nvidia-mismatch-indexes |
List of indexes which have measurement mismatches |
Object |
Reporting an issue to Nvidia#
If the remediations above do not help users fix the problems, they can report their issues at NVIDIA/nvtrust#issues.