GPU Claims

Version 3.0

Applicability: Attestation SDK C++ and Attestation SDK Python

Overall Claims

| ID | Claim | Conditions for the Claim to be Valid | Values |
|---|---|---|---|
| 1 | x-nvidia-ver | Claims version | String |
| 2 | iss | Claims Issuer | String |
| 3 | x-nvidia-overall-att-result | This claim indicates whether the overall attestation result is successful or failed. | true / false |
| 4 | sub | Subject of the claims | String |
| 5 | eat_nonce | Nonce used for the Attestation process | String |
| 6 | submods | Contains the digest of a detached Claims-Set | Object |

Detached Claims

| ID | Claim | Conditions for the Claim to be Valid | Values |
|---|---|---|---|
| 1 | x-nvidia-gpu-driver-rim-schema-validated | The Driver RIM has been confirmed to be in accordance with the SWID schema. | true / false |
| 2 | x-nvidia-gpu-vbios-rim-cert-chain { "x-nvidia-cert-expiration-date": "DateinISO", "x-nvidia-cert-status": "CertStatus", "x-nvidia-cert-ocsp-status": "OCSPStatus", "x-nvidia-cert-revocation-reason": "RevocationReason" } | This claim indicates the following: 1. Expiration date: the certificate's expiration date in ISO 8601 format. 2. VBIOS RIM certificate status: a. valid - The certificate is valid and not expired or revoked; b. expired - The certificate has expired; c. invalid - The certificate is not valid or unknown; d. revoked - The certificate has been revoked. 3. VBIOS RIM cert OCSP status - good, revoked, unknown. 4. Revocation Reason: If the VBIOS RIM certificate is revoked, this field contains the revocation reason. | Nested String Claims |
| 3 | x-nvidia-gpu-attestation-report-cert-chain { "x-nvidia-cert-expiration-date": "DateinISO", "x-nvidia-cert-status": "CertStatus", "x-nvidia-cert-ocsp-status": "OCSPStatus", "x-nvidia-cert-revocation-reason": "RevocationReason" } | This claim indicates the following: 1. Expiration date: the certificate's expiration date in ISO 8601 format. 2. Attestation report certificate status: a. valid - The certificate is valid and not expired or revoked; b. expired - The certificate has expired; c. invalid - The certificate is not valid or unknown; d. revoked - The certificate has been revoked. 3. Attestation report cert OCSP status - good, revoked, unknown. 4. Revocation Reason: If the attestation report certificate is revoked, this field contains the revocation reason. | Nested String Claims |
| 4 | x-nvidia-gpu-attestation-report-cert-chain-fwid-match | This claim indicates if the FWID of the certificate matches the Attestation report. | true / false |
| 5 | x-nvidia-gpu-attestation-report-parsed | This claim indicates if the Attestation Report has been successfully parsed. | true / false |
| 6 | x-nvidia-gpu-driver-rim-signature-verified | This claim indicates if the Driver RIM signature is verified. | true / false |
| 7 | x-nvidia-gpu-vbios-rim-signature-verified | This claim indicates if the VBIOS RIM signature is verified. | true / false |
| 8 | x-nvidia-gpu-arch-check | The GPU Architecture in the Attestation report is either AMPERE or HOPPER. | true / false |
| 9 | x-nvidia-attestation-warning | The Attestation warning message is populated when the certificate is revoked with reason "CERT_HOLD". | true / false |
| 10 | x-nvidia-gpu-attestation-report-signature-verified | The signature on the Attestation report is verified. | true / false |
| 11 | x-nvidia-gpu-vbios-rim-schema-validated | The vBIOS RIM has been confirmed to be in accordance with the SWID schema. | true / false |
| 12 | x-nvidia-gpu-driver-rim-cert-chain { "x-nvidia-cert-expiration-date": "DateinISO", "x-nvidia-cert-status": "CertStatus", "x-nvidia-cert-ocsp-status": "OCSPStatus", "x-nvidia-cert-revocation-reason": "RevocationReason" } | This claim indicates the following: 1. Expiration date: the certificate's expiration date in ISO 8601 format. 2. Driver RIM certificate status: a. valid - The certificate is valid and not expired or revoked; b. expired - The certificate has expired; c. invalid - The certificate is not valid or unknown; d. revoked - The certificate has been revoked. 3. Driver RIM cert OCSP status - good, revoked, unknown. 4. Revocation Reason: If the driver RIM certificate is revoked, this field contains the revocation reason. | Nested String Claims |
| 13 | x-nvidia-gpu-vbios-rim-measurements-available | The VBIOS Reference Integrity Measurement (RIM) and the measurements within it were successfully interpreted and understood. | true / false |
| 14 | x-nvidia-gpu-driver-rim-measurements-available | The driver Reference Integrity Measurement (RIM) and the measurements within it were successfully interpreted and understood. | true / false |
| 15 | x-nvidia-gpu-driver-version | A string representing the GPU Driver Version, e.g. 550.90.07. | String |
| 16 | x-nvidia-gpu-vbios-version | A string representing the GPU vBIOS Version, e.g. 96.00.9F.00.01. | String |
| 17 | measres | The runtime measurements from the Reference Integrity Measurements (RIM) match the runtime measurements in the Attestation report. | success / fail |
| 18 | x-nvidia-gpu-attestation-report-nonce-match | The nonce in the Attestation report matches the initial input to the GPU while generating the report. | true / false |
| 19 | x-nvidia-gpu-driver-rim-fetched | This field indicates if the verifier can fetch the Driver RIM from the RIM service. | true / false |
| 20 | x-nvidia-gpu-vbios-rim-fetched | This field indicates if the verifier can fetch the vBIOS RIM from the RIM service. | true / false |
| 21 | x-nvidia-gpu-vbios-index-no-conflict | This field indicates if the driver and VBIOS RIM files do not have an active measurement at the same index. | true / false |
| 22 | x-nvidia-gpu-driver-rim-version-match | This field indicates if the driver RIM file version matches the version fetched from the GPU information. | true / false |
| 23 | x-nvidia-gpu-vbios-rim-version-match | This field indicates if the VBIOS RIM file version matches the version fetched from the GPU information. | true / false |
| 24 | eat_nonce | Nonce used for the Attestation process | String |
| 25 | hwmodel | GPU Hardware Model | String |
| 26 | ueid | Universal Entity Id | String |
| 27 | oemid | Firmware Manufacturer Id | String |
| 28 | iss | EAT Token Issuer | String |
| 29 | secboot | Indicates if Secure Boot is enabled or disabled | true / false |
| 30 | dbgstat | Indicates if GPU Debug facilities are enabled or disabled | enabled / disabled |
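One way a relying party could apply a fail-closed policy to a Version 3.0 detached claims set, shown as an added Python example that is not part of the NVIDIA Attestation SDK. It assumes the token signature was already verified, that true / false claims arrive as JSON booleans, and that requiring every check (plus debug disabled) is the deployment's own policy; `appraise_gpu_claims` and `sample_claims` are hypothetical names.

```python
import hmac

# Boolean claims from the Version 3.0 detached claims table that must be true.
REQUIRED_TRUE = [
    "secboot",
    "x-nvidia-gpu-arch-check",
    "x-nvidia-gpu-vbios-index-no-conflict",
    *(f"x-nvidia-gpu-attestation-report-{s}" for s in (
        "parsed", "signature-verified", "nonce-match", "cert-chain-fwid-match")),
    *(f"x-nvidia-gpu-{rim}-rim-{s}" for rim in ("driver", "vbios") for s in (
        "fetched", "schema-validated", "signature-verified",
        "version-match", "measurements-available")),
]
# Nested claims: each certificate chain reports its own status fields.
CERT_CHAINS = [
    "x-nvidia-gpu-attestation-report-cert-chain",
    "x-nvidia-gpu-driver-rim-cert-chain",
    "x-nvidia-gpu-vbios-rim-cert-chain",
]
# String-valued claims and the only value this policy accepts for each.
REQUIRED_VALUE = {"measres": "success", "dbgstat": "disabled"}


def appraise_gpu_claims(claims, expected_nonce):
    """Return a list of policy violations; an empty list means the GPU passes."""
    failures = []
    for name in REQUIRED_TRUE:
        # "is not True" also rejects a missing claim and the string "true".
        if claims.get(name) is not True:
            failures.append(f"{name}: expected true, got {claims.get(name)!r}")
    for name in CERT_CHAINS:
        chain = claims.get(name)
        if not isinstance(chain, dict):
            failures.append(f"{name}: missing or not an object")
            continue
        for field, good in (("x-nvidia-cert-status", "valid"),
                            ("x-nvidia-cert-ocsp-status", "good")):
            if chain.get(field) != good:
                failures.append(f"{name}.{field}: got {chain.get(field)!r}")
    for name, good in REQUIRED_VALUE.items():
        if claims.get(name) != good:
            failures.append(f"{name}: expected {good!r}, got {claims.get(name)!r}")
    # Freshness: the token must echo the nonce this relying party issued.
    nonce = claims.get("eat_nonce")
    if not isinstance(nonce, str) or not hmac.compare_digest(
            nonce.encode(), expected_nonce.encode()):
        failures.append("eat_nonce: does not match the issued nonce")
    return failures


def sample_claims(nonce):
    """Constructed claims set (not real SDK output) in which every check passes."""
    chain = {"x-nvidia-cert-expiration-date": "2030-01-01T00:00:00Z",
             "x-nvidia-cert-status": "valid",
             "x-nvidia-cert-ocsp-status": "good"}
    claims = {name: True for name in REQUIRED_TRUE}
    claims.update({name: dict(chain) for name in CERT_CHAINS})
    claims.update(REQUIRED_VALUE, eat_nonce=nonce)
    return claims


if __name__ == "__main__":
    claims = sample_claims("constructed-nonce")
    claims["x-nvidia-gpu-driver-rim-cert-chain"]["x-nvidia-cert-status"] = "revoked"
    print(appraise_gpu_claims(claims, "constructed-nonce"))
```

Returning the full list of violations, rather than stopping at the first, gives operators the complete picture when a GPU is rejected.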

Version 2.0

Applicability: Attestation SDK Python only

Overall Claims

| ID | Claim | Conditions for the Claim to be Valid | Values |
|---|---|---|---|
| 1 | x-nvidia-ver | Claims version | String |
| 2 | iss | Claims Issuer | String |
| 3 | x-nvidia-overall-att-result | This claim indicates whether the overall attestation result is successful or failed. | true / false |
| 4 | sub | Subject of the claims | String |
| 5 | eat_nonce | Nonce used for the Attestation process | String |
| 6 | submods | Contains the digest of a detached Claims-Set | Object |

Detached Claims

| ID | Claim | Conditions for the Claim to be Valid | Values |
|---|---|---|---|
| 1 | x-nvidia-gpu-driver-rim-schema-validated | The Driver RIM has been confirmed to be in accordance with the SWID schema. | true / false |
| 2 | x-nvidia-gpu-vbios-rim-cert-validated | This claim indicates if the following checks completed successfully for the vBIOS RIM: 1. Certificate chain is valid. 2. Certificate chain belongs to NVIDIA PKI. 3. Certificate is not expired. 4. Certificate is not revoked. | true / false |
| 3 | x-nvidia-gpu-attestation-report-cert-chain-validated | This claim indicates if the following checks completed successfully for the Attestation report certificate chain: 1. Certificate chain is valid. 2. Certificate chain belongs to NVIDIA PKI. 3. Certificate is not expired. 4. Certificate is not revoked. 5. FWID of the certificate matches the Attestation report. | true / false |
| 4 | x-nvidia-gpu-attestation-report-parsed | This claim indicates if the Attestation Report has been successfully parsed. | true / false |
| 5 | x-nvidia-gpu-driver-rim-signature-verified | For the claim to be valid, the following conditions must be met: 1. The driver RIM schema must be as expected. 2. The driver RIM certificate chain must be verified. 3. OCSP validation must pass for each certificate in the RIM certificate chain. 4. The driver RIM signature must be verified, and the driver version must match the version fetched from the GPU information. | true / false |
| 6 | x-nvidia-gpu-vbios-rim-signature-verified | For the claim to be valid, the following conditions must be met: 1. The VBIOS RIM schema must be as expected. 2. The VBIOS RIM certificate chain must be verified. 3. OCSP validation must pass for each certificate in the RIM certificate chain. 4. The VBIOS RIM signature must be verified, and the VBIOS version must match the version fetched from the GPU information. | true / false |
| 7 | x-nvidia-gpu-arch-check | The GPU Architecture in the Attestation report is either AMPERE or HOPPER. | true / false |
| 8 | x-nvidia-attestation-warning | The Attestation warning message is populated when the certificate is revoked with reason "CERT_HOLD". | true / false |
| 9 | x-nvidia-gpu-attestation-report-signature-verified | The signature on the Attestation report is verified. | true / false |
| 10 | x-nvidia-gpu-vbios-rim-schema-validated | The vBIOS RIM has been confirmed to be in accordance with the SWID schema. | true / false |
| 11 | x-nvidia-gpu-driver-rim-cert-validated | This claim indicates if the following checks completed successfully for the Driver RIM: 1. Certificate chain is valid. 2. Certificate chain belongs to NVIDIA PKI. 3. Certificate is not expired. 4. Certificate is not revoked. | true / false |
| 12 | x-nvidia-gpu-vbios-rim-measurements-available | The VBIOS Reference Integrity Measurement (RIM) and the measurements within it were successfully interpreted and understood. | true / false |
| 13 | x-nvidia-gpu-driver-rim-measurements-available | The driver Reference Integrity Measurement (RIM) and the measurements within it were successfully interpreted and understood. | true / false |
| 14 | x-nvidia-gpu-driver-version | A string representing the GPU Driver Version, e.g. 550.90.07. | String |
| 15 | x-nvidia-gpu-vbios-version | A string representing the GPU vBIOS Version, e.g. 96.00.9F.00.01. | String |
| 16 | measres | The runtime measurements from the Reference Integrity Measurements (RIM) match the runtime measurements in the Attestation report. | success / fail |
| 17 | x-nvidia-gpu-attestation-report-nonce-match | The nonce in the Attestation report matches the initial input to the GPU while generating the report. | true / false |
| 18 | x-nvidia-gpu-driver-rim-fetched | This field indicates if the verifier can fetch the Driver RIM from the RIM service. | true / false |
| 19 | x-nvidia-gpu-vbios-rim-fetched | This field indicates if the verifier can fetch the vBIOS RIM from the RIM service. | true / false |
| 20 | x-nvidia-gpu-vbios-index-no-conflict | This field indicates if the driver and VBIOS RIM files do not have an active measurement at the same index. | true / false |
| 21 | eat_nonce | Nonce used for the Attestation process | String |
| 22 | hwmodel | GPU Hardware Model | String |
| 23 | ueid | Universal Entity Id | String |
| 24 | oemid | Firmware Manufacturer Id | String |
| 25 | iss | EAT Token Issuer | String |
| 26 | secboot | Indicates if Secure Boot is enabled or disabled | true / false |
| 27 | dbgstat | Indicates if GPU Debug facilities are enabled or disabled | enabled / disabled |

Version 1.0

Applicability: Attestation SDK Python only

Local Verifier

| # | Claim Name | Description | Status |
|---|---|---|---|
| 1 | x-nv-gpu-cert-ocsp-nonce-match | The nonce in the OCSP response message matches the one passed in the OCSP request message. | true / false |
| 2 | x-nv-gpu-ocsp-cert-chain-verified | The OCSP response certificate chain verification succeeded for both RIM and Device certificates. | true / false |
| 3 | x-nv-gpu-ocsp-signature-verified | The OCSP response signature verification succeeded for both RIM and Device certificates. | true / false |
| 4 | x-nv-gpu-cert-chain-verified | The GPU Device certificate chain has been verified, and the FWID of the certificate matches the Attestation report. | true / false |
| 5 | x-nv-gpu-cert-check-complete | This claim indicates that the following checks have been completed successfully for the Attestation report certificate chain: the certificate chain is valid, belongs to NVIDIA PKI, is not expired, and is not revoked. | true / false |
| 6 | x-nv-gpu-measurement-available | This claim indicates that valid GPU measurements are available in the SPDM response message for Attestation. | true / false |
| 7 | x-nv-gpu-root-cert-available | This claim indicates that the GPU root certificate is available for Attestation. | true / false |
| 8 | x-nv-gpu-info-fetched | This claim indicates that at least one GPU information item has been fetched and is valid. | true / false |
| 9 | x-nv-gpu-available | This claim indicates that at least one GPU is available for attestation. | true / false |
| 10 | x-nv-gpu-attestation-report-available | This claim indicates that the GPU Attestation report has been fetched successfully. | true / false |
| 11 | x-nv-gpu-attestation-report-driver-version-match | The driver version in the Attestation report matches the driver version fetched from the system. | true / false |
| 12 | x-nv-gpu-attestation-report-vbios-version-match | The VBIOS version in the Attestation report matches the VBIOS version fetched from the system. | true / false |
| 13 | x-nv-gpu-attestation-report-verified | This claim indicates that the Attestation report has been verified. Verification involves matching the nonce in the Attestation report with the one generated by the CC admin, matching the driver and VBIOS versions with the system, and performing signature verification of the report. | true / false |
| 14 | x-nv-gpu-driver-rim-schema-fetched | This claim indicates whether the Driver RIM file has been fetched from the RIM Service. | true / false |
| 15 | x-nv-gpu-driver-rim-cert-extracted | This claim indicates whether the verifier has extracted the driver RIM certificate from the RIM file. | true / false |
| 16 | x-nv-gpu-vbios-rim-cert-extracted | This claim indicates whether the verifier has extracted the VBIOS RIM certificate from the RIM file. | true / false |
| 17 | x-nv-gpu-vbios-rim-driver-measurements-available | The VBIOS Reference Integrity Measurement (RIM) and the measurements within it were successfully interpreted. | true / false |
| 18 | x-nv-gpu-driver-rim-driver-measurements-available | The driver Reference Integrity Measurement (RIM) and the measurements within it were successfully interpreted. | true / false |
| 19 | x-nvidia-gpu-arch-check | The GPU Architecture in the Attestation report is either AMPERE or HOPPER. | true / false |
| 20 | x-nvidia-gpu-driver-rim-signature-verified | For the claim to be valid, the following conditions must be met: the driver RIM schema must be as expected, the driver RIM certificate chain must be verified, OCSP validation must pass for each certificate in the RIM certificate chain, and the driver RIM signature must be verified, with the driver version matching the one fetched from GPU info. | true / false |
| 21 | x-nvidia-gpu-vbios-rim-signature-verified | For the claim to be valid, the following conditions must be met: the VBIOS RIM schema must be as expected, the VBIOS RIM certificate chain must be verified, OCSP validation must pass for each certificate in the RIM certificate chain, and the VBIOS RIM signature must be verified, with the VBIOS version matching the one fetched from GPU info. | true / false |
| 22 | x-nv-gpu-measurements-match | The runtime measurements from the Reference Integrity Measurements (RIM) match the runtime measurements in the Attestation report. | success / fail |
| 23 | x-nvidia-gpu-attestation-report-parsed | This claim indicates whether the Attestation report has been successfully parsed. | true / false |
| 24 | x-nv-gpu-nonce-match | The nonce in the Attestation report matches the initial input to the GPU when generating the report. | true / false |
| 25 | x-nvidia-gpu-driver-rim-schema-validated | The Driver RIM has been confirmed to be in accordance with the SWID schema. | true / false |
| 26 | x-nvidia-gpu-vbios-rim-fetched | This field indicates whether the verifier can fetch the VBIOS RIM from the RIM service. | true / false |
| 27 | x-nvidia-gpu-vbios-rim-schema-validated | The VBIOS RIM has been confirmed to be in accordance with the SWID schema. | true / false |
| 28 | x-nvidia-gpu-vbios-index-no-conflict | This field indicates whether both the driver and VBIOS RIM files do not have active measurements at the same index. | true / false |
| 29 | x-nv-gpu-uuid | UUID of the GPU. | String |

Remote Verifier

API: /v1/gpu

| ID | Claim | Conditions for the Claim to be Valid | Values |
|---|---|---|---|
| 1 | x-nvidia-gpu-driver-rim-schema-validated | The Driver RIM has been confirmed to be in accordance with the SWID schema. | true / false |
| 2 | x-nvidia-gpu-vbios-rim-cert-validated | This claim indicates if the following checks completed successfully for the vBIOS RIM: 1. Certificate chain is valid. 2. Certificate chain belongs to NVIDIA PKI. 3. Certificate is not expired. 4. Certificate is not revoked. | true / false |
| 3 | x-nvidia-gpu-attestation-report-cert-chain-validated | This claim indicates if the following checks completed successfully for the Attestation report certificate chain: 1. Certificate chain is valid. 2. Certificate chain belongs to NVIDIA PKI. 3. Certificate is not expired. 4. Certificate is not revoked. 5. FWID of the certificate matches the Attestation report. | true / false |
| 4 | x-nvidia-gpu-driver-rim-schema-fetched | This claim indicates if the verifier can fetch the driver RIM from the RIM service. | true / false |
| 5 | x-nvidia-gpu-attestation-report-parsed | This claim indicates if the Attestation Report has been successfully parsed. | true / false |
| 6 | x-nvidia-gpu-nonce-match | The nonce in the Attestation report matches the initial input to the GPU while generating the report. | true / false |
| 7 | x-nvidia-gpu-driver-rim-signature-verified | For the claim to be valid, the following conditions must be met: 1. The driver RIM schema must be as expected. 2. The driver RIM certificate chain must be verified. 3. OCSP validation must pass for each certificate in the RIM certificate chain. 4. The driver RIM signature must be verified, and the driver version must match the version fetched from the GPU information. | true / false |
| 8 | x-nvidia-gpu-vbios-rim-signature-verified | For the claim to be valid, the following conditions must be met: 1. The VBIOS RIM schema must be as expected. 2. The VBIOS RIM certificate chain must be verified. 3. OCSP validation must pass for each certificate in the RIM certificate chain. 4. The VBIOS RIM signature must be verified, and the VBIOS version must match the version fetched from the GPU information. | true / false |
| 9 | x-nvidia-gpu-arch-check | The GPU Architecture in the Attestation report is either AMPERE or HOPPER. | true / false |
| 10 | x-nvidia-attestation-warning | The Attestation warning message is populated when the certificate is revoked with reason "CERT_HOLD". | true / false |
| 11 | x-nvidia-gpu-measurements-match | The runtime measurements from the Reference Integrity Measurements (RIM) match the runtime measurements in the Attestation report. | true / false |
| 12 | x-nvidia-gpu-attestation-report-signature-verified | The signature on the Attestation report is verified. | true / false |
| 13 | x-nvidia-gpu-vbios-rim-schema-validated | The vBIOS RIM has been confirmed to be in accordance with the SWID schema. | true / false |
| 14 | x-nvidia-gpu-driver-rim-cert-validated | This claim indicates if the following checks completed successfully for the Driver RIM: 1. Certificate chain is valid. 2. Certificate chain belongs to NVIDIA PKI. 3. Certificate is not expired. 4. Certificate is not revoked. | true / false |
| 15 | x-nvidia-gpu-vbios-rim-schema-fetched | This field indicates if the verifier can fetch the vBIOS RIM from the RIM service. | true / false |
| 16 | x-nvidia-gpu-vbios-rim-measurements-available | The VBIOS Reference Integrity Measurement (RIM) and the measurements within it were successfully interpreted and understood. | true / false |
| 17 | x-nvidia-gpu-driver-rim-driver-measurements-available | The driver Reference Integrity Measurement (RIM) and the measurements within it were successfully interpreted and understood. | true / false |
| 18 | x-nvidia-ver | Claims version | String |
| 19 | iss | Claims Issuer | String |
| 20 | sub | Subject of the claims | String |
| 21 | secboot | Indicates if Secure Boot is enabled or disabled | true / false |
| 22 | x-nvidia-gpu-manufacturer | A string representing the GPU Manufacturer, e.g. NVIDIA Corporation. | String |
| 23 | x-nvidia-attestation-type | A string representing the type of Attestation, e.g. GPU. | String |
| 24 | eat_nonce | Nonce used for the Attestation process | String |
| 25 | x-nvidia-gpu-driver-version | A string representing the GPU Driver Version, e.g. 550.90.07. | String |
| 26 | x-nvidia-gpu-vbios-version | A string representing the GPU vBIOS Version, e.g. 96.00.9F.00.01. | String |
| 27 | dbgstat | Indicates if GPU Debug facilities are enabled or disabled | enabled / disabled |
| 28 | hwmodel | GPU Hardware Model | String |
| 29 | oemid | Firmware Manufacturer Id | String |
| 30 | ueid | Universal Entity Id | String |
| 31 | measres | The runtime measurements from the Reference Integrity Measurements (RIM) match the runtime measurements in the Attestation report. | comparison-successful / comparison-fail |
| 32 | x-nvidia-eat-ver | EAT version for NVIDIA GPU Claims | String |
| 34 | x-nvidia-gpu-uuid | UUID of the GPU. | String |
| 35 | x-nvidia-mismatch-measurement-records | Mismatched measurement indices along with the measurement values for runtime and golden measurements | Object |
| 36 | x-nvidia-mismatch-indexes | List of indexes which have measurement mismatches | Object |

Reporting an issue to NVIDIA

If the remediations above do not help users fix the problems, they can report their issues at NVIDIA/nvtrust#issues.