nvSwitch Claims

Both Local and Remote nvSwitch verifiers will create the following claims:

Version 3.0

Applicability: Attestation SDK CPP, Attestation SDK Python and NVIDIA Remote Attestation Service

Overall Claims

| ID | Claim | Conditions for the Claim to be Valid | Values |
|----|-------|--------------------------------------|--------|
| 1 | x-nvidia-ver | Claims version | String |
| 2 | iss | Claims Issuer | String |
| 3 | x-nvidia-overall-att-result | This claim indicates if the overall attestation result is successful or failed. | true / false |
| 4 | sub | Subject of the claims | String |
| 5 | eat_nonce | Nonce used for the Attestation process | String |
| 6 | submods | Contains the digest of a detached Claims-Set | Object |

Detached Claims

| ID | Claim | Conditions for the Claim to be Valid | Values |
|----|-------|--------------------------------------|--------|
| 1 | x-nvidia-switch-arch-check | The switch architecture in the attestation report, e.g. LS10 | String |
| 2 | measres | The runtime measurements from the Reference Integrity Measurements (RIM) match the runtime measurements in the attestation report. | success / fail |
| 3 | x-nvidia-switch-bios-version | A string representing the switch BIOS version, e.g. 96.00.9F.00.01 | String |
| 4 | x-nvidia-switch-attestation-report-cert-chain | Nested object; its fields are described after this table. | Nested Claims |
| 5 | x-nvidia-switch-attestation-report-cert-chain-fwid-match | This claim indicates if the FWID of the certificate matches the attestation report. | true / false |
| 6 | x-nvidia-switch-bios-rim-cert-chain | Nested object; its fields are described after this table. | Nested Claims |
| 7 | x-nvidia-switch-bios-rim-version-match | This field indicates if the VBIOS RIM file version matches the version fetched from the switch information. | true / false |
| 8 | x-nvidia-switch-attestation-report-parsed | This claim indicates if the attestation report has been successfully parsed. | true / false |
| 9 | x-nvidia-switch-attestation-report-nonce-match | The nonce in the attestation report matches the initial input to the switch while generating the report. | true / false |
| 10 | x-nvidia-switch-attestation-report-signature-verified | The signature on the attestation report is verified. | true / false |
| 11 | x-nvidia-switch-bios-rim-fetched | This field indicates if the verifier can fetch the BIOS RIM from the RIM service. | true / false |
| 12 | x-nvidia-switch-bios-rim-schema-validated | The BIOS RIM has been confirmed to be in accordance with the SWID schema. | true / false |
| 13 | x-nvidia-switch-bios-rim-signature-verified | This claim indicates if the VBIOS RIM signature is verified. | true / false |
| 14 | x-nvidia-switch-bios-rim-measurements-available | The BIOS Reference Integrity Measurement (RIM) and the measurements within it were successfully interpreted and understood. | true / false |
| 15 | eat_nonce | Nonce used for the Attestation process | String |
| 16 | hwmodel | Switch hardware model | String |
| 17 | ueid | Universal Entity ID | String |
| 18 | oemid | Firmware Manufacturer ID | String |
| 19 | iss | EAT token issuer | String |
| 20 | x-nvidia-switch-pdi | NVSwitch physical data interface ID (optional) | String |
| 21 | x-nvidia-switch-gpu-pdis | Unique physical data interfaces from NVSwitches to GPUs (optional) | Array of Strings |
| 22 | secboot | Indicates if Secure Boot is enabled or disabled | true / false |
| 23 | dbgstat | Indicates if NVSwitch debug facilities are enabled or disabled | enabled / disabled |

Nested claims of x-nvidia-switch-attestation-report-cert-chain (ID 4):

```
x-nvidia-switch-attestation-report-cert-chain {
    "x-nvidia-cert-expiration-date": "DateinISO",
    "x-nvidia-cert-status": "CertStatus",
    "x-nvidia-cert-ocsp-status": "OCSPStatus",
    "x-nvidia-cert-ocsp-nonce-matches": true/false,
    "x-nvidia-cert-ocsp-response-valid": true/false,
    "x-nvidia-cert-revocation-reason": "RevocationReason"
}
```

This claim indicates the following:

1. Expiration date: This field indicates the certificate's expiration date in ISO 8601 format.
2. Attestation report certificate status:
   a. valid - The certificate is valid and not expired or revoked
   b. expired - The certificate has expired
   c. invalid - The certificate is not valid or unknown
   d. revoked - The certificate has been revoked
3. Attestation report cert OCSP status - good, revoked, unknown
4. OCSP Nonce Matches: This field indicates if the nonce in the OCSP response matches the nonce sent in the OCSP request for all certificates in the attestation report certificate chain. This ensures the OCSP response is fresh and not a replay of a previous response.
5. OCSP Response Valid: This field indicates if the OCSP response is cryptographically valid, i.e., the OCSP responder's signature has been verified and the responder is trusted for all certificates in the attestation report certificate chain.
6. Revocation Reason: If the attestation report certificate is revoked, this field contains the revocation reason.

Nested claims of x-nvidia-switch-bios-rim-cert-chain (ID 6):

```
x-nvidia-switch-bios-rim-cert-chain {
    "x-nvidia-cert-expiration-date": "DateinISO",
    "x-nvidia-cert-status": "CertStatus",
    "x-nvidia-cert-ocsp-status": "OCSPStatus",
    "x-nvidia-cert-ocsp-nonce-matches": true/false,
    "x-nvidia-cert-ocsp-response-valid": true/false,
    "x-nvidia-cert-revocation-reason": "RevocationReason"
}
```

This claim indicates the following:

1. Expiration date: This field indicates the certificate's expiration date in ISO 8601 format.
2. BIOS RIM certificate status:
   a. valid - The certificate is valid and not expired or revoked
   b. expired - The certificate has expired
   c. invalid - The certificate is not valid or unknown
   d. revoked - The certificate has been revoked
3. BIOS RIM cert OCSP status - good, revoked, unknown
4. OCSP Nonce Matches: This field indicates if the nonce in the OCSP response matches the nonce sent in the OCSP request for all certificates in the BIOS RIM certificate chain. This ensures the OCSP response is fresh and not a replay of a previous response.
5. OCSP Response Valid: This field indicates if the OCSP response is cryptographically valid, i.e., the OCSP responder's signature has been verified and the responder is trusted for all certificates in the BIOS RIM certificate chain.
6. Revocation Reason: If the BIOS RIM certificate is revoked, this field contains the revocation reason.
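
A relying party still has to decide which of the Version 3.0 detached claims it requires before trusting a switch. The following added example (not NVIDIA SDK code) applies a fail-closed policy to a claims set whose token signature is assumed to be already verified; the function names, the sample values, and the choice of which claims are mandatory are assumptions.

```python
# Added example: claim names and value sets come from the Version 3.0 tables;
# the policy (what is mandatory, fail-closed handling) is an assumption.
TRUE_CLAIMS = (
    "secboot",
    "x-nvidia-switch-attestation-report-parsed",
    "x-nvidia-switch-attestation-report-nonce-match",
    "x-nvidia-switch-attestation-report-signature-verified",
    "x-nvidia-switch-attestation-report-cert-chain-fwid-match",
    "x-nvidia-switch-bios-rim-fetched",
    "x-nvidia-switch-bios-rim-schema-validated",
    "x-nvidia-switch-bios-rim-signature-verified",
    "x-nvidia-switch-bios-rim-version-match",
    "x-nvidia-switch-bios-rim-measurements-available",
)
EXPECTED = {**dict.fromkeys(TRUE_CLAIMS, True), "measres": "success", "dbgstat": "disabled"}
CHAIN_EXPECTED = {
    "x-nvidia-cert-status": "valid",
    "x-nvidia-cert-ocsp-status": "good",
    "x-nvidia-cert-ocsp-nonce-matches": True,   # False means a possibly replayed OCSP response
    "x-nvidia-cert-ocsp-response-valid": True,
}
CERT_CHAINS = ("x-nvidia-switch-attestation-report-cert-chain",
               "x-nvidia-switch-bios-rim-cert-chain")

def _matches(value, expected):
    # Strict type check so 1 or "true" is not accepted in place of True.
    return type(value) is type(expected) and value == expected

def evaluate_switch_claims(claims, expected_nonce):
    """Return the claims that violate the policy; an empty list means accept."""
    # Fail closed: a claim that is absent is treated like one that failed.
    failures = [k for k, v in EXPECTED.items() if not _matches(claims.get(k), v)]
    if not _matches(claims.get("eat_nonce"), expected_nonce):
        failures.append("eat_nonce")
    for chain in CERT_CHAINS:
        nested = claims.get(chain) if isinstance(claims.get(chain), dict) else {}
        failures += [f"{chain}/{k}" for k, v in CHAIN_EXPECTED.items()
                     if not _matches(nested.get(k), v)]
    return failures

def sample_claims(nonce):
    """Constructed Version 3.0 detached claims set in which every check passes."""
    chain = {**CHAIN_EXPECTED, "x-nvidia-cert-expiration-date": "2030-01-01T00:00:00Z",
             "x-nvidia-cert-revocation-reason": None}
    return {**EXPECTED, "eat_nonce": nonce, "hwmodel": "constructed-model",
            **{c: dict(chain) for c in CERT_CHAINS}}

if __name__ == "__main__":
    print(evaluate_switch_claims(sample_claims("ab" * 32), "ab" * 32))  # constructed nonce
```
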

Version 2.0

Applicability: Attestation SDK Python only and NVIDIA Remote Attestation Service

Overall Claims

| ID | Claim | Conditions for the Claim to be Valid | Values |
|----|-------|--------------------------------------|--------|
| 1 | x-nvidia-ver | Claims version | String |
| 2 | iss | Claims Issuer | String |
| 3 | x-nvidia-overall-att-result | This claim indicates if the overall attestation result is successful or failed. | true / false |
| 4 | sub | Subject of the claims | String |
| 5 | eat_nonce | Nonce used for the Attestation process | String |
| 6 | submods | Contains the digest of a detached Claims-Set | Object |

Detached Claims

| ID | Claim | Conditions for the Claim to be Valid | Values |
|----|-------|--------------------------------------|--------|
| 1 | x-nvidia-switch-arch-check | The switch architecture in the attestation report, e.g. LS10 | String |
| 2 | measres | The runtime measurements from the Reference Integrity Measurements (RIM) match the runtime measurements in the attestation report. | success / fail |
| 3 | x-nvidia-switch-bios-version | A string representing the switch BIOS version, e.g. 96.00.9F.00.01 | String |
| 4 | x-nvidia-switch-attestation-report-cert-chain-validated | This claim indicates if the following checks completed successfully for the attestation report certificate chain:<br>1. Certificate chain is valid.<br>2. Certificate chain belongs to NVIDIA PKI.<br>3. Certificate is not expired.<br>4. Certificate is not revoked.<br>5. FWID of the certificate matches the attestation report. | true / false |
| 5 | x-nvidia-switch-attestation-report-parsed | This claim indicates if the attestation report has been successfully parsed. | true / false |
| 6 | x-nvidia-switch-attestation-report-nonce-match | The nonce in the attestation report matches the initial input to the switch while generating the report. | true / false |
| 7 | x-nvidia-switch-attestation-report-signature-verified | The signature on the attestation report is verified. | true / false |
| 8 | x-nvidia-switch-bios-rim-fetched | This field indicates if the verifier can fetch the BIOS RIM from the RIM service. | true / false |
| 9 | x-nvidia-switch-bios-rim-schema-validated | The BIOS RIM has been confirmed to be in accordance with the SWID schema. | true / false |
| 10 | x-nvidia-switch-bios-rim-cert-validated | This claim indicates if the following checks completed successfully for the BIOS RIM:<br>1. Certificate chain is valid.<br>2. Certificate chain belongs to NVIDIA PKI.<br>3. Certificate is not expired.<br>4. Certificate is not revoked. | true / false |
| 11 | x-nvidia-switch-bios-rim-signature-verified | For the claim to be valid, the following conditions must be met:<br>1. The BIOS RIM schema must be as expected.<br>2. The BIOS RIM certificate chain must be verified.<br>3. OCSP validation must pass for each certificate in the RIM certificate chain.<br>4. The BIOS RIM signature must be verified, and the BIOS version must match the version fetched from the switch information. | true / false |
| 12 | x-nvidia-switch-bios-rim-measurements-available | The BIOS Reference Integrity Measurement (RIM) and the measurements within it were successfully interpreted and understood. | true / false |
| 13 | eat_nonce | Nonce used for the Attestation process | String |
| 14 | hwmodel | Switch hardware model | String |
| 15 | ueid | Universal Entity ID | String |
| 16 | oemid | Firmware Manufacturer ID | String |
| 17 | iss | EAT token issuer | String |

Reporting an issue to NVIDIA

If the remediations above do not help users fix the problems, they can report their issues at NVIDIA/nvtrust#issues.