Developer Setup

This document explains how to build, run, and extend the CLI during development. The CLI depends on the NVIDIA Attestation SDK in nv-attestation-sdk-cpp and uses it as a CMake subdirectory.

Dev environment

You can reuse the SDK’s containerized environment for dependencies and tooling. See docs/nv-attestation-sdk-c/development.md for details on the Docker‑based workflow and helper scripts.

Minimal local setup:

  • CMake 3.11+

  • C++14 compiler

  • spdlog development package

Build the CLI

cd nv-attestation-cli
cmake -S . -B build
cmake --build build
cmake --install build
sudo ldconfig

CMake Available Options

-DSANITIZER=[address|thread|undefined|leak|OFF] (Default: OFF)

  • OFF: Perform a normal build with no sanitizer

  • <other>: Compile with the selected sanitizer

-DENABLE_NVML=[ON|OFF] (Default: ON)

  • ON: Enables NVML support and GPU-specific attestation features

  • OFF: Disables NVML support (e.g., for local dev or build pipeline)

-DENABLE_NSCQ=[ON|OFF] (Default: ON)

  • ON: Enables NSCQ support and SWITCH-specific attestation features

  • OFF: Disables NSCQ support (e.g., for local dev or build pipeline)

Note: When configuring the CLI from this directory, -DENABLE_NVML and -DENABLE_NSCQ are forwarded to the SDK subproject (nv-attestation-sdk-cpp), so the SDK is built with the same features enabled or disabled.

Run the CLI:

nvattest --help
nvattest version
nvattest attest --device gpu --verifier local

Command structure

The CLI is defined in nv-attestation-cli/main.cpp using CLI11.

  • Subcommands:

    • version

    • attest

attest options:

  • --device {gpu|switch} (default: gpu)

  • --verifier {local|remote} (default: local)

  • --gpu-evidence <path>: JSON evidence file to use instead of NVML

  • --switch-evidence <path>: JSON evidence file to use instead of NSCQ

  • --relying-party-policy <path>: Rego policy file

  • --rim-url: Base URL for the NVIDIA RIM service (e.g., https://rim.attestation.nvidia.com)

  • --ocsp-url: Base URL for the OCSP responder (e.g., https://ocsp.ndis.nvidia.com)

  • --nras-url: Base URL for the NVIDIA Remote Attestation Service (e.g., https://nras.attestation.nvidia.com)

Custom policy

Supply a Rego file that defines package policy and a boolean rule nv_match. If nv_match evaluates to false, the command exits with code 2.

Example Rego policy:

package policy
import future.keywords.every
default nv_match := false
nv_match {
  every result in input {
    result["x-nvidia-device-type"] == "gpu"
    result.secboot
    result.dbgstat == "disabled"
  }
}

Pass it with:

nvattest attest --relying-party-policy ./path/to/policy.rego
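A stricter variant of the policy above, with unit tests, as an added example that is not part of the SDK or its documentation. It accounts for two Rego semantics: `every` is true over an empty collection, and a bare reference such as `result.secboot` succeeds for any value other than `false`. Assumptions: the policy input is a collection of per-device results (as `every result in input` implies), the claim values in the tests are constructed, and the test rules follow the OPA convention of `test_`-prefixed rules with `with input as`.

```rego
package policy

import future.keywords.every

default nv_match := false

# Stricter variant of the example rule (added here, not the SDK's own policy).
nv_match {
  # `every` is true over an empty collection, so require at least one result.
  count(input) > 0
  every result in input {
    result["x-nvidia-device-type"] == "gpu"
    # A bare `result.secboot` succeeds for any value except false/undefined
    # (for example the string "false"), so compare with the boolean.
    result.secboot == true
    result.dbgstat == "disabled"
  }
}

# --- Test rules below: keep them in a separate *_test.rego file. ---
# Constructed claim set using only the fields the policy checks.
good := {"x-nvidia-device-type": "gpu", "secboot": true, "dbgstat": "disabled"}

test_all_devices_good {
  nv_match with input as [good, good]
}

test_empty_input_denied {
  not nv_match with input as []
}

test_non_boolean_secboot_denied {
  bad := object.union(good, {"secboot": "false"})
  not nv_match with input as [bad]
}

test_one_debug_enabled_device_denied {
  bad := object.union(good, {"dbgstat": "enabled"})
  not nv_match with input as [good, bad]
}
```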

Evidence files

Instead of live collection, provide JSON evidence files produced earlier or by another system:

nvattest attest --gpu-evidence ./path/to/gpu_evidence.json
nvattest attest --switch-evidence ./path/to/switch_evidence.json

When either evidence file is provided, the CLI will not call NVML/NSCQ for that device class.

Making changes

  • Add new options in attest.cpp (update create_attest_subcommand) and handle behavior in attest().

  • Keep output stable and structured; add fields under the top‑level JSON rather than changing shapes.

  • Prefer meaningful exit codes. Use NVAT SDK error codes to populate result_code/result_message.

Testing

The tests folder contains all the tests. They are a combination of “unit tests” and “integration tests” (i.e., tests that call into the actual hardware instead of using mock evidence).

This is controlled by environment variables; see “Environment variables controlling the test behaviour” below for the variables used by the tests. If running integration tests, care must be taken that the SDK is built with NVML/NSCQ.

The tests' CMake file also copies the test data to the build folder so that the tests can refer to it by relative path. This copying happens when CMake is configured, e.g., when cmake .. -DBUILD_TESTING=ON is run. During development, configuration is usually done only once, and after each change only the build command (cmake --build .) is run. Therefore, if any new files are added or the test data directory is modified in any way, the CMake configuration command must be run again so that the folder is updated in the build directory.

The steps to build and run unit tests:

cd build
cmake .. -DBUILD_TESTING=ON
cmake --build .
ctest

A complete command to run integration tests for GPU might look like this (assuming the SDK was built with ENABLE_NVML=ON):

cd build
ENABLE_NSCQ=OFF ENABLE_NVML=ON TEST_MODE="integration" TEST_DEVICES="gpu" ctest -L cli -R 'CliTest.*'

Environment variables controlling the test behaviour

  • TEST_MODE (integration or unit)

  • TEST_DEVICES (gpu or nvswitch)

Run all the automated tests

ctest

The following ctest commands are useful for conditionally executing automated tests:

## Run only unit tests
ctest -L cli

## Only run unit tests with "CliTest" in their name
ctest -L cli -R CliTest