Introduction – NVIDIA Attestation CLI

nvattest is a command‑line tool built on the NVIDIA Attestation SDK to collect device attestation evidence and verify integrity for NVIDIA GPUs and Switches.

It supports:

  • Collecting evidence from live devices (via NVML for GPUs and NSCQ for Switch)

  • Verifying locally or via a remote verifier

  • Supplying pre‑serialized evidence from files (for offline/replay workflows)

  • Applying a custom Relying Party policy (Rego)

  • Emitting JSON output suitable for automation, with meaningful exit codes

Subcommands

version

Displays CLI version information as JSON.

nvattest version
# {
#   "nvattest": "1.0"
# }

attest

Runs attestation and prints results as JSON.

Options:

  • --device {gpu|switch} (default: gpu)

  • --verifier {local|remote} (default: local)

  • --gpu-evidence <path>: JSON evidence file to use instead of NVML

  • --switch-evidence <path>: JSON evidence file to use instead of NSCQ

  • --relying-party-policy <path>: Rego policy file

  • --rim-url: Base URL for the NVIDIA RIM service (e.g.: https://rim.attestation.nvidia.com)

  • --ocsp-url: Base URL for the OCSP responder (e.g.: https://ocsp.ndis.nvidia.com)

  • --nras-url: Base URL for the NVIDIA Remote Attestation Service (e.g.: https://nras.attestation.nvidia.com)

Behavior:

  • If no --gpu-evidence/--switch-evidence files are provided, the CLI enables the corresponding device drivers and collects live evidence.

  • When provided, evidence files replace live collection for that device class.

  • If a Rego policy is supplied, attestation will fail with a specific exit code when the policy does not match.

Output

Prints a JSON document to stdout. At a minimum it includes:

  • claims: the attestation claims as a JSON array (one entry per device)

  • result_code: NVAT SDK return code

  • result_message: NVAT SDK return code string

Example output (truncated):

{
  "claims": [
    {
      "x-nvidia-device-type": "gpu",
      "secboot": true,
      "x-nvidia-gpu-driver-version": "575.32"
      // ...
    }
  ],
  "result_code": 0,
  "result_message": "Ok"
}

See the SDK’s claims schema for the complete shape of the claims: docs/nv-attestation-sdk-c/claims_schema.md.

Example CLI commands

  • Local GPU attestation:

nvattest attest --device gpu --verifier local

  • Attest using pre‑collected GPU evidence and a custom policy:

nvattest attest \
  --gpu-evidence ./path/to/gpu_evidence.json \
  --relying-party-policy ./path/to/policy.rego

  • Rego policy example:

package policy
import future.keywords.every
default nv_match := false
nv_match {
  every result in input {
    result["x-nvidia-device-type"] == "gpu"
    result.secboot
    result.dbgstat == "disabled"
  }
}
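
An automation gate for the JSON output, written as an added example (not part of the NVIDIA documentation or SDK): it re-checks result_code and the same three claims the policy above tests, and fails closed on malformed output or an empty claims array. The function name evaluate, the file name gate.py and the sample documents are constructed for illustration; it assumes result_code 0 means success, as in the example output above.

```python
import json
import sys

# Constructed sample documents shaped like the CLI output shown above (not real device output).
SAMPLE_PASS = json.dumps({
    "claims": [{"x-nvidia-device-type": "gpu", "secboot": True, "dbgstat": "disabled"}],
    "result_code": 0, "result_message": "Ok"})
SAMPLE_DEBUG = json.dumps({
    "claims": [{"x-nvidia-device-type": "gpu", "secboot": True, "dbgstat": "enabled"}],
    "result_code": 0, "result_message": "Ok"})
SAMPLE_EMPTY = json.dumps({"claims": [], "result_code": 0, "result_message": "Ok"})


def evaluate(stdout_text, device_type="gpu"):
    """Return (ok, reasons) for one nvattest JSON document; fails closed."""
    try:
        doc = json.loads(stdout_text)
    except json.JSONDecodeError as exc:
        return False, [f"output is not valid JSON: {exc}"]
    if not isinstance(doc, dict):
        return False, ["top-level JSON value is not an object"]
    reasons = []
    code = doc.get("result_code")
    # Assumption: 0 is the success code, as in the example output on this page.
    if type(code) is not int or code != 0:
        reasons.append(f"result_code={code!r} ({doc.get('result_message')!r})")
    claims = doc.get("claims")
    if not isinstance(claims, list) or not claims:
        # An empty array would satisfy a Rego `every` rule vacuously; reject it here.
        return False, reasons + ["claims missing or empty: no device was attested"]
    for i, claim in enumerate(claims):
        if not isinstance(claim, dict):
            reasons.append(f"claims[{i}] is not an object")
            continue
        if claim.get("x-nvidia-device-type") != device_type:
            reasons.append(f"claims[{i}]: unexpected device type")
        if claim.get("secboot") is not True:  # a missing claim counts as failure
            reasons.append(f"claims[{i}]: secboot is not true")
        if claim.get("dbgstat") != "disabled":
            reasons.append(f"claims[{i}]: dbgstat is not 'disabled'")
    return not reasons, reasons


if __name__ == "__main__":
    # Usage: nvattest attest --device gpu --verifier local | python3 gate.py
    ok, why = evaluate(sys.stdin.read())
    for line in why:
        print("FAIL:", line, file=sys.stderr)
    sys.exit(0 if ok else 1)
```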

Refer to the Installation and Development docs for dependency setup, building, and configuration.