Configuring attestation

Attestation context

When using the high-level API, the attestation context APIs are used to configure the behaviour of attestation.

Relying party policy

Customers can specify a relying party policy using the Rego language. The input to this policy is a JSON list of claims generated from verifying the device evidence. The schema of the JSON body is documented here.

The claims JSON is a list of objects, one object per device, each holding that device's claims. For example:

[
    {
        "#gpu-0 claims"
    },
    {
        "#gpu-1 claims"
    },
    {
        "#switch-0 claims"
    }
]

Each GPU claim looks like this:

{
    "x-nvidia-device-type": "gpu",
    "x-nvidia-gpu-driver-rim-schema-validated": true,
    "x-nvidia-gpu-vbios-rim-signature-verified": true,
    "x-nvidia-gpu-vbios-rim-fetched": true,
    "x-nvidia-gpu-driver-rim-version-match": true,
    "x-nvidia-gpu-attestation-report-nonce-match": true,
    "x-nvidia-gpu-vbios-index-no-conflict": true,
    "secboot": true,
    "x-nvidia-gpu-driver-rim-cert-chain": {
      "x-nvidia-cert-status": "valid",
      "x-nvidia-cert-ocsp-status": "good",
      "x-nvidia-cert-expiration-date": "2027-02-26T22:03:02Z",
      "x-nvidia-cert-revocation-reason": null
    },
    "x-nvidia-gpu-vbios-rim-cert-chain": {
      "x-nvidia-cert-status": "valid",
      "x-nvidia-cert-ocsp-status": "good",
      "x-nvidia-cert-expiration-date": "2027-04-23T23:45:54Z",
      "x-nvidia-cert-revocation-reason": null
    },
    "x-nvidia-gpu-attestation-report-parsed": true,
    "x-nvidia-gpu-attestation-report-cert-chain": {
      "x-nvidia-cert-status": "valid",
      "x-nvidia-cert-ocsp-status": "good",
      "x-nvidia-cert-expiration-date": "9999-12-31T23:59:59Z",
      "x-nvidia-cert-revocation-reason": null
    },
    "x-nvidia-gpu-driver-rim-signature-verified": true,
    "x-nvidia-gpu-arch-check": true,
    "x-nvidia-gpu-vbios-rim-version-match": true,
    "x-nvidia-attestation-warning": null,
    "x-nvidia-gpu-driver-version": "575.32",
    "x-nvidia-gpu-driver-rim-measurements-available": true,
    "x-nvidia-gpu-attestation-report-signature-verified": true,
    "x-nvidia-gpu-driver-rim-fetched": true,
    "x-nvidia-gpu-attestation-report-cert-chain-fwid-match": true,
    "measres": "success",
    "x-nvidia-gpu-vbios-version": "97.00.88.00.0F",
    "x-nvidia-gpu-vbios-rim-measurements-available": true
}

Each switch claim looks like this:

{
    "x-nvidia-device-type": "nvswitch",
    "x-nvidia-switch-bios-rim-fetched": true,
    "x-nvidia-switch-bios-rim-signature-verified": true,
    "x-nvidia-switch-attestation-report-cert-chain-fwid-match": true,
    "x-nvidia-switch-attestation-report-signature-verified": true,
    "x-nvidia-switch-bios-rim-version-match": true,
    "x-nvidia-switch-attestation-report-parsed": true,
    "x-nvidia-switch-attestation-report-nonce-match": true,
    "x-nvidia-switch-attestation-report-cert-chain": {
      "x-nvidia-cert-status": "valid",
      "x-nvidia-cert-ocsp-status": "good",
      "x-nvidia-cert-expiration-date": "9999-12-31T23:59:59Z",
      "x-nvidia-cert-revocation-reason": null
    },
    "x-nvidia-switch-arch-check": true,
    "secboot": true,
    "x-nvidia-switch-bios-rim-cert-chain": {
      "x-nvidia-cert-status": "valid",
      "x-nvidia-cert-ocsp-status": "good",
      "x-nvidia-cert-expiration-date": "2026-05-20T17:59:06Z",
      "x-nvidia-cert-revocation-reason": null
    },
    "x-nvidia-attestation-warning": null,
    "hwmodel": "LS_10 A01 FSP BROM",
    "measres": "success",
    "x-nvidia-switch-bios-version": "96.10.55.00.01"
}

See the claims schema to understand what these claims mean.

This is an example Rego policy that assumes the input shown above:

package policy
import future.keywords.every

# Fail closed: nv_match is false unless every check below succeeds.
default nv_match := false

nv_match {
  every result in input {
    result["x-nvidia-device-type"] == "gpu"
    # measres is a string ("success"), so it must be compared explicitly;
    # a bare reference would be true for any non-false value.
    result.measres == "success"
  }
}

This policy checks that every claim comes from a GPU and that each device's measurement result (measres) reports that all measurements matched the expected values.

The policy must be in package policy, i.e. it must begin with "package policy". It must define a rule named nv_match that evaluates to a boolean. This rule is evaluated and, if the result is not true, attestation is considered failed, i.e. nvat_attest_device() returns NVAT_RC_RP_POLICY_MISMATCH.

See here for an example of setting a custom Rego policy.
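The policy above only admits GPUs and checks the measurement result. The following is an added example (not code from the page or from the SDK) of a stricter policy for a mixed GPU and NVSwitch fleet that also requires secure boot, no attestation warning, valid and OCSP-good certificate chains on every device, signature and nonce checks, and an allowlisted driver version. It assumes the evaluator accepts the Rego "if" keyword via import future.keywords.if; the device-type and driver-version allowlists are constructed values.

```rego
package policy

import future.keywords.every
import future.keywords.if
import future.keywords.in

# Assumed relying-party allowlists (constructed values, not from the page).
allowed_device_types := {"gpu", "nvswitch"}
approved_driver_versions := {"575.32"}
default nv_match := false

# Pass only if there is at least one device and every device passes its checks.
nv_match if {
	count(input) > 0
	every claim in input {
		device_ok(claim)
	}
}

# Checks shared by GPUs and NVSwitches; measres is a string, so compare it.
device_ok(claim) if {
	claim["x-nvidia-device-type"] in allowed_device_types
	claim.measres == "success"
	claim.secboot == true
	claim["x-nvidia-attestation-warning"] == null
	chains := [c | some k, c in claim; endswith(k, "-cert-chain")]
	every chain in chains {
		chain["x-nvidia-cert-status"] == "valid"
		chain["x-nvidia-cert-ocsp-status"] == "good"
		chain["x-nvidia-cert-revocation-reason"] == null
	}
	type_ok(claim)
}

# Device-type-specific checks: GPUs (with a driver-version allowlist), then NVSwitches.
type_ok(claim) if {
	claim["x-nvidia-device-type"] == "gpu"
	claim["x-nvidia-gpu-attestation-report-signature-verified"] == true
	claim["x-nvidia-gpu-attestation-report-nonce-match"] == true
	claim["x-nvidia-gpu-driver-rim-version-match"] == true
	claim["x-nvidia-gpu-vbios-rim-version-match"] == true
	claim["x-nvidia-gpu-driver-version"] in approved_driver_versions
}

type_ok(claim) if {
	claim["x-nvidia-device-type"] == "nvswitch"
	claim["x-nvidia-switch-attestation-report-signature-verified"] == true
	claim["x-nvidia-switch-attestation-report-nonce-match"] == true
	claim["x-nvidia-switch-bios-rim-version-match"] == true
}
```

Against the sample GPU and switch claims shown above this policy yields true; any device whose device type is outside the allowlist, whose measres is not "success", or whose certificate chains are not valid and OCSP-good makes nv_match false.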

Evidence policy

These policies influence the security posture of claims creation and allow the user to relax that posture. The attestation context uses a default evidence policy with the recommended settings.

The available settings are: