Evidence Policy#

Settings to modify the behavior of a verifier.

Macros#

NVAT_GPU_CLAIMS_VERSION_V2

NVAT_GPU_CLAIMS_VERSION_V3

NVAT_SWITCH_CLAIMS_VERSION_V3

Functions#

nvat_rc_t nvat_evidence_policy_create_default(nvat_evidence_policy_t *policy)

Allocates a default evidence appraisal policy.

void nvat_evidence_policy_free(nvat_evidence_policy_t *evidence_policy)

nvat_rc_t nvat_evidence_policy_set_gpu_claims_version(nvat_evidence_policy_t policy, const nvat_gpu_claims_version_t version)

Set the expected claims version for GPU attestation results.

void nvat_evidence_policy_set_ocsp_allow_cert_hold(nvat_evidence_policy_t policy, bool allow_cert_hold)

Whether to allow certificate hold revocations.

void nvat_evidence_policy_set_ocsp_check_nonce(nvat_evidence_policy_t policy, bool check_nonce)

Whether to check OCSP nonces.

nvat_rc_t nvat_evidence_policy_set_switch_claims_version(nvat_evidence_policy_t policy, const nvat_switch_claims_version_t version)

Set the expected claims version for switch attestation results.

Typedefs#

nvat_evidence_policy_t

Settings to customize evidence verification.

nvat_gpu_claims_version_t

nvat_switch_claims_version_t

Functions#

nvat_rc_t nvat_evidence_policy_create_default(
nvat_evidence_policy_t *policy,
)#

Allocates a default evidence appraisal policy.

The default evidence policy requires that:

  • OCSP status must be “good”

  • OCSP nonce must match between the OCSP request and response

void nvat_evidence_policy_free(
nvat_evidence_policy_t *evidence_policy,
)#
nvat_rc_t nvat_evidence_policy_set_gpu_claims_version(
nvat_evidence_policy_t policy,
const nvat_gpu_claims_version_t version,
)#

Set the expected claims version for GPU attestation results.

void nvat_evidence_policy_set_ocsp_allow_cert_hold(
nvat_evidence_policy_t policy,
bool allow_cert_hold,
)#

Whether to allow certificate hold revocations.

RIM certificates revoked with the reason CERTIFICATE_HOLD indicate that the corresponding driver and/or firmware is a early-access software.

void nvat_evidence_policy_set_ocsp_check_nonce(
nvat_evidence_policy_t policy,
bool check_nonce,
)#

Whether to check OCSP nonces.

An OCSP nonce is used to guarantee the freshness of the revocation status returned by an OCSP server. Disabling the nonce is available for high-performance use cases that rely on cached OCSP responses.

Enabling OCSP over HTTPS is highly recommended if the nonce is disabled as this can partially mitigate the risk of OCSP replay attacks.

nvat_rc_t nvat_evidence_policy_set_switch_claims_version(
nvat_evidence_policy_t policy,
const nvat_switch_claims_version_t version,
)#

Set the expected claims version for switch attestation results.

Typedefs#

typedef struct nvat_evidence_policy_st *nvat_evidence_policy_t#

Settings to customize evidence verification.

typedef uint8_t nvat_gpu_claims_version_t#
typedef uint8_t nvat_switch_claims_version_t#