Configuring attestation
Attestation context
When using the high-level API, the attestation context APIs are used to configure the behaviour of attestation.
Relying party policy
Customers can specify a relying party policy in the Rego language. The input to this policy is a JSON list of claims generated by verifying the device evidence. The schema of the JSON body is documented here.
The claims JSON is a list of objects, one object per device, for example:
[
  {
    "#gpu-0 claims"
  },
  {
    "#gpu-1 claims"
  },
  {
    "#switch-0 claims"
  }
]
Each GPU claim looks like this:
{
  "x-nvidia-device-type": "gpu",
  "x-nvidia-gpu-driver-rim-schema-validated": true,
  "x-nvidia-gpu-vbios-rim-signature-verified": true,
  "x-nvidia-gpu-vbios-rim-fetched": true,
  "x-nvidia-gpu-driver-rim-version-match": true,
  "x-nvidia-gpu-attestation-report-nonce-match": true,
  "x-nvidia-gpu-vbios-index-no-conflict": true,
  "secboot": true,
  "x-nvidia-gpu-driver-rim-cert-chain": {
    "x-nvidia-cert-status": "valid",
    "x-nvidia-cert-ocsp-status": "good",
    "x-nvidia-cert-expiration-date": "2027-02-26T22:03:02Z",
    "x-nvidia-cert-revocation-reason": null
  },
  "x-nvidia-gpu-vbios-rim-cert-chain": {
    "x-nvidia-cert-status": "valid",
    "x-nvidia-cert-ocsp-status": "good",
    "x-nvidia-cert-expiration-date": "2027-04-23T23:45:54Z",
    "x-nvidia-cert-revocation-reason": null
  },
  "x-nvidia-gpu-attestation-report-parsed": true,
  "x-nvidia-gpu-attestation-report-cert-chain": {
    "x-nvidia-cert-status": "valid",
    "x-nvidia-cert-ocsp-status": "good",
    "x-nvidia-cert-expiration-date": "9999-12-31T23:59:59Z",
    "x-nvidia-cert-revocation-reason": null
  },
  "x-nvidia-gpu-driver-rim-signature-verified": true,
  "x-nvidia-gpu-arch-check": true,
  "x-nvidia-gpu-vbios-rim-version-match": true,
  "x-nvidia-attestation-warning": null,
  "x-nvidia-gpu-driver-version": "575.32",
  "x-nvidia-gpu-driver-rim-measurements-available": true,
  "x-nvidia-gpu-attestation-report-signature-verified": true,
  "x-nvidia-gpu-driver-rim-fetched": true,
  "x-nvidia-gpu-attestation-report-cert-chain-fwid-match": true,
  "measres": "success",
  "x-nvidia-gpu-vbios-version": "97.00.88.00.0F",
  "x-nvidia-gpu-vbios-rim-measurements-available": true
}
Each switch claim looks like this:
{
  "x-nvidia-device-type": "nvswitch",
  "x-nvidia-switch-bios-rim-fetched": true,
  "x-nvidia-switch-bios-rim-signature-verified": true,
  "x-nvidia-switch-attestation-report-cert-chain-fwid-match": true,
  "x-nvidia-switch-attestation-report-signature-verified": true,
  "x-nvidia-switch-bios-rim-version-match": true,
  "x-nvidia-switch-attestation-report-parsed": true,
  "x-nvidia-switch-attestation-report-nonce-match": true,
  "x-nvidia-switch-attestation-report-cert-chain": {
    "x-nvidia-cert-status": "valid",
    "x-nvidia-cert-ocsp-status": "good",
    "x-nvidia-cert-expiration-date": "9999-12-31T23:59:59Z",
    "x-nvidia-cert-revocation-reason": null
  },
  "x-nvidia-switch-arch-check": true,
  "secboot": true,
  "x-nvidia-switch-bios-rim-cert-chain": {
    "x-nvidia-cert-status": "valid",
    "x-nvidia-cert-ocsp-status": "good",
    "x-nvidia-cert-expiration-date": "2026-05-20T17:59:06Z",
    "x-nvidia-cert-revocation-reason": null
  },
  "x-nvidia-attestation-warning": null,
  "hwmodel": "LS_10 A01 FSP BROM",
  "measres": "success",
  "x-nvidia-switch-bios-version": "96.10.55.00.01"
}
See the claims schema to understand what these claims mean.
The attestation context uses the following default relying party policy:
package policy

import future.keywords.every

default nv_match := false

# Check if all certificate chain claims have valid status for GPU devices
gpu_certs_valid(result) {
    result["x-nvidia-gpu-attestation-report-cert-chain"]["x-nvidia-cert-status"] == "valid"
    result["x-nvidia-gpu-driver-rim-cert-chain"]["x-nvidia-cert-status"] == "valid"
    result["x-nvidia-gpu-vbios-rim-cert-chain"]["x-nvidia-cert-status"] == "valid"
}

# Check if all certificate chain claims have valid status for Switch devices
switch_certs_valid(result) {
    result["x-nvidia-switch-attestation-report-cert-chain"]["x-nvidia-cert-status"] == "valid"
    result["x-nvidia-switch-bios-rim-cert-chain"]["x-nvidia-cert-status"] == "valid"
}

nv_match {
    every result in input {
        result["measres"] == "success"
        # Apply device-specific certificate validation
        result["x-nvidia-device-type"] == "gpu"
        gpu_certs_valid(result)
    }
}

nv_match {
    every result in input {
        result["measres"] == "success"
        # Apply device-specific certificate validation
        result["x-nvidia-device-type"] == "nvswitch"
        switch_certs_valid(result)
    }
}
This policy requires, for every device in the list, that the measurements in the device evidence matched the RIM file (measres is success) and that the status of every certificate chain in the evidence and in the RIM files is valid. Two properties of the policy as written are worth knowing before relying on it: each nv_match rule applies its device-type test inside the every block, so the first rule holds only when all entries are GPUs and the second only when all entries are NVSwitches, and a claims list that mixes both device types satisfies neither rule; and every over an empty list is vacuously true, so an empty claims list satisfies the policy. A custom policy can check each entry with a device-specific rule and require count(input) > 0 if either behaviour is not acceptable for your deployment.
You can write your own Rego policy to replace this one. The policy must be in the package policy, i.e. it must start with package policy. It must define a rule nv_match that evaluates to a boolean. This rule is evaluated and, if the result is not true, attestation is considered failed, i.e. nvat_attest_system() returns NVAT_RC_RP_POLICY_MISMATCH.
See here for an example on setting a custom rego policy.
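The following custom policy is an added example written for this page; it is not code from the NVIDIA attestation SDK or its documentation. It keeps the required shape (package policy, a boolean nv_match) while tightening the checks: each entry is tested by a device-specific device_ok rule, so GPUs and NVSwitches can appear in the same claims list; an empty list is rejected; every certificate chain must have status valid and OCSP status good; the nonce, signature, FWID and RIM version-match claims must be true; no attestation warning may be present; and the GPU driver version must be on an allow-list. The claim names are those shown in the sample claims above. The approved_gpu_driver_versions set is an assumed, deployment-specific value seeded from the sample GPU claim and must be maintained by the relying party.

```rego
package policy

import future.keywords.every
import future.keywords.in

default nv_match := false

# Assumed deployment-specific allow-list of GPU driver versions (example value,
# taken from the sample claim; replace with the versions you actually approve).
approved_gpu_driver_versions := {"575.32"}

# A certificate chain is acceptable only if the chain validated AND the OCSP
# responder reported "good" for it. The default policy checks only the former.
chain_ok(chain) {
    chain["x-nvidia-cert-status"] == "valid"
    chain["x-nvidia-cert-ocsp-status"] == "good"
}

# GPU entry: report must be fresh (nonce), authentic (signature), bound to the
# firmware it measured (FWID), and the RIMs must match the reported versions.
device_ok(result) {
    result["x-nvidia-device-type"] == "gpu"
    result["x-nvidia-gpu-attestation-report-nonce-match"] == true
    result["x-nvidia-gpu-attestation-report-signature-verified"] == true
    result["x-nvidia-gpu-attestation-report-cert-chain-fwid-match"] == true
    result["x-nvidia-gpu-driver-rim-version-match"] == true
    result["x-nvidia-gpu-vbios-rim-version-match"] == true
    chain_ok(result["x-nvidia-gpu-attestation-report-cert-chain"])
    chain_ok(result["x-nvidia-gpu-driver-rim-cert-chain"])
    chain_ok(result["x-nvidia-gpu-vbios-rim-cert-chain"])
    result["x-nvidia-gpu-driver-version"] in approved_gpu_driver_versions
}

# NVSwitch entry: same idea, with the switch claim names.
device_ok(result) {
    result["x-nvidia-device-type"] == "nvswitch"
    result["x-nvidia-switch-attestation-report-nonce-match"] == true
    result["x-nvidia-switch-attestation-report-signature-verified"] == true
    result["x-nvidia-switch-attestation-report-cert-chain-fwid-match"] == true
    result["x-nvidia-switch-bios-rim-version-match"] == true
    chain_ok(result["x-nvidia-switch-attestation-report-cert-chain"])
    chain_ok(result["x-nvidia-switch-bios-rim-cert-chain"])
}

# The system passes only if there is at least one device (an `every` over an
# empty list is vacuously true) and every device passes the common checks plus
# its device-specific rule.
nv_match {
    count(input) > 0
    every result in input {
        result["measres"] == "success"
        result["secboot"] == true
        result["x-nvidia-attestation-warning"] == null
        device_ok(result)
    }
}
```

A claim that is missing from an entry makes the corresponding expression undefined, which fails the every block and leaves nv_match at its default of false, so an entry with an unknown device type or a truncated claim set is rejected rather than silently skipped, and nvat_attest_system() returns NVAT_RC_RP_POLICY_MISMATCH.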
Evidence policy
These settings control how strictly claims are derived from the device evidence and allow the user to relax that security posture. Each relaxation removes a check, so the resulting claims carry weaker guarantees. The attestation context uses a default evidence policy with the recommended settings.
The available settings are:
- Skip the nonce check between the OCSP request and the OCSP response from the OCSP responder when checking the OCSP status: nvat_evidence_policy_set_ocsp_check_nonce() (set this to false; default: true). Without the nonce check, an attacker who can intercept the OCSP exchange can replay an older "good" response for a certificate that has since been revoked.
- Allow certificates whose OCSP status is revoked with the reason cert hold: nvat_evidence_policy_set_ocsp_allow_cert_hold() (set this to true; default: false). A certificate on hold has been suspended by the issuer and would otherwise be rejected.
- Skip RIM file signature verification: nvat_evidence_policy_set_verify_rim_signature() (set this to false; default: true). Without signature verification the reference measurements are not authenticated, so a tampered RIM could make the measurement comparison (measres) succeed.