NVIDIA Attestation SDK (NVAT)

NVAT (NVIDIA Atttestation SDK) is an open-source C++ SDK that provides resources for implementing and validating Trusted Computing Solutions on NVIDIA hardware. It focuses on attestation, a crucial aspect of ensuring the integrity and security of confidential computing environments.

The core SDK is written in C++ and wrapped with a C API and CLI, with more bindings to come.

Project Status

This project is the successor of the Python-based guest tools in nvTrust. NVAT provides utilities suitable for a broader range of environments and use-cases.

Components

NVAT provides two components for different use cases:

• CLI (nvattest): For quick testing, scripts, and getting started. Documentation

• C API: For integrating attestation into C/C++ applications. Documentation

Quick Start Guide for the CLI (nvattest)

Prerequisites

• A supported NVIDIA GPU connected to a CVM. See NVIDIA Trusted Computing Solutions for deployment guides covering Intel TDX and AMD SNP.

• The above CVM must be running Ubuntu 22.04 or 24.04.

• The CVM must have the NVIDIA Management Library (NVML) installed. See Driver Installation.

CLI Installation

The steps below must be performed in a CVM connected to an NVIDIA GPU. See Prerequisites above.

Option 1: Package

Navigate to NVIDIA Attestation SDK Downloads and select the desired architecture and operating system.

Currently only x86-64 is supported for Ubuntu 22.04 and 24.04. Support for aarch64 and additional operating systems is on our immediate roadmap.

Option 2: Source Installation

1. Install the Rust compiler. See rustup

2. Install additional build dependencies:

   apt update && \
   apt install cmake git pkg-config clang \
       libcurl4-openssl-dev libssl-dev libxml2-dev \
       libxmlsec1-dev libxmlsec1-openssl
   

3. Install the CLI:

   git clone https://github.com/NVIDIA/attestation-sdk.git
   cd attestation-sdk/nv-attestation-cli
   cmake -S . -B build -DCMAKE_BUILD_TYPE=Release
   cmake --build build
   cmake --install build
   sudo ldconfig
   

Attestation

Attest the GPU(s) attached to your CVM with the following command:

nvattest attest --device gpu --verifier local

Use --help to view all the options associated with the attest subcommand:

nvattest attest --help

Using the C API

To get started with the C API, refer to the documentation in the SDK introduction.

GPU ready state

Note: This is only required when Confidential Computing is enabled.

Based on attestation results and the associated appraisal policy, the GPU can be transitioned to the Ready state. The GPU is not automatically marked Ready after attestation. The user or control plane must explicitly set the Ready state before the GPU can be used for workloads.

sudo nvidia-smi conf-compute -srs 1

nvidia-smi documentation can be found here

Documentation

• CLI introduction

• SDK introduction

• NVIDIA Confidential Computing

• NVIDIA Attestation Suite

License

This repository is licensed under Apache License v2.0 except where otherwise noted.

This project will download and install additional third-party open source software projects. Review the license terms of these open source projects before use.

Support

For issues or questions, please raise an issue on GitHub. For additional support, contact us at attestation-support@nvidia.com.