Configuring attestation#
Attestation context#
When using the high-level API, the attestation context APIs are used to configure the behaviour of attestation.
Relying party policy#
Customers can specify a relying party policy written in the Rego language. The input to this policy is a JSON list of claims generated by verifying the device evidence. The schema of the JSON body is documented here.
The claims JSON is a list of objects, one object per device claim, for example:
[
    {
        "#gpu-0 claims"
    },
    {
        "#gpu-1 claims"
    },
    {
        "#switch-0 claims"
    }
]
Each GPU claim looks like this:
{
    "x-nvidia-device-type": "gpu",
    "x-nvidia-gpu-driver-rim-schema-validated": true,
    "x-nvidia-gpu-vbios-rim-signature-verified": true,
    "x-nvidia-gpu-vbios-rim-fetched": true,
    "x-nvidia-gpu-driver-rim-version-match": true,
    "x-nvidia-gpu-attestation-report-nonce-match": true,
    "x-nvidia-gpu-vbios-index-no-conflict": true,
    "secboot": true,
    "x-nvidia-gpu-driver-rim-cert-chain": {
        "x-nvidia-cert-status": "valid",
        "x-nvidia-cert-ocsp-status": "good",
        "x-nvidia-cert-expiration-date": "2027-02-26T22:03:02Z",
        "x-nvidia-cert-revocation-reason": null
    },
    "x-nvidia-gpu-vbios-rim-cert-chain": {
        "x-nvidia-cert-status": "valid",
        "x-nvidia-cert-ocsp-status": "good",
        "x-nvidia-cert-expiration-date": "2027-04-23T23:45:54Z",
        "x-nvidia-cert-revocation-reason": null
    },
    "x-nvidia-gpu-attestation-report-parsed": true,
    "x-nvidia-gpu-attestation-report-cert-chain": {
        "x-nvidia-cert-status": "valid",
        "x-nvidia-cert-ocsp-status": "good",
        "x-nvidia-cert-expiration-date": "9999-12-31T23:59:59Z",
        "x-nvidia-cert-revocation-reason": null
    },
    "x-nvidia-gpu-driver-rim-signature-verified": true,
    "x-nvidia-gpu-arch-check": true,
    "x-nvidia-gpu-vbios-rim-version-match": true,
    "x-nvidia-attestation-warning": null,
    "x-nvidia-gpu-driver-version": "575.32",
    "x-nvidia-gpu-driver-rim-measurements-available": true,
    "x-nvidia-gpu-attestation-report-signature-verified": true,
    "x-nvidia-gpu-driver-rim-fetched": true,
    "x-nvidia-gpu-attestation-report-cert-chain-fwid-match": true,
    "measres": "success",
    "x-nvidia-gpu-vbios-version": "97.00.88.00.0F",
    "x-nvidia-gpu-vbios-rim-measurements-available": true
}
Each switch claim looks like this:
{
    "x-nvidia-device-type": "nvswitch",
    "x-nvidia-switch-bios-rim-fetched": true,
    "x-nvidia-switch-bios-rim-signature-verified": true,
    "x-nvidia-switch-attestation-report-cert-chain-fwid-match": true,
    "x-nvidia-switch-attestation-report-signature-verified": true,
    "x-nvidia-switch-bios-rim-version-match": true,
    "x-nvidia-switch-attestation-report-parsed": true,
    "x-nvidia-switch-attestation-report-nonce-match": true,
    "x-nvidia-switch-attestation-report-cert-chain": {
        "x-nvidia-cert-status": "valid",
        "x-nvidia-cert-ocsp-status": "good",
        "x-nvidia-cert-expiration-date": "9999-12-31T23:59:59Z",
        "x-nvidia-cert-revocation-reason": null
    },
    "x-nvidia-switch-arch-check": true,
    "secboot": true,
    "x-nvidia-switch-bios-rim-cert-chain": {
        "x-nvidia-cert-status": "valid",
        "x-nvidia-cert-ocsp-status": "good",
        "x-nvidia-cert-expiration-date": "2026-05-20T17:59:06Z",
        "x-nvidia-cert-revocation-reason": null
    },
    "x-nvidia-attestation-warning": null,
    "hwmodel": "LS_10 A01 FSP BROM",
    "measres": "success",
    "x-nvidia-switch-bios-version": "96.10.55.00.01"
}
See the claims schema to understand what these claims mean.
This is an example Rego policy that assumes the input shown above:
package policy

import future.keywords.every

default nv_match := false

nv_match {
    every result in input {
        result["x-nvidia-device-type"] == "gpu"
        # Compare explicitly: a bare `result.measres` is true for any
        # defined value, including a failure status string.
        result.measres == "success"
    }
}
This policy checks that every claim comes from a GPU and that the device's measurements matched the expected values, that is, measres is "success". Note that a bare reference such as result.measres only tests that the field is defined; in Rego any defined, non-false value is truthy, so a failure status would pass. Always compare against the expected value.

The policy must declare package policy.
It must define a rule named nv_match that evaluates to a boolean. This rule is evaluated and, if the
result is not true, attestation is considered failed: nvat_attest_device()
returns NVAT_RC_RP_POLICY_MISMATCH. A rule whose body references a claim field that is absent from the input is undefined, and with the default above that also yields false.
See the User guide for an example of setting a custom Rego policy.
Evidence policy#
The following Rego policy, which is part of the evidence policy, is used to evaluate the overall attestation result:
package policy

import future.keywords.every

default nv_match := false

nv_match {
    count(input) > 0
    every claim in input {
        validate_claim_by_device_type(claim)
    }
}

validate_claim_by_device_type(claim) {
    claim["x-nvidia-device-type"] == "gpu"
    validate_gpu_claims(claim)
}

validate_claim_by_device_type(claim) {
    claim["x-nvidia-device-type"] == "nvswitch"
    validate_switch_claims(claim)
}

validate_gpu_claims(claims) {
    check_measurements_match(claims)
    check_gpu_ar_cert_chain(claims)
    check_gpu_driver_rim_cert_chain(claims)
    check_gpu_vbios_rim_cert_chain(claims)
}

validate_switch_claims(claims) {
    check_measurements_match(claims)
    check_switch_ar_cert_chain(claims)
    check_switch_bios_rim_cert_chain(claims)
}

check_measurements_match(claims) {
    claims.measres == "success"
}

check_gpu_ar_cert_chain(claims) {
    cert_chain := claims["x-nvidia-gpu-attestation-report-cert-chain"]
    cert_chain["x-nvidia-cert-status"] == "valid"
    cert_chain["x-nvidia-cert-ocsp-status"] == "good"
    cert_chain["x-nvidia-cert-ocsp-nonce-matches"] == true
    cert_chain["x-nvidia-cert-ocsp-response-valid"] == true
}

check_gpu_driver_rim_cert_chain(claims) {
    cert_chain := claims["x-nvidia-gpu-driver-rim-cert-chain"]
    cert_chain["x-nvidia-cert-status"] == "valid"
    cert_chain["x-nvidia-cert-ocsp-status"] == "good"
    cert_chain["x-nvidia-cert-ocsp-nonce-matches"] == true
    cert_chain["x-nvidia-cert-ocsp-response-valid"] == true
}

check_gpu_vbios_rim_cert_chain(claims) {
    cert_chain := claims["x-nvidia-gpu-vbios-rim-cert-chain"]
    cert_chain["x-nvidia-cert-status"] == "valid"
    cert_chain["x-nvidia-cert-ocsp-status"] == "good"
    cert_chain["x-nvidia-cert-ocsp-nonce-matches"] == true
    cert_chain["x-nvidia-cert-ocsp-response-valid"] == true
}

check_switch_ar_cert_chain(claims) {
    cert_chain := claims["x-nvidia-switch-attestation-report-cert-chain"]
    cert_chain["x-nvidia-cert-status"] == "valid"
    cert_chain["x-nvidia-cert-ocsp-status"] == "good"
    cert_chain["x-nvidia-cert-ocsp-nonce-matches"] == true
    cert_chain["x-nvidia-cert-ocsp-response-valid"] == true
}

check_switch_bios_rim_cert_chain(claims) {
    cert_chain := claims["x-nvidia-switch-bios-rim-cert-chain"]
    cert_chain["x-nvidia-cert-status"] == "valid"
    cert_chain["x-nvidia-cert-ocsp-status"] == "good"
    cert_chain["x-nvidia-cert-ocsp-nonce-matches"] == true
    cert_chain["x-nvidia-cert-ocsp-response-valid"] == true
}
The overall result is carried in the detached EAT returned by nvat_get_detached_eat_es384(). It can also be inferred from the return values of
the verify functions nvat_verify_gpu_evidence(), nvat_verify_switch_evidence() and nvat_attest_device().
A relying party that wants to evaluate the overall result under a different policy must disregard that result and
supply its own Rego policy; nvat_apply_relying_party_policy() can be used for that. The custom Rego policy must be
written carefully (the policy above is the recommended reference) so that no
critical check is skipped: a Rego rule only constrains the fields it mentions, so every property the relying party depends on (measurement result, nonce match, signature verification, certificate status and OCSP status) has to be tested explicitly.
Note that the evidence policy checks x-nvidia-cert-ocsp-nonce-matches and x-nvidia-cert-ocsp-response-valid on each certificate chain; the example claims shown earlier on this page do not include those two fields, so consult the claims schema for the complete set of fields your policy can reference.
The evidence policy (and thus the default Rego policy used to evaluate the overall result) cannot be modified.
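The following is an added example of a stricter relying party policy; it is not part of the SDK or of this page's original content. It builds on the evidence policy above and the relying party policy requirements described earlier: in addition to the measurement and certificate-chain checks, it pins the driver, VBIOS and switch BIOS versions to an allow-list, requires secure boot, rejects claims that carry a warning, and requires the nonce, signature and FWID checks to have passed for every device. The version allow-lists are placeholders taken from the sample claims on this page and must be replaced with the versions approved for your fleet; the field names are the ones shown in the sample claims and in the evidence policy (x-nvidia-cert-ocsp-nonce-matches and x-nvidia-cert-ocsp-response-valid are checked because the evidence policy checks them, even though the sample claims omit them).

```rego
package policy

import future.keywords.every
import future.keywords.in

# Placeholder allow-lists (assumption: values copied from the sample claims
# on this page). Replace with the firmware versions approved for your fleet.
allowed_gpu_driver_versions := {"575.32"}
allowed_gpu_vbios_versions := {"97.00.88.00.0F"}
allowed_switch_bios_versions := {"96.10.55.00.01"}

default nv_match := false

# Fail closed: an empty claim list, an unknown device type, or any claim
# that fails a check leaves nv_match undefined, which the default turns
# into false and nvat_attest_device() reports as NVAT_RC_RP_POLICY_MISMATCH.
nv_match {
    count(input) > 0
    every claim in input {
        device_ok(claim)
    }
}

device_ok(claim) {
    claim["x-nvidia-device-type"] == "gpu"
    common_checks(claim, "gpu")
    claim["x-nvidia-gpu-driver-version"] in allowed_gpu_driver_versions
    claim["x-nvidia-gpu-vbios-version"] in allowed_gpu_vbios_versions
    claim["x-nvidia-gpu-driver-rim-version-match"] == true
    claim["x-nvidia-gpu-vbios-rim-version-match"] == true
    claim["x-nvidia-gpu-arch-check"] == true
    cert_chain_ok(claim["x-nvidia-gpu-attestation-report-cert-chain"])
    cert_chain_ok(claim["x-nvidia-gpu-driver-rim-cert-chain"])
    cert_chain_ok(claim["x-nvidia-gpu-vbios-rim-cert-chain"])
}

device_ok(claim) {
    claim["x-nvidia-device-type"] == "nvswitch"
    common_checks(claim, "switch")
    claim["x-nvidia-switch-bios-version"] in allowed_switch_bios_versions
    claim["x-nvidia-switch-bios-rim-version-match"] == true
    claim["x-nvidia-switch-arch-check"] == true
    cert_chain_ok(claim["x-nvidia-switch-attestation-report-cert-chain"])
    cert_chain_ok(claim["x-nvidia-switch-bios-rim-cert-chain"])
}

# Checks shared by both device types. `prefix` ("gpu" or "switch") selects
# the device-specific claim names, which only differ by that infix.
common_checks(claim, prefix) {
    claim.measres == "success"
    claim.secboot == true
    claim["x-nvidia-attestation-warning"] == null

    nonce_key := sprintf("x-nvidia-%s-attestation-report-nonce-match", [prefix])
    sig_key := sprintf("x-nvidia-%s-attestation-report-signature-verified", [prefix])
    fwid_key := sprintf("x-nvidia-%s-attestation-report-cert-chain-fwid-match", [prefix])
    parsed_key := sprintf("x-nvidia-%s-attestation-report-parsed", [prefix])

    claim[nonce_key] == true
    claim[sig_key] == true
    claim[fwid_key] == true
    claim[parsed_key] == true
}

# Every certificate chain must be valid, unrevoked, and backed by a fresh
# OCSP response whose nonce matched the request.
cert_chain_ok(chain) {
    chain["x-nvidia-cert-status"] == "valid"
    chain["x-nvidia-cert-ocsp-status"] == "good"
    chain["x-nvidia-cert-revocation-reason"] == null
    chain["x-nvidia-cert-ocsp-nonce-matches"] == true
    chain["x-nvidia-cert-ocsp-response-valid"] == true
}
```

The policy uses the same pre-1.0 Rego syntax (rule bodies in braces, future.keywords imports) as the policies on this page. Because every check is written as an equality against the expected value rather than a bare reference, a missing or renamed claim field makes the rule undefined and attestation fails rather than silently passing; if you need to test it against the sample claims above, which lack the two OCSP fields, drop those two lines from cert_chain_ok for the trial run only.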