Developer Setup#

This document explains how to build, run, and extend the CLI during development. The CLI depends on the NVIDIA Attestation SDK in nv-attestation-sdk-cpp and uses it as a CMake subdirectory.

Dev environment#

You can reuse the SDK’s containerized environment for dependencies and tooling. See SDK Development Guide for details on the Docker‑based workflow and helper scripts.

Minimal local setup:

  • CMake 3.11+

  • C++14 compiler

  • spdlog development package

Build the CLI#

cd nv-attestation-cli
cmake -S . -B build
cmake --build build
cmake --install build
sudo ldconfig

CMake Available Options#

-DSANITIZER=[address|thread|undefined|leak|OFF] (Default: OFF)

  • OFF: Perform a normal build with no sanitizer

  • <other>: Compile with the selected sanitizer

Run the CLI:

nvattest --help
nvattest version
nvattest attest --device gpu --verifier local
nvattest collect-evidence --device gpu

Command structure#

The CLI is defined in nv-attestation-cli/main.cpp using CLI11.

  • Subcommands:

    • version

    • attest

    • collect-evidence

Global Options:

  • --log-level: Sets the log level. Accepted values are: “trace”, “debug”, “info”, “warn”, “error”, “off”. Default is “warn”.

attest options (see nvattest attest -h for more information):

  • --device {gpu|nvswitch}: Device to attest. Default is gpu.

  • --nonce: Nonce for the attestation in hex format. If not provided, a nonce will be generated.

  • --verifier {local|remote} (default: local)

  • --gpu-evidence <path>: JSON evidence file to use instead of NVML

  • --switch-evidence <path>: JSON evidence file to use instead of NSCQ

  • --relying-party-policy <path>: Rego policy file

  • --rim-url: Base URL for the NVIDIA RIM service (Eg: https://rim.attestation.nvidia.com)

  • --ocsp-url: Base URL for the OCSP responder (Eg: https://ocsp.ndis.nvidia.com)

  • --nras-url: Base URL for the NVIDIA Remote Attestation Service (Eg: https://nras.attestation.nvidia.com)

  • --service-key: Service key used to authenticate remote service calls to attestation services. To obtain a service key, follow the NGC Onboarding Guide. collect-evidence options (see nvattest collect-evidence -h for more information):

  • --device {gpu|nvswitch}: Device to attest. Default is gpu.

  • --nonce: Nonce for the attestation in hex format. If not provided, a nonce will be generated.

Evidence files#

Instead of live collection, provide JSON evidence files produced earlier or by another system:

nvattest attest --device gpu --gpu-evidence ./path/to/gpu_evidence.json
nvattest attest --device nvswitch --switch-evidence ./path/to/switch_evidence.json

When either evidence file is provided, the CLI will not call NVML/NSCQ for that device class.

Making changes#

  • Keep output stable and structured; add fields under the top‑level JSON rather than changing shapes.

  • Prefer meaningful exit codes. Use NVAT SDK error codes to populate result_code/result_message.

Testing#

Prereqs#

  • Install GTest

git clone --depth 1 https://github.com/google/googletest.git -b v1.16.0 
&& cd googletest 
&& mkdir build 
&& cd build 
&& cmake .. 
&& cmake --build . --target install 
&& cd / 
&& rm -rf googletest

The tests folder contains all the tests. They are a combination of “unit tests” and “integration tests” (i.e they will call into the actual hardware instead of using mock evidence).

If running integration tests, care must be taken that the SDK is built with NVML/NSCQ

The steps to build and run unit tests:

cd build
cmake .. -DBUILD_TESTING=ON
cmake --build .
ctest

A complete command to run integration tests for gpu might look the following:

cd build
TEST_MODE="integration" TEST_DEVICES="gpu" NVAT_C_SDK_TEST_SERVICE_KEY="your-service-key" NVAT_RIM_SERVICE_BASE_URL="https://rim.attestation.nvidia.com" NVAT_OCSP_BASE_URL="https://ocsp.ndis.nvidia.com" NVAT_NRAS_BASE_URL="https://nras.attestation.nvidia.com" ctest -L cli -R CliTest.*

Environment variables controlling the test behaviour#

  • TEST_MODE (integration or unit)

  • TEST_DEVICES (gpu or nvswitch)

  • NVAT_C_SDK_TEST_SERVICE_KEY: Service key for authenticating with attestation services. Required for all unit and integration tests. To obtain a service key, follow the NGC Onboarding Guide.

    export NVAT_C_SDK_TEST_SERVICE_KEY="your-service-key-here"

Run all the automated tests#

ctest

Following are useful ctest commands to conditionally execute automated tests:

## Run only unit tests
ctest -L cli

## Only run unit tests with "CliTest" in their name
ctest -L cli -R CliTest