Appendix C. Component Responsibilities and Interfaces
Table 13: Component Responsibilities

| Component | Generic role | Reference implementation |
|---|---|---|
| TEE-capable CPU | VM-based trusted execution | AMD SEV-SNP or Intel TDX on a validated server platform |
| CC-capable GPU | GPU attestation, secure GPU session, GPU memory protection | NVIDIA GPU with CC mode enabled |
| Secure platform firmware | Secure boot, CPU TEE, IOMMU, memory encryption, device attestation | Validated BIOS/UEFI and device firmware |
| Host operating system | Bare-metal OS for hardware, devices, networking, and the CVM launch stack | Linux host |
| CVM launch stack | Hypervisor, virtual firmware, device-assignment path for measured guest launch | KVM/QEMU, OVMF, VFIO |
| Confidential VM image | Model-provider-controlled guest with inference server, bootstrap, attestation client, minimal runtime | Locked-down Ubuntu guest |
| Attestation verifier | Validates CPU, GPU, guest, firmware, nonce, and policy evidence | Attestation verifier |
| Key broker or KMS | Releases or unwraps model keys after attestation and policy evaluation | Key broker or KMS/HSM workflow |
| Encrypted model artifact store | Stores model artifacts without exposing unencrypted artifacts to the host | Registry, object store, or encrypted volume |
| Inference endpoint | Narrow HTTPS endpoint exposed by the CVM to approved callers | HTTPS model service behind gateway or load balancer |
Table 14: Component Interfaces

| Interface | Producer | Consumer | Requirement | Required operator signal |
|---|---|---|---|---|
| CVM launch | Host launch stack or orchestrator | Platform operator, verifier | Image ID, OVMF, kernel arguments, TEE flags, device passthrough, vCPU/memory profile, disk, network devices | Launch success/failure naming the missing or unsupported setting |
| Attestation evidence | Guest attestation client and GPU attestation component | Attestation verifier and key broker | Evidence formats, nonce/freshness rules, CPU TEE claims, GPU claims, guest-image and approved launch-configuration measurements | Pass/fail decision with claim, collateral, or reference-value reason |
| Reference values | Reference-value or policy store | Verifier, key broker, model provider | Measurement registration process, policy version, collateral source, expiry and revocation handling | Policy version and reference-value ID in logs and audits |
| Key release | Key broker and KMS/HSM | CVM guest bootstrap or workload | Secret identity, requester identity, allowed measurements, release channel, audit fields | Release, deny, or dependency error with key ID, request ID, policy version |
| Artifact access | Registry, object store, or encrypted volume | CVM guest workload | Artifact digest, encryption method, signature/provenance, fetch identity, cache behavior | Fetch/decrypt success or denial without payload exposure |
| Service endpoint | CVM, gateway, firewall/load balancer | Enterprise clients, platform operator | HTTPS endpoint, health endpoint, certificates, DNS, allowed callers, blocked admin ports | Connection, health, or certificate error naming the boundary without exposing payloads |
| Observability | Host, CVM guest, verifier, KMS/HSM, GPU components | Platform operator, SIEM, security team | Event schema, severity, correlation ID, retention, escalation path | Error class, request ID, policy version, component ID; no prompts, responses, keys, or model data |
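The "Attestation evidence", "Reference values", "Key release" and "Observability" rows above describe a verifier-then-broker decision path: freshness and collateral are checked before any claim, every failure names a reason class, and the operator signal carries identifiers but never key material or payloads. The following is an added example of that path written for this appendix; it is not code from the page or from any vendor attestation service. The evidence field names, the reference-value store layout, the measurement strings, and the nonce TTL are all illustrative assumptions; a real deployment would parse signed SEV-SNP/TDX reports and NVIDIA GPU attestation tokens and check their signatures before reaching this policy layer.

```python
"""Added example: attestation-policy evaluation and key release in the shape of Table 14.
All identifiers, measurements and field names below are constructed assumptions."""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Constructed reference-value store ("Reference values" row): approved measurements,
# policy version, reference-value ID, and expiry/revocation state for the collateral.
REFERENCE_VALUES = {
    "reference_value_id": "rv-0042",            # assumed identifier
    "policy_version": "model-policy-v7",         # assumed identifier
    "expires_at": 2_000_000_000,                 # unix seconds; collateral is stale after this
    "revoked": False,
    "allowed_cpu_tee": {"SEV-SNP", "TDX"},
    "approved_guest_measurements": {"guest-measure-0001"},      # constructed value
    "approved_launch_configs": {"launch-config-0007"},          # constructed value
}
NONCE_TTL_SECONDS = 120  # assumed freshness window for a verifier-issued nonce


@dataclass(frozen=True)
class Decision:
    """Pass/fail decision plus the audit fields the operator signal must carry."""
    passed: bool
    reason_class: str   # "ok", "nonce", "claim", "collateral" or "reference-value"
    detail: str
    request_id: str
    policy_version: str
    reference_value_id: str


def issue_nonce(now: Optional[float] = None) -> dict:
    """Verifier-side challenge; the guest must echo `nonce` inside its evidence."""
    return {"nonce": secrets.token_hex(16), "issued_at": time.time() if now is None else now}


def constructed_evidence(nonce: str, **overrides) -> dict:
    """Constructed sample evidence (illustrative field names, not a real attestation report)."""
    ev = {
        "nonce": nonce,
        "cpu": {"tee": "SEV-SNP", "debug_enabled": False},
        "gpu": {"cc_mode_enabled": True},
        "guest_measurement": "guest-measure-0001",
        "launch_config_measurement": "launch-config-0007",
    }
    ev.update(overrides)
    return ev


def verify_evidence(evidence: dict, challenge: dict, request_id: str,
                    refs: dict = REFERENCE_VALUES, now: Optional[float] = None) -> Decision:
    """Evaluate evidence against reference values; every failure names its reason class."""
    now = time.time() if now is None else now

    def fail(reason_class: str, detail: str) -> Decision:
        return Decision(False, reason_class, detail, request_id,
                        refs["policy_version"], refs["reference_value_id"])

    # 1. Collateral first: expired or revoked reference values cannot admit anything.
    if refs["revoked"] or now > refs["expires_at"]:
        return fail("collateral", "reference values expired or revoked")
    # 2. Freshness: the echoed nonce must match (constant-time) and be within the TTL,
    #    so a captured evidence blob cannot be replayed later.
    if not hmac.compare_digest(str(evidence.get("nonce", "")), challenge["nonce"]):
        return fail("nonce", "nonce mismatch")
    if now - challenge["issued_at"] > NONCE_TTL_SECONDS:
        return fail("nonce", "nonce expired")
    # 3. CPU TEE claims: allowed TEE type and no debug mode (default-deny on missing fields).
    cpu = evidence.get("cpu", {})
    if cpu.get("tee") not in refs["allowed_cpu_tee"]:
        return fail("claim", "cpu tee type not allowed")
    if cpu.get("debug_enabled", True):
        return fail("claim", "cpu tee debug enabled")
    # 4. GPU claims: confidential-computing mode must be enabled.
    if not evidence.get("gpu", {}).get("cc_mode_enabled", False):
        return fail("claim", "gpu confidential computing mode disabled")
    # 5. Reference values: guest image and launch configuration must be registered.
    if evidence.get("guest_measurement") not in refs["approved_guest_measurements"]:
        return fail("reference-value", "guest measurement not registered")
    if evidence.get("launch_config_measurement") not in refs["approved_launch_configs"]:
        return fail("reference-value", "launch configuration not registered")
    return Decision(True, "ok", "all claims matched", request_id,
                    refs["policy_version"], refs["reference_value_id"])


def key_release(decision: Decision, key_id: str, wrapped_key: bytes):
    """Key-broker step ("Key release" row): release only on a passing decision.
    The audit record carries key ID, request ID and policy version, never key material."""
    audit = {"event": "key_release", "key_id": key_id, "request_id": decision.request_id,
             "policy_version": decision.policy_version,
             "reference_value_id": decision.reference_value_id,
             "outcome": "release" if decision.passed else "deny",
             "reason": decision.reason_class}
    return (wrapped_key if decision.passed else None), audit


if __name__ == "__main__":
    challenge = issue_nonce()
    decision = verify_evidence(constructed_evidence(challenge["nonce"]), challenge, "req-demo")
    _, audit = key_release(decision, "model-key-1", b"<wrapped key bytes>")
    print(decision)
    print(audit)
```

The ordering is deliberate: stale collateral and a bad nonce are rejected before any measurement is compared, so an attacker cannot learn which of several approved measurements the verifier holds by replaying old evidence, and the audit dictionary is built from the decision rather than from the request, so key bytes never appear in an event even if a caller passes them in.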