Required Capabilities

A compliant implementation needs five things: a measured CVM image, a CPU and GPU running in confidential-computing mode, an attestation verifier, a key-management service (to host the keys and support secure key release), and a logging service that records what happened without exposing what was processed.

Concretely it must:

  • Launch the workload inside a measured CVM.

  • Produce fresh attestation evidence for CPU, GPU, guest image, approved launch configuration, and firmware state.

  • Release the model key only after evidence matches policy and includes a fresh verifier-provided nonce.

  • Keep model keys out of host-visible storage and standard VM management paths.

  • Keep model artifacts encrypted any time they’re outside the CVM.

  • Fail closed when attestation evidence, reference values, policy, or collateral do not match.

  • Audit attestation and key release without recording prompts, responses, model weights, keys, or customer data.
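The list above describes one procedure: issue a nonce, collect evidence, compare it against pinned reference values, release the key only on a match, deny on anything missing or mismatched, and audit the decision without the secrets. The following is an added example, not code from the original document or from any particular vendor stack; the evidence layout, field names, reference digests, `Verifier` and `KeyService` classes are all constructed for illustration and stand in for a real verifier and KMS.

```python
"""Added example, not code from the original document: a minimal verifier
and key-release gate that illustrates the requirement list above. Evidence
format, field names and reference values are constructed for illustration
and do not correspond to any real vendor attestation format."""
import hmac
import secrets
import time

# Fields every evidence document must carry; absence of any one denies release.
REQUIRED_FIELDS = (
    "cpu_measurement", "gpu_measurement", "guest_image_digest",
    "launch_config_digest", "firmware_state",
)

# Constructed reference values an operator would pin for the approved build.
REFERENCE = {
    "cpu_measurement": "a" * 64,
    "gpu_measurement": "b" * 64,
    "guest_image_digest": "c" * 64,
    "launch_config_digest": "d" * 64,
    "firmware_state": "current",
}


class Verifier:
    """Issues single-use nonces, checks evidence against reference values,
    and keeps an audit trail that holds decisions but never secrets."""

    def __init__(self, reference, nonce_ttl_s=60, clock=time.time):
        self.reference = reference
        self.nonce_ttl_s = nonce_ttl_s
        self.clock = clock
        self._nonces = {}   # nonce -> issue time; removed on first use
        self.audit = []     # dicts with decision, reason and a nonce prefix only

    def issue_nonce(self):
        nonce = secrets.token_hex(16)
        self._nonces[nonce] = self.clock()
        return nonce

    def verify(self, evidence):
        """Return (ok, reason). Fails closed on anything unexpected."""
        nonce = str(evidence.get("nonce") or "")
        issued = self._nonces.pop(nonce, None)
        if issued is None:
            return self._record(False, "nonce unknown or already used", nonce)
        if self.clock() - issued > self.nonce_ttl_s:
            return self._record(False, "nonce expired", nonce)
        for field in REQUIRED_FIELDS:
            expected = self.reference.get(field)
            actual = evidence.get(field)
            if expected is None or actual is None:
                # Missing reference value or missing evidence: deny, never guess.
                return self._record(False, f"missing {field}", nonce)
            if not hmac.compare_digest(str(actual), str(expected)):
                return self._record(False, f"mismatch {field}", nonce)
        return self._record(True, "evidence matches policy", nonce)

    def _record(self, ok, reason, nonce):
        # Log the decision and a nonce prefix; evidence bodies, keys and
        # workload data never enter the audit record.
        self.audit.append({"decision": "release" if ok else "deny",
                           "reason": reason, "nonce": nonce[:8]})
        return ok, reason


class KeyService:
    """Holds the model key and releases it only on a passing verdict."""

    def __init__(self, verifier, model_key):
        self.verifier = verifier
        self._model_key = model_key  # never written to audit or evidence

    def release(self, evidence):
        ok, reason = self.verifier.verify(evidence)
        if not ok:
            raise PermissionError(reason)
        return self._model_key


def good_evidence(nonce):
    """Constructed evidence matching REFERENCE (what an approved CVM would send)."""
    return dict(REFERENCE, nonce=nonce)


def demo():
    """Walk through one release, one replay and one mismatched GPU measurement."""
    v = Verifier(REFERENCE)
    kms = KeyService(v, model_key=b"constructed-model-key")
    nonce = v.issue_nonce()
    key = kms.release(good_evidence(nonce))          # fresh nonce, match: released
    try:
        kms.release(good_evidence(nonce))            # same nonce again: denied
    except PermissionError:
        pass
    bad = dict(good_evidence(v.issue_nonce()), gpu_measurement="e" * 64)
    try:
        kms.release(bad)                             # GPU measurement differs: denied
    except PermissionError:
        pass
    return key, [e["decision"] for e in v.audit]


if __name__ == "__main__":
    print(demo())
```

Two design points carry over to a real deployment: the nonce is consumed on first use so captured evidence cannot be replayed to obtain the key a second time, and the `verify` loop returns the first failure it finds rather than continuing, which keeps the decision boolean and the failure reason specific to the field that did not match.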

Any stack that produces equivalent evidence, enforces equivalent policy, and preserves the same trust boundaries satisfies the architecture. Component responsibilities and interfaces are in Appendix C.