Switch System Attestation View
This section describes the high-level view of attestation as implemented in a GB200 NVL switch system.
The cryptographic identity used for attestation is stored either in an external Root-of-Trust (eRoT), an internal Root-of-Trust (iRoT), or a TPM 2.0 device, depending on the specific entity performing the attestation.
This identity consists of a private asymmetric key that signs the measurements created by the attester. These keys are only known to and accessible by the attesting entities themselves. For each identity key, NVIDIA provides a certificate chain that is anchored in an NVIDIA Certificate Authority (CA).
The following tables detail all attesting entities, their attestation method, and the cryptographic algorithms used for attestation.
Attesting Entity | Content Being Attested | Attestation Method and/or Protocol | Measurement Hash Algorithm(s) Available | Measurement Signature Algorithm(s) Available |
BMC eRoT | BMC Image | SPDM v1.1 over MCTP | SHA-384 | ECDSA P-384 |
FPGA eRoT | FPGA Bitstream | SPDM v1.1 over MCTP | SHA-384 | ECDSA P-384 |
COMex CPU UEFI eRoT | CPU UEFI Binary | SPDM v1.1 over MCTP | SHA-384 | ECDSA P-384 |
NVSwitch eRoT | NVSwitch Firmware Image | SPDM v1.1 over MCTP | SHA-384 | ECDSA P-384 |
COMex CPU TPM | NVOS Bootloaders and UEFI Settings | Signed TPM Quotes | SHA-384 | ECDSA P-384 |
The attestation process on the Switch Tray is divided into two parts. SPDM-based attestation gathers SPDM measurements from the eRoTs linked to different board components, while TPM-based attestation measures the NVOS bootloader chain and a portion of the UEFI configuration.
The diagram below provides a visual representation of the components involved in Switch Tray attestation. Please note that these diagrams are not hardware schematics, but rather a high-level overview of the components involved in and covered by the attestation process. Some hardware connectivity details have been omitted for clarity and simplicity.
Each component equipped with an eRoT contains two flash storage units for its binary image. The eRoT is responsible for providing attestation services for the contents of both flashes. Additionally, each eRoT has two internal flash regions that store its firmware, and these are also included in the measurements provided by the eRoT.
Obtaining measurements involves two steps:
A central aggregator (such as a BMC) gathers measurements from one or more attesting entities. This step occurs internally within the system and is not visible to the external verifier, who interacts only with the central aggregator.
The external verifier remotely retrieves the measurements from the central aggregator using a protocol.
SPDM-Based Measurements
For all eRoT and iRoT-based attesting entities on a switch tray, the protocol used to transmit measurements to a centralized point within the system is SPDM v1.1. In the SPDM protocol, the attesting entities are referred to as SPDM Responders.
On the Switch Tray, the BMC acts as the collection point for SPDM-based measurements. To retrieve the measurements from the BMC, you can use the DMTF Redfish APIs under the ComponentIntegrity schema. The BMC is equipped with a dedicated management RJ-45 Ethernet connection where the Redfish server listens for incoming connections. Authentication against the Redfish server (using standard Redfish mechanisms) is required to access the measurements.
In addition to obtaining measurements from the BMC, you can also retrieve measurements from all eRoTs through the NVUE API or the NVUE CLI.
The following diagram illustrates both attestation paths:
BMC API
The BMC API uses the standard Redfish ComponentIntegrity methodology to provide measurements to the remote. ComponentIntegrity requires authentication against the Redfish server, and following authentication, is accessible at:
/redfish/v1/ComponentIntegrity
Issuing a GET to this URI will provide a list of component IDs that can be targeted for attestation actions. The output is similar to the following:
{
"@odata.id": "/redfish/v1/ComponentIntegrity",
"@odata.type": "#ComponentIntegrityCollection.ComponentIntegrityCollection",
"Members": [
{
"@odata.id": "/redfish/v1/ComponentIntegrity/MGX_ERoT_BMC_0"
},
{
"@odata.id": "/redfish/v1/ComponentIntegrity/MGX_ERoT_CPU_0"
},
{
"@odata.id": "/redfish/v1/ComponentIntegrity/MGX_ERoT_FPGA_0"
},
{
"@odata.id": "/redfish/v1/ComponentIntegrity/MGX_ERoT_NVSwitch_0"
},
{
"@odata.id": "/redfish/v1/ComponentIntegrity/MGX_ERoT_NVSwitch_1"
}
],
"Members@odata.count": 5,
"Name": "ComponentIntegrity Collection"
}
Each of the SPDM responders on the tray are accessible with a Redfish GET method at:
/redfish/v1/ComponentIntegrity/{ComponentIntegrityId}
For example, issuing a request for the BMC eRoT results in something similar to:
{
"@odata.id": "/redfish/v1/ComponentIntegrity/MGX_ERoT_BMC_0",
"@odata.type": "#ComponentIntegrity.v1_0_0.ComponentIntegrity",
"Actions": {
"#ComponentIntegrity.SPDMGetSignedMeasurements": {
"@Redfish.ActionInfo": "/redfish/v1/ComponentIntegrity/MGX_ERoT_BMC_0/SPDMGetSignedMeasurementsActionInfo",
"target": "/redfish/v1/ComponentIntegrity/MGX_ERoT_BMC_0/Actions/ComponentIntegrity.SPDMGetSignedMeasurements"
}
},
"ComponentIntegrityEnabled": true,
"ComponentIntegrityType": "SPDM",
"ComponentIntegrityTypeVersion": "unknown",
"Id": "MGX_ERoT_BMC_0",
"Links": {
"ComponentsProtected": [
{
"@odata.id": "/redfish/v1/Managers/BMC_0"
}
]
},
"Name": "SPDM Integrity for MGX_ERoT_BMC_0",
"SPDM": {
"IdentityAuthentication": {
"ResponderAuthentication": {
"ComponentCertificate": {
"@odata.id": "/redfish/v1/Chassis/MGX_ERoT_BMC_0/Certificates/CertChain"
}
}
},
"Requester": {
"@odata.id": "/redfish/v1/Managers/BMC_0"
}
},
"TargetComponentURI": "/redfish/v1/Chassis/MGX_ERoT_BMC_0"
}
The ComponentCertificate property above can be used to obtain the certificate chain matching a specific component. In general, the SPDM certificate chain of an eRoT is obtainable with a GET method to:
/redfish/v1/Chassis/{ComponentIntegrityId}/Certificates/CertChain
This will return the certificate chain provided by the eRoT via the SPDM GET_CERTIFICATE command, specifically targeting certificate slot 0, which contains the NVIDIA certificate chain.
To retrieve the measurements from a component, use the following Redfish Action URI. Issue a POST request to initiate the measurement collection:
{Base URI of target}/Actions/ComponentIntegrity.SPDMGetSignedMeasurements
The parameters provided for this action are standard (please refer to the Redfish schema documentation linked at the beginning of this document) and include a nonce, a certificate slot ID, and the requested measurements. To issue this command to the Switch Tray BMC, use the following values:
nonce = Generated and supplied by the entity invoking the Redfish Action
Certificate Slot ID = 0 (Slot 0 contains the NVIDIA certificate chain)
Requested Measurements = 0xFF (requests all measurements)
Measurement collection is asynchronous. Once you submit a request for measurements to the BMC, a task is created to gather the measurements. The URL for checking the task status is included in the response to the SPDMGetSignedMeasurements Action invocation. For example:
{
"@odata.id": "/redfish/v1/TaskService/Tasks/0",
"@odata.type": "#Task.v1_4_3.Task",
"Id": "0",
"TaskState": "Running",
"TaskStatus": "OK"
}
In general, the URI follows this format:
/redfish/v1/TaskService/Tasks/<Spawned Task ID>
Sending a GET request to this URI will provide a status update on the task. Once the task indicates completion, the attestation measurements will be available.
To retrieve the measurements, send a GET request to:
/redfish/v1/ComponentIntegrity/{ComponentIntegrityID}/Actions/ComponentIntegrity.SPDMGetSignedMeasurements/data
The result is in the following format:
{
"HashingAlgorithm": "TPM_ALG_SHA_384",
"SignedMeasurements": "<Base64 Encoding of the Signed Measurement Blob>”
"SigningAlgorithm": "TPM_ALG_ECDSA_ECC_NIST_P384",
"Version": "1.1.0"
}
NVUE API and CLI
The eRoT SPDM attestation results can also be accessed via the NVUE API and NVUE CLI.
The CLI commands to retrieve measurements and certificates are as follows:
Show Attestable Components
CLI Syntax | nv show system security spdm | |
API URI | GET https://<system_hostname>/nvue_v1/system/security/spdm | |
Parameters | None | |
Notes | The result is a list of the components available for attestation.
| |
Generate Measurements
CLI Syntax | nv action generate system security spdm <component_id> [optional: nonce <nonce value>] | |
API URI | POST https://<system_hostname>/nvue_v1/ system/security/spdm/<component_id> | |
Parameters | component_id | The eRoT for which attestation is requested. The list of possible component IDs can be obtained by the Show Attestable Components command above. |
nonce | An optional parameter specifying the 256-bit nonce (provided as a hexadecimal string) to be signed together with the measurements by the SPDM responder. If not provided, a nonce is generated by the BMC. | |
Notes | This command initiates a task to generate the measurements. Once the task is complete, the measurements can be collected using the "show measurements" command. | |
Show Measurements
CLI Syntax | nv show system security spdm <component_id> measurements [optional: -ojson] | |
API URI | GET https://<system_hostname>/nvue_v1/ system/security/spdm/<component_id>/measurements | |
Parameters | component_id | The eRoT for which attestation is requested. Can be one of the following: · ERoT_BMC_0 · ERoT_CPU_0 · ERoT_FPGA_0 · ERoT_NVSwitch_0 · ERoT_NVSwitch_1 |
Notes | If “-o json” is specified the result is similar to the Redfish output:
Without “-o json” a text output will be provided, but some fields will be omitted as they cannot be displayed. | |
Show Certificate Chain
CLI Syntax | nv show system security spdm <component_id> certificates [optional: -ojson] | |
API URI | GET https://<system_hostname>/nvue_v1/ system/security/spdm/<component_id>/certificates | |
Parameters | component_id | The eRoT for which the certificate chain is requested. The list of possible component IDs can be obtained by the Show Certificate List command above. |
Notes | Without “-o json” a text output will be provided, but some fields will be omitted as they cannot be displayed. | |
TPM-Based Measurements
The TPM-based measurements stored in the COMex TPM can be retrieved through the NVUE APIs or the NVUE CLI. These APIs are accessible via the Switch Management Network, which consists of two dedicated RJ-45 network ports connected to the COMex CPU. TPM-based measurements are not available through the BMC.
As with retrieving SPDM measurements via the NVUE API, authentication is required to obtain TPM measurements using this method. For authentication details, refer to the NVOS User Guide.
The flow below involves encapsulating a signed TPM Quote over the REST API. In addition to the NVUE API, an admin user logged into NVOS can generate measurements using the NVUE CLI.
NVUE API and CLI
Get IAK Certificate / Get Quote results
CLI Syntax | nv action upload system security tpm <file: IAK/quotes> | |
API URI | Will be defined in NVUE user manual | |
Parameters | file | IAK.crt or quotes.json - IAK certificate or the prepared quote file. |
Notes | The result is a list of the components available to upload from the system: The IAK certificate or the quote.json file. | |
Get Quote
CLI Syntax | nv action generate system security tpm <pcr list> <nonce> algorithm <sha384> | |
API URI | Will be defined in NVUE user manual | |
Parameters | PCR List | The PCRs to be included in the quote |
Nonce | A random hex string | |
Algorithm (optional) | The algorithm for digesting the quote. Defaults to SHA384 | |
Notes | This action generates the quote that you can retrieve later with the above get command. | |