NVIDIA Docs Hub NVIDIA Networking Networking Software Adapter Firmware NVIDIA Device Attestation and CoRIM-based Reference Measurement Sharing v3.0 ConnectX-8 Certificates

ConnectX-8 Certificates

ConnectX-8 supports DICE attestation measurements, with its certificate chain stored in SPDM certificate slot 0. Additionally, the device allows customer certificate chains to be provisioned into other available slots.

The figure below illustrates the pre-provisioned attestation certificate chain for ConnectX-8. Certificates L1 through L3 are embedded within the device image, while certificate L4 is provisioned during manufacturing and securely stored in write-protected memory.

image-2025-1-21_11-37-51-version-1-modificationdate-1748509473800-api-v2.png

During the boot process, the ConnectX-8 hardware root of trust (HW-RoT) and secure privileged code generate additional runtime certificates, which are stored in volatile internal memory. The leaf certificate, L6, is used to sign SPDM measurements, with its corresponding private key. The complete certificate chain is returned in response to the SPDM GET_CERTIFICATE command and resides in SPDM certificate slot 0.

image-2025-1-21_11-40-10-version-1-modificationdate-1748509474220-api-v2.png

Certificates L5 and L6 contain evidence as x.509 certificate extensions in section 2.23.133.5.4.1, specifically TCG_DICE_FWID-0 and TCG_DICE_FWID-1, respectively.

TCG_DICE_FWID-0 contains a SHA2-384 hash of the hardware configuration and the first mutable firmware code.
TCG_DICE_FWID-1 contains a SHA2-384 hash of the runtime firmware code.

ConnectX-8 follows the TCG draft for Implicit Identity-Based Device Attestation Version 1.0, Revision 0.93. Therefore, ConnectX-8 places the TCG-DICE-FWID in the OID 2.23.133.5.4.1, which is technically reserved for TCG-DICE-TCBINFO according to the TCG OID registry.