
Commit a2aa3cc

butler54claude
andcommitted
feat: add NVIDIA GPU attestation via NRAS remote verifier
- Add kbs.gpu.enabled value (default false) for GPU attestation support - Configure NRAS remote verifier when GPU enabled (kbs-config-map) - Add default_gpu.rego policy for NRAS x-nvidia-* claims - Add GPU-aware resource policy requiring both cpu0 and gpu0 affirming - Existing GPU rules in default_cpu.rego handle CPU-class + GPU evidence Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
1 parent da742ac commit a2aa3cc

4 files changed

Lines changed: 76 additions & 2 deletions


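--- a/templates/attestation-policy.yaml
+++ b/templates/attestation-policy.yaml
@@ -69,4 +69,62 @@ data:
 input.init_data in query_reference_value("init_data")
 }
 hardware := 2 if { input["snp"] }
-configuration := 2 if { input["snp"] }
+configuration := 2 if { input["snp"] }
+{{- if .Values.kbs.gpu.enabled }}
+
+##### GPU Attestation (NVIDIA H100/H200) — CPU-class evidence with GPU data
+hardware := 2 if {
+input["snp"]
+input["gpu"]
+}
+
+executables := 3 if {
+input["snp"]
+input["gpu"]
+input.init_data in query_reference_value("init_data")
+}
+
+configuration := 2 if {
+input["snp"]
+input["gpu"]
+}
+{{- end }}
+{{- if .Values.kbs.gpu.enabled }}
+default_gpu.rego: |
+package policy
+
+import rego.v1
+
+default hardware := 97
+default executables := 33
+default configuration := 36
+
+trust_claims := {
+"executables": executables,
+"hardware": hardware,
+"configuration": configuration,
+}
+
+hardware := 2 if {
+input.nvidia
+input.nvidia["x-nvidia-gpu-attestation-report-cert-chain"]["x-nvidia-cert-status"] == "valid"
+input.nvidia["x-nvidia-gpu-attestation-report-parsed"]
+input.nvidia["x-nvidia-gpu-attestation-report-signature-verified"]
+input.nvidia["x-nvidia-gpu-arch-check"]
+}
+
+configuration := 2 if {
+input.nvidia.secboot
+input.nvidia.dbgstat == "disabled"
+}
+
+executables := 3 if {
+input.nvidia["x-nvidia-gpu-driver-rim-fetched"]
+input.nvidia["x-nvidia-gpu-driver-rim-schema-validated"]
+input.nvidia["x-nvidia-gpu-driver-rim-signature-verified"]
+input.nvidia["x-nvidia-gpu-vbios-rim-fetched"]
+input.nvidia["x-nvidia-gpu-vbios-rim-schema-validated"]
+input.nvidia["x-nvidia-gpu-vbios-rim-signature-verified"]
+input.nvidia.measres == "success"
+}
+{{- end }}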
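Review bot: The hardware rule in default_gpu.rego (new lines 108-114) checks cert-chain status, parse, signature and architecture, but nothing in the rule binds the report to the verifier's nonce, so as far as this policy is concerned a stale report from a genuine GPU is as good as a fresh one; if the deployed NRAS token carries a nonce-match claim (the claim set I know of has `x-nvidia-gpu-attestation-report-nonce-match`), add `input.nvidia["x-nvidia-gpu-attestation-report-nonce-match"]` to the body, and if the Remote verifier already rejects mismatched nonces before emitting claims, say so in a comment above the rule. The three gpu-guarded rules added to default_cpu.rego (new lines 76-90) assign exactly the values the unconditional `hardware := 2 if { input["snp"] }` and its siblings already produce, so they place no constraint on GPU evidence; that matches the commit message, but a comment such as `# GPU claims are judged by default_gpu.rego; these rules only keep the CPU verdict unchanged when GPU evidence is present` would stop a reader from assuming GPU data is checked here. The rendered page drops indentation, so whether `default_gpu.rego: |` sits at the same YAML level as the other policy keys under `data:` cannot be confirmed from this view.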

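--- a/templates/kbs-config-map.yaml
+++ b/templates/kbs-config-map.yaml
@@ -52,6 +52,11 @@ data:
 [attestation_service.rvps_config.storage]
 type = "LocalJson"
 file_path = "/opt/confidential-containers/rvps/reference-values/reference-values.json"
+{{- if .Values.kbs.gpu.enabled }}
+
+[attestation_service.verifier_config.nvidia_verifier]
+type = "Remote"
+{{- end }}
 
 [[plugins]]
 name = "resource"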
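Review bot: The `[attestation_service.verifier_config.nvidia_verifier]` table (new lines 57-58) selects a remote verifier with no visible endpoint, trust anchor or timeout, so an operator reading this config cannot tell which NRAS instance the attestation service will contact or how an unreachable verifier is handled. Add a comment above the table, e.g. `# GPU evidence is forwarded to NVIDIA's hosted NRAS; the AS needs outbound access to it and relies on the verifier's check of the returned signed EAT`, and if the Remote verifier type supports an explicit endpoint setting, pin it here instead of relying on a built-in default. Enabling `kbs.gpu.enabled` moves part of the attestation trust decision off-cluster, which is worth stating in the chart's values documentation as well.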

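--- a/templates/resource-policy.yaml
+++ b/templates/resource-policy.yaml
@@ -15,4 +15,11 @@ data:
 
 allow if {
 input["submods"]["cpu0"]["ear.status"] == "affirming"
-}
+}
+{{- if .Values.kbs.gpu.enabled }}
+
+allow if {
+input["submods"]["cpu0"]["ear.status"] == "affirming"
+input["submods"]["gpu0"]["ear.status"] == "affirming"
+}
+{{- end }}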
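Review bot: The new two-submod rule (new lines 21-24) does not make gpu0 required: Rego `allow` rules are disjunctive, and the existing `allow if { input["submods"]["cpu0"]["ear.status"] == "affirming" }` at new lines 16-18 stays in effect, so a request whose GPU evidence is absent or not affirming is still allowed on the strength of cpu0 alone, contrary to "requiring both cpu0 and gpu0 affirming" in the commit message. Guard the original rule so it only exists in the non-GPU configuration: put `{{- if not .Values.kbs.gpu.enabled }}` before `allow if {` on new line 16 and `{{- end }}` after its closing brace on new line 18, or fold both rules into a single `{{- if }}` / `{{- else }}` / `{{- end }}`. With that change every resource in a GPU-enabled deployment requires an affirming gpu0 submod, including requests from workloads that have no GPU, which appears intended but should be stated in a comment next to the rule.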

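--- a/values.yaml
+++ b/values.yaml
@@ -48,6 +48,10 @@ kbs:
 # exist in the trustee-operator-system namespace.
 extraSecrets: []
 
+# NVIDIA GPU confidential computing configuration
+gpu:
+enabled: false
+
 # Intel TDX (Trust Domain Extensions) configuration
 tdx:
 # Enable TDX attestation support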
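Review bot: `gpu.enabled` (new line 53) has no per-key comment, while the neighbouring `tdx` block documents its key with `# Enable TDX attestation support` (line 57). Mirror that with `# Enable NVIDIA GPU attestation through the NRAS remote verifier; the attestation service needs outbound access to NRAS and the GPU policies are rendered only when this is true` above `enabled: false`, so the network and trust implications of flipping the switch are visible where it is set.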
