[Confidential Computing - Dachang has something to say] Confidential Computing on NVIDIA Hopper H100

1. NVIDIA Confidential Computing Roadmap (Hardware)

Over the past four generations, NVIDIA has continued to improve security and device integrity. One of the first documented efforts was in the NVIDIA V100 GPU, which provided AES authentication for the firmware running on the device. Authentication lets users trust that the boot firmware has not been compromised or tampered with. Over time, NVIDIA has introduced further measures: encrypting the firmware in the T4 so that attackers cannot easily inspect it for potential security holes, adding an external microcontroller (ERoT) to Ampere that reviews the firmware to ensure its validity, and, later, Hopper: a GPU with full confidential computing capability.

In a chain of trust, the trustworthiness of each layer of software in the chain is guaranteed by the layer before it, all the way back to the root of the chain, the root of trust (RoT). Immutability and formal verification lay the foundation for the root of trust. In confidential computing, NVIDIA uses the on-chip RoT to verify the keys programmed into the GPU, and with them the identity of the GPU and the authenticity of the firmware.

Combined with RoT, Secure Boot verifies that GPU firmware has been signed by NVIDIA and allows only signed and verified firmware to execute during GPU boot. It is a mechanism for authenticating and loading GPU firmware modules. Hardware mechanisms ensure that the firmware cannot be modified after the loading process until the system is rebooted. The combination of these two mechanisms ensures that the GPU always runs only verified and uncorrupted firmware.
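The chain of trust and Secure Boot check described above can be modeled in a few lines. This is an added example, not NVIDIA's implementation: the root of trust authenticates the first stage, and each stage carries the digest it expects of the next one, so a change anywhere halts the boot. The key, the stage names and the use of HMAC-SHA256 in place of a vendor signature are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed stand-in for the key material fused into the device. Real secure
# boot checks an asymmetric vendor signature; HMAC-SHA256 keeps this stdlib-only.
ROT_KEY = b"constructed-demo-key"

def digest(image: bytes, next_digest: bytes) -> bytes:
    """Measurement of a stage: its code plus the digest it expects of the next stage."""
    return hashlib.sha256(len(image).to_bytes(4, "big") + image + next_digest).digest()

def build_chain(images):
    """Vendor side: link stages back to front, then authenticate the first one."""
    stages, nxt = [], b""
    for name, image in reversed(images):
        stages.append({"name": name, "image": image, "next": nxt})
        nxt = digest(image, nxt)
    stages.reverse()
    tag = hmac.new(ROT_KEY, nxt, hashlib.sha256).digest()
    return stages, tag

def boot(stages, tag, rot_key=ROT_KEY):
    """Device side: the RoT checks stage 0, then each stage checks the one after it."""
    loaded = []
    first = digest(stages[0]["image"], stages[0]["next"])
    if not hmac.compare_digest(hmac.new(rot_key, first, hashlib.sha256).digest(), tag):
        return loaded, "halt: root of trust rejected " + stages[0]["name"]
    loaded.append(stages[0]["name"])
    for prev, cur in zip(stages, stages[1:]):
        if not hmac.compare_digest(digest(cur["image"], cur["next"]), prev["next"]):
            return loaded, "halt: " + prev["name"] + " rejected " + cur["name"]
        loaded.append(cur["name"])
    return loaded, "ok"

# Constructed sample images; the stage names are illustrative only.
IMAGES = [("bootloader", b"\x01stage0"), ("firmware", b"\x02stage1"), ("runtime", b"\x03stage2")]
```

Re-linking a patched stage into its predecessor does not help, because the predecessor's own measurement changes and the check one level up fails, ending at the root of trust.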

Confidential computing is a feature of secure hardware, and confidentiality can only be expected on hardware that has been authenticated. Hardware suppliers provide methods to ensure that the hardware received by the data center has not been modified at any point during transportation, or that any modification can be identified.

Origin blog.csdn.net/BillyThe/article/details/132056288