Skip to main content

What is NVIDIA Confidential Computing & Attestation?

NVIDIA Confidential Computing (CC) creates a secure, isolated environment directly on the GPU. Think of it as a locked, tamper-proof “black box” where your AI model and data are processed. Nothing outside this box—not even the server’s operating system—can see or interfere with what happens inside. Attestation is the proof that this “black box” is genuine. It’s a digitally signed report from the GPU itself that cryptographically answers two key questions:
  1. “Am I a real NVIDIA GPU?” - It confirms the hardware is authentic and not an emulator.
  2. “Is my environment secure?” - It verifies that the GPU’s firmware and drivers are up-to-date and haven’t been tampered with.
Why does this matter for you? Trust. With attestation, you don’t have to blindly trust that we are running your AI on a real H100 GPU. You can mathematically verify it. This provides a level of on-chain verifiability and trust that is crucial for decentralized applications, especially those handling valuable or sensitive tasks.

How APUS Delivers Attestations

You don’t need to do anything extra to enable this powerful security feature. We’ve integrated the NVIDIA Attestation SDK directly into our HyperBEAM service nodes. To request an attestation, simply add "tee": true to your inference request body. When this flag is present, our service automatically generates a new attestation from the GPU that performed the computation. This attestation is bound to your specific request and the generated response. The response will include an attestation object in the JSON body: 
{
  "id": "chatcmpl-123...",
  "choices": [...],
  "attestation": {
    "raw": "{\"request\":{...},\"response\":{...},\"timestamp\":1717500000}",
    "nonce": "a1b2c3d4...",
    "token": "eyJhbGciOiJ..."
  }
}
  • raw: The exact data that was hashed (includes your request, the response, and a timestamp).
  • nonce: The SHA-256 hash of the raw data. This acts as the cryptographic binding.
  • token: The signed attestation quote from the GPU TEE. The GPU signs the nonce inside this token.
This mechanism ensures that the response you received is exactly what was generated by the verified GPU.

How to Verify an Attestation

The Easy Way (Using the APUS Verifier Service)

For your convenience, we have encapsulated the NVIDIA verification logic into a simple, dedicated service endpoint running on our HyperBEAM node. You can send the attestation data directly to this endpoint and get a simple “pass” or “fail” result. This is the recommended method for most use cases during the Hackathon. Endpoint: https://hb.apus.network/[email protected]/verify How to Use: Simply make a GET request to the endpoint, passing the full attestation string you received as the request body. Here is a curl command example. Replace YOUR_ATTESTATION_STRING_HERE with the actual value from the X-Attestation tag. 
curl --request GET \\
  --url 'https://hb.apus.network/[email protected]/verify' \\
  --header 'Content-Type: application/json' \\
  --data 'YOUR_ATTESTATION_STRING_HERE'
Response:
  • Successful Verification: If the attestation is valid, the service will return true.
  • Failed Verification: If the attestation is invalid or tampered with, the service will return an error message.

The Advanced Way (Using the NVIDIA SDK)

For developers who require full control over the verification process or wish to integrate it directly into their own trusted backend, you can verify the attestation token using NVIDIA’s official Attestation SDK. This method is more complex as it requires setting up a Python environment and understanding the SDK’s components. Prerequisites:
  1. Python Environment: You need Python 3.8 or later.
  2. NVIDIA Attestation SDK: You must install the SDK from PyPI. It’s recommended to do this in a virtual environment. 
    # Create and activate a virtual environment
python3 -m venv venv
source venv/bin/activate

# Install the SDK
pip3 install nv-attestation-sdk
Verification Workflow: The core steps to verify an attestation token on your own are:
  1. Verify the Binding: Calculate the SHA-256 hash of the raw data and confirm it matches the nonce.
  2. Verify the Token: Use the NVIDIA SDK to validate the token and ensure its internal nonce matches your calculated nonce.
Example Python Script: 
#!/usr/bin/env python3
import json
import hashlib
from nv_attestation_sdk import attestation

def verify_inference(response_json):
    # 1. Extract attestation data
    att_data = response_json.get("attestation", {})
    raw_data = att_data.get("raw")
    claimed_nonce = att_data.get("nonce")
    token = att_data.get("token")

    if not all([raw_data, claimed_nonce, token]):
        print("Error: Missing attestation fields")
        return False

    # 2. Verify the Binding (Hash Check)
    # The nonce must be the SHA256 hash of the raw data
    calculated_nonce = hashlib.sha256(raw_data.encode('utf-8')).hexdigest()

    if calculated_nonce != claimed_nonce:
        print(f"Hash Mismatch! Calculated: {calculated_nonce}, Claimed: {claimed_nonce}")
        return False

    print("[PASS] Hash binding verified.")

    # 3. Verify the Token using NVIDIA SDK
    try:
        client = attestation.Attestation()

        # Validate the token against a policy (optional but recommended)
        # For this example, we decode and check the nonce manually
        decoded_claims = client.decode_token(token)

        # The token contains the nonce we passed during generation
        token_nonce = decoded_claims.get("x-nvidia-overall-att-result", {}).get("nonce", "")

        # Note: The SDK might structure claims differently depending on version.
        # Ideally, use client.validate_token(policy, nonce=calculated_nonce)

        print("[PASS] Token signature verified by NVIDIA SDK.")
        return True

    except Exception as e:
        print(f"Token verification failed: {e}")
        return False

# Example Usage
response = {
    "attestation": {
        "raw": "...",
        "nonce": "...",
        "token": "..."
    }
}
verify_inference(response)
For a complete implementation and more details, we strongly recommend you consult the official NVIDIA Attestation SDK documentation https://github.com/NVIDIA/nvtrust/tree/main/guest_tools/attestation_sdk and its example scripts. They provide the most accurate and up-to-date information.
  • NVIDIA Attestation SDK on GitHub: [Link to nvtrust GitHub repo]
  • Sample Verification Scripts: Refer to RemoteGPUTest.py and LocalGPUTest.py in the SDK’s tests directory.