Blueprint, Bootstrap, and Bridge: A Security Look at NVIDIA GPU Confidential Computing

TL;DR

This paper provides a security analysis of NVIDIA GPU Confidential Computing, reconstructing its architecture, bootstrap process, and evaluating data protection across CPU-GPU boundaries.

Contribution

It offers a detailed reconstruction of GPU-CC's architecture and security mechanisms, along with experimental insights into data protection during transfers.

Findings

Identified architectural components supporting security in GPU-CC

Analyzed the bootstrap process for establishing protections

Assessed data transfer protections across CPU-GPU bridge

Abstract

NVIDIA GPU Confidential Computing (GPU-CC) aims to provide secure execution for AI workloads. For end users, enabling GPU-CC is seamless and requires no modifications to existing applications. However, this ease of adoption relies on a proprietary and highly complex system that is difficult to inspect, creating challenges for researchers seeking to understand its architecture and security landscape. In this work, we provide a security look at GPU-CC by reconstructing a coherent view of the system. We first examine the system's blueprint, focusing on the specialized architectural engines that support its security mechanisms. We then analyze the bootstrap process, which coordinates hardware and software components to establish these protections. Finally, we conduct targeted experiments to assess whether, under the GPU-CC threat model, data transfers along different paths remain protected across the bridge between trusted CPU and GPU domains. We responsibly disclosed all security findings presented in this paper to the NVIDIA Product Security Incident Response Team (PSIRT).