go-nvtrust: NVIDIA GPU Confidential Computing Attestation in Go

https://github.com/confidentsecurity/go-nvtrust

At Confident Security, we’re a Go shop. We like Go because Go code is scrutable – what you see is mostly what you get. Go’s error handling is explicit, albeit a bit verbose; it builds fast; it’s strongly typed; it runs pretty fast without much work; and, generally, the builds are reproducible and cross-platform. It doesn’t hurt that Go’s dev toolchain is great too. We like Go so much that we avoid shell scripting and instead write Go utils to call the functions that underlie any command-line tool. For instance, we don’t use the git-cli in a shell script, we just use go-git. We even try to avoid make and use mage instead. No language is perfect, but Go strikes the right balance for our product. But I digress…

One of the guarantees our Private AI product offers is that hardware is untampered and data is processed inside a trusted execution environment (TEE). Think of a TEE as a confidential area where nobody can see what’s going on inside of it, like a black box. Users can cryptographically verify the security of that black box for themselves by using a process called remote attestation. And, of course, there are software libraries that facilitate the remote attestation process, including for GPUs.

And AI needs GPUs. The only GPUs out there that support working with CPU-based TEEs are NVIDIA’s H100, H200, and B200 models. These GPUs have their own “confidential mode” and can remotely attest to their configuration. The only official high-level software library out there for remote attestation with GPUs is NVIDIA’s nvtrust [1].

Nvtrust isn’t written in Go, so, naturally, when it came time to support remote attestation in CONFSEC, our Private AI product, we made a version in our favorite language! We call this library go-nvtrust. We’re happy to maintain it, but we’d also love NVIDIA’s help. So, that’s the announcement.

For those of you looking for a Go-based NVIDIA remote attestation software library, this is it. It does what it says on the tin, and it’s battle-tested. I’d choose it over the Python version any day. Check out the README for a simple how-to.

For those who are interested in learning more about TEEs, confidential computing, and remote attestation, check out NVIDIA’s intro. And keep an eye on our blog; there’s more to come soon.

[1] There is a recently published attestation-SDK that is “alpha” and in “early access.” We’d be open to swapping our Go bindings over to it when the time is right. Comparing our project with the attestation-SDK may also help reveal the best API.

Please support go-nvtrust with a star on GitHub!