6.2.1 Use of Hardware Mechanisms for AI Security
Original Problem in the Paper
Motivation: integrating TEEs into AI compute clusters could ensure workload confidentiality/integrity and support security, attestation, verification, and access governance. Open problems: make TEEs useful for hardware-enabled governance at cluster/datacenter scale; attest chip identity and processed data; support multi-accelerator confidential computing; independently test GPU/AI-accelerator TEEs and security processors.
July 2026 Update & Trajectory
Single-node/single-tenant confidential GPU computing is real: NVIDIA H100 supports CC mode, secure/measured boot, SPDM, attestation reports, device identity certificates, NRAS, and CPU TEE integration. However, the paper’s governance-grade requirements—robust cluster-wide/multi-GPU attestation, proof of data/workload identity, firmware update governance, and independent GPU-TEE security assurance—remain only partly documented; no verified 2026 public source shows full datacenter-scale governance TEEs.
Deployed / Operationalized
- NVIDIA H100 confidential computing for protected GPU workloads in CVMs/containers with attestation and encrypted CPU-GPU transfer paths.
- Cloud/hardware roots of trust and measured boot stacks (Caliptra/OpenTitan-style) for device identity, measured boot, and attestation in datacenter-class SoCs.
- AI labs can incorporate confidential computing to protect model weights during use, as recommended by RAND.
New Tractable Vectors
- End-to-end attestation chains tying model weights, code, firmware, driver, GPU identity, and tenant policy into auditable evidence.
- Cluster-level confidential inference/training over multiple accelerators, with performance-aware secure interconnects.
- Governance policies enforced via signed workloads and attested deployment environments.
Key Open Questions
- Independent public red-team evidence for GPU TEEs comparable to CPU TEE vulnerability research.
- Attesting what data a GPU processed without leaking data or creating prohibitive logging burdens.
- Secure live update/rollback prevention for on-chip governance firmware under adversarial operators.
Evidence & Primary Sources
- NVIDIA states H100 is the first GPU with confidential computing: hardware TEE anchored in on-die root of trust, secure/measured boot, SPDM session, signed attestation report, NRAS validation. (2023-08-03): https://developer.nvidia.com/blog/confidential-computing-on-h100-gpus-for-secure-and-trustworthy-ai/
- RAND recommends confidential computing to secure model weights during use and reduce attack surface. (2024-05-30): https://www.rand.org/pubs/research_reports/RRA2849-1.html
- Caliptra targets CPUs, GPUs, DPUs, TPUs with identity, measured boot, and attestation capabilities for datacenter-class SoCs. (2026): https://github.com/chipsalliance/Caliptra
- OpenTitan is a production-deployed open silicon root of trust designed for standards compliance, including FIPS/Common Criteria goals. (2026): https://opentitan.org/