Can we perform the GPU attestation in AWS P5 instance? #65

Open
smilenow opened this issue Aug 5, 2024 · 8 comments

smilenow commented Aug 5, 2024

Hi, is someone available to perform the GPU attestation in an AWS P5 instance? Although it uses 3rd generation AMD EPYC processors, AWS doesn't enable the AMD SEV-SNP feature for it, which means the P5 instance is not a CVM. The instance types in AWS that support AMD SEV-SNP can be found here.

You can find the P5 instance spec at https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/p5-instances-started.html

Given this non-CVM AWS P5 instance, the cc_mode is disabled by default. After reading Confidential Computing on NVIDIA H100 GPUs for Secure and Trustworthy AI, I have several questions:

  1. Is it possible to perform the GPU attestation in an AWS P5 instance?
    1. MUST cc_mode be enabled before performing the GPU attestation? I think the answer is yes, right?
    2. Can we perform the GPU attestation in a non-CVM environment? I also tried the gpu-admin-tools to turn on cc_mode but it doesn't work.
    3. Based on the previous question, if we are convinced our execution environment is trusted, even if it's not a CVM (Intel TDX or AMD SEV-SNP), is it possible to perform the GPU attestation?

@Tan-YiFan

gpu-admin-tools should be executed on the host. Executing it in a VM would not help. The attestation could be done in a non-CVM but must be on a cc-enabled H100.

smilenow commented Aug 5, 2024

Got it, if gpu-admin-tools is designed to be executed on the host, then I think the AWS P5 instance type doesn't fit this requirement because it's a virtual server in AWS. I will try to contact AWS to see whether they can turn on the cc_mode in the corresponding host of the P5 instance.

A further question is, if we turn on the cc_mode in a non-CVM, how can we perform the attestation? Is it the same as the process in a CVM mentioned in https://github.com/NVIDIA/nvtrust/tree/main/guest_tools/gpu_verifiers/local_gpu_verifier?

Tan-YiFan commented Aug 5, 2024 via email

smilenow commented Aug 6, 2024

Thanks, just want to clarify, do you mean the only thing to hack the checks is to change the return value of the is_cc_enabled() function to always true, and perform the attest in the guest tools? Do we need to hack any other places in the guest tools or the drivers?

Tan-YiFan commented Aug 6, 2024 via email

smilenow commented Aug 6, 2024

Do you mean #61 (comment)? Is it the only change we need to make?

@Tan-YiFan

I did not find other places where Nvidia checks TDX/SEV.

@ruisizhang123

> Thanks, just want to clarify, do you mean the only thing to hack the checks is to change the return value of the is_cc_enabled() function to always true, and perform the attest in the guest tools? Do we need to hack any other places in the guest tools or the drivers?

Thank you for the insightful discussions. I wonder if you have successfully run TDX in AWS's H100 instances?
