CR · Apr 17

Blueprint, Bootstrap, and Bridge: A Security Look at NVIDIA GPU Confidential Computing

IBM
arXiv:2507.02770 · 30.11 citations · h-index: 18
AI Analysis

For researchers and users of GPU-CC, this work provides the first independent security analysis of a proprietary system, revealing potential vulnerabilities in data protection.

This paper reconstructs the architecture of NVIDIA GPU Confidential Computing (GPU-CC) and experimentally evaluates data transfer protection across the CPU-GPU bridge, identifying security gaps under the GPU-CC threat model.

NVIDIA GPU Confidential Computing (GPU-CC) aims to provide secure execution for AI workloads. For end users, enabling GPU-CC is seamless and requires no modifications to existing applications. However, this ease of adoption relies on a proprietary and highly complex system that is difficult to inspect, creating challenges for researchers seeking to understand its architecture and security landscape. In this work, we provide a security look at GPU-CC by reconstructing a coherent view of the system. We first examine the system's blueprint, focusing on the specialized architectural engines that support its security mechanisms. We then analyze the bootstrap process, which coordinates hardware and software components to establish these protections. Finally, we conduct targeted experiments to assess whether, under the GPU-CC threat model, data transfers along different paths remain protected across the bridge between trusted CPU and GPU domains. We responsibly disclosed all security findings presented in this paper to the NVIDIA Product Security Incident Response Team (PSIRT).
