NVIDIA GPU Confidential Computing (GPU-CC) aims to provide secure execution for AI workloads. For end users, enabling GPU-CC is seamless and requires no modifications to existing applications. However, this ease of adoption relies on a proprietary and highly complex system that is difficult to inspect, creating challenges for researchers seeking to understand its architecture and security landscape. In this work, we provide a security-focused examination of GPU-CC by reconstructing a coherent view of the system. We first examine the system's blueprint, focusing on the specialized architectural engines that support its security mechanisms. We then analyze the bootstrap process, which coordinates hardware and software components to establish these protections. Finally, we conduct targeted experiments to assess whether, under the GPU-CC threat model, data transfers along different paths remain protected across the bridge between the trusted CPU and GPU domains. We responsibly disclosed all security findings presented in this paper to the NVIDIA Product Security Incident Response Team (PSIRT).