Offline Licensing is a mechanism for compute governance that could be used to prevent unregulated training of potentially dangerous frontier AI models. The mechanism works by disabling AI chips unless they hold an unconsumed license issued by a regulator. In this report, we present a design for a minimal version of Offline Licensing that could be delivered via a firmware update. Existing AI chips could potentially support Offline Licensing within a year if they have the following (relatively common) hardware security features: firmware verification, firmware rollback protection, and secure non-volatile memory. Public documentation suggests that NVIDIA's H100 AI chip already has these security features. Without additional hardware modifications, the system is susceptible to physical hardware attacks. However, such attacks might require expensive equipment and could be difficult to apply reliably to thousands of AI chips. A firmware-based Offline Licensing design shares the same legal requirements and license approval mechanism as a hardware-based solution, so implementing a firmware-based solution now could accelerate the eventual deployment of a more secure hardware-based solution in the future. For AI chip manufacturers, implementing this security mechanism might allow chips to be sold to customers to whom sales would otherwise be prohibited by export restrictions. For governments, it may be important to be able to prevent unsafe or malicious actors from training frontier AI models in the next few years. Based on this initial analysis, firmware-based Offline Licensing could partially solve urgent security and trade problems and is technically feasible for AI chips that have common hardware security features.
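The abstract describes the mechanism only at a high level: a chip stays disabled unless it holds an unconsumed, regulator-issued license, and the firmware relies on a pinned verification key plus secure non-volatile memory to make that check hold across resets. The following Go program is an added illustration of what such a firmware-side check could look like; it is not the report's design and not NVIDIA's code. The license format (chip identifier, per-chip serial, compute-hour budget, ed25519 signature), the `Regulator`, `Chip`, `Redeem` and `Spend` names, and the use of a "last consumed serial" stored in secure NVM as the replay guard are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// License is the regulator-issued token (assumed format): bound to one chip
// and numbered per chip so it can be consumed at most once.
type License struct {
	ChipID    [16]byte // assumed immutable per-chip identifier
	Serial    uint64   // strictly increasing per chip; drives replay rejection
	Hours     uint32   // assumed compute budget granted by this license
	Signature []byte   // ed25519 signature by the regulator over the fields above
}

// signedBytes is the canonical encoding the regulator signs and the chip verifies.
func (l License) signedBytes() []byte {
	buf := make([]byte, 16+8+4)
	copy(buf, l.ChipID[:])
	binary.BigEndian.PutUint64(buf[16:], l.Serial)
	binary.BigEndian.PutUint32(buf[24:], l.Hours)
	return buf
}

// Regulator holds the signing key; licenses are issued fully offline.
type Regulator struct{ priv ed25519.PrivateKey }

func NewRegulator() (Regulator, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Regulator{}, nil, err
	}
	return Regulator{priv: priv}, pub, nil
}

func (r Regulator) Issue(chip [16]byte, serial uint64, hours uint32) License {
	l := License{ChipID: chip, Serial: serial, Hours: hours}
	l.Signature = ed25519.Sign(r.priv, l.signedBytes())
	return l
}

// Chip models what verified firmware can rely on: the chip identity, the pinned
// regulator key, and the last consumed serial in secure NVM (so a power cycle
// or firmware rollback cannot reset it and reopen old licenses).
type Chip struct {
	ID           [16]byte
	regulatorKey ed25519.PublicKey
	lastSerial   uint64 // assumed to live in secure non-volatile memory
	Budget       uint32 // remaining licensed compute hours
	Enabled      bool
}

func NewChip(id [16]byte, regulatorKey ed25519.PublicKey) *Chip {
	return &Chip{ID: id, regulatorKey: regulatorKey}
}

var (
	ErrBadSignature = errors.New("license signature does not verify")
	ErrWrongChip    = errors.New("license is bound to a different chip")
	ErrReplayed     = errors.New("license serial already consumed")
)

// Redeem is the firmware-side check: signature first (nothing unsigned is
// trusted), then chip binding, then replay. The serial is committed before
// compute is enabled so an interrupted redeem cannot leave the license reusable.
func (c *Chip) Redeem(l License) error {
	if !ed25519.Verify(c.regulatorKey, l.signedBytes(), l.Signature) {
		return ErrBadSignature
	}
	if l.ChipID != c.ID {
		return ErrWrongChip
	}
	if l.Serial <= c.lastSerial {
		return ErrReplayed
	}
	c.lastSerial = l.Serial
	c.Budget += l.Hours
	c.Enabled = c.Budget > 0
	return nil
}

// Spend deducts compute time; once the budget is exhausted the chip disables
// itself until a fresh (higher-serial) license is redeemed.
func (c *Chip) Spend(hours uint32) {
	if hours >= c.Budget {
		c.Budget, c.Enabled = 0, false
		return
	}
	c.Budget -= hours
}

func main() {
	reg, pub, err := NewRegulator()
	if err != nil {
		panic(err)
	}
	var id [16]byte
	copy(id[:], "chip-0001") // constructed chip identifier for the demo
	chip := NewChip(id, pub)
	lic := reg.Issue(id, 1, 100)
	fmt.Println("redeem:", chip.Redeem(lic), "enabled:", chip.Enabled)
	fmt.Println("replay:", chip.Redeem(lic))
	chip.Spend(100)
	fmt.Println("budget exhausted, enabled:", chip.Enabled)
	fmt.Println("serial 2:", chip.Redeem(reg.Issue(id, 2, 50)), "enabled:", chip.Enabled)
}
```

The three hardware features named in the abstract map onto this code directly: firmware verification is what lets the chip trust `regulatorKey` and the `Redeem` logic at all, rollback protection is what stops an attacker from reinstalling a firmware that skips the check, and secure NVM is what makes `lastSerial` survive resets. Without those, an attacker who can rewrite flash or glitch the NVM write can replay a license, which is the physical-attack residual the abstract acknowledges.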