Exciting news coming out of the inaugural Confidential Computing Summit where Nvidia stated that it will collaborate with Intel to offer comprehensive attestation services for Nvidia H100 GPUs via Intel® Trust Domain Extensions and Intel’s upcoming trust service code-named “Project Amber.” This is a significant development for customers who want to deploy confidentiality-preserving artificial intelligence (AI) solutions that meet elevated security and compliance needs.
AI is the defining workload of our time, with many of the most demanding workloads requiring hardware acceleration with a GPU. AI workloads often handle data that demands a high level of protection, either due to elevated security concerns or privacy regulations. Confidential Computing is an industry movement to protect sensitive data and code while it is in use by executing inside a hardware-hardened Trusted Execution Environment (TEE) where it can be accessed only by authorized users and software.
Attestation, Trust, and the Challenge of Accelerated Confidential AI
Attestation is an essential process in Confidential Computing where a stakeholder is provided cryptographically-verified proof that the TEE they plan to use is genuine, conforms to their security policies, and configured exactly as expected. Attestation is critical to establish trust in the computing platform you’re about to use with your highly sensitive data.
Intel and Nvidia deliver Confidential Computing technologies that establish independent TEE’s on the CPU and GPU, respectively. For a customer, this presents an attestation challenge, arguably requiring attestation from two different services to gather the evidence needed to verify the trustworthiness of the CPU and GPU TEE’s.
Through this collaboration, Intel and Nvidia will enable a more unified, easy-to-deploy attestation solution for “Confidential AI” based on Intel® Xeon® Scalable CPUs with Intel Trust Domain Extensions (Intel® TDX) and Nvidia H100 GPUs. The solution will use Intel’s cloud-based trust service, Project Amber. Users will have the option of making separate attestation calls to the Nvidia Remote Attestation Service (NRAS) for GPU attestation and Intel’s Project Amber for the CPU attestation, or they can make a single request to Project Amber and collect all the required evidence for CPU and GPU from a single service. Project Amber will transparently integrate with NRAS for a seamless user experience. Customers can also use the Project Amber Policy definition and appraisal capabilities for both CPU and GPU TEEs.
Looking Ahead - A Unified Trust Environment for Accelerated Confidential AI
The architecture behind this collaboration relies on separate CPU and GPU-based TEE’s communicating via an Nvidia driver that encrypts data across a PCI Express connection. At the Open Confidential Computing Conference earlier this year, we announced Intel® TDX Connect, a more robust, performance-oriented solution for confidential communications and memory sharing between TEE’s on the CPU and PCI Express-attached devices. At the conference, Nvidia offered their support for Intel TDX Connect and we look forward to continued collaboration that delivers accelerated Confidential AI solutions for our mutual customers.
Anil Rao is vice president in the Intel Office of the CTO and responsible for Security and Systems Architecture for Intel Corporation. Rao leads technical vision, strategy, and architecture for next-generation cloud to edge to client security, heterogeneous systems architecture including disaggregated and container computing, and Graph and Sparse AI.
Rao joined Intel in 2016 with two decades of engineering, product and strategy expertise in cloud and data center technologies. He was a co-founder of SeaMicro Inc. in 2007 developing energy-efficient converged solutions for cloud and data centers. After SeaMicro was acquired by Advanced Micro Devices (AMD) in 2012, Rao spent three years as corporate vice president of products in AMD’s Data Center Solutions Business Group. He served as technical adviser and strategy consultant to the office of the chief technology officer at Qualcomm until joining Intel.
Rao earned a bachelor’s degree in electrical and communications engineering from Bangalore University in India, a master’s degree in computer science from Arizona State University, and an MBA degree from the University of California, Berkeley. He is a co-author of the Optical Internetworking Forum’s OIF specifications and holds several patents in networking and data center technologies.