@super-protocol/addons-tee 2.0.0 → 2.0.1

package/dist/nvidia-native-module/nvidia-attestation.js

@@ -0,0 +1,374 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.NvidiaAttestationService = exports.ParseGpuClaim = exports.NvidiaAttestationErrorWithLogs = exports.NvidiaAttestationError = exports.NvidiaDeviceType = exports.NVIDIA_DEBUG_STATE_POLICY_RELATIVE_PATH = exports.NVIDIA_DETAILED_POLICY_RELATIVE_PATH = exports.DEFAULT_NRAS_URL = exports.MIN_NONCE_LENGTH = void 0;
+const NATIVE_MODULE_PATH = "../../bindings/nvidia-native/build/Release/nvidia_native.node";
+let _nativeModule;
+function getNativeModule() {
+    if (!_nativeModule) {
+        _nativeModule = require(NATIVE_MODULE_PATH);
+    }
+    return _nativeModule;
+}
+const promises_1 = require("fs/promises");
+const path = __importStar(require("path"));
+const typebox_1 = require("@sinclair/typebox");
+const value_1 = require("@sinclair/typebox/value");
+// ============================================================================
+// CONSTANTS
+// ============================================================================
+exports.MIN_NONCE_LENGTH = 32;
+exports.DEFAULT_NRAS_URL = "https://nras.attestation.nvidia.com";
+exports.NVIDIA_DETAILED_POLICY_RELATIVE_PATH = "nvidia-detailed-policy.rego";
+exports.NVIDIA_DEBUG_STATE_POLICY_RELATIVE_PATH = "nvidia-debug-state-policy.rego";
+var NvidiaDeviceType;
+(function (NvidiaDeviceType) {
+    NvidiaDeviceType[NvidiaDeviceType["GPU"] = 0] = "GPU";
+    NvidiaDeviceType[NvidiaDeviceType["NVSWITCH"] = 1] = "NVSWITCH";
+})(NvidiaDeviceType || (exports.NvidiaDeviceType = NvidiaDeviceType = {}));
+// ============================================================================
+// TYPES
+// ============================================================================
+const NvidiaAttestationResultSchema = typebox_1.Type.Object({
+    success: typebox_1.Type.Boolean(),
+    jwt: typebox_1.Type.String(),
+    claims: typebox_1.Type.String(),
+    logs: typebox_1.Type.String(),
+});
+const NvidiaDeviceTopologySchema = typebox_1.Type.Object({
+    gpuCount: typebox_1.Type.Integer({ minimum: 0 }),
+    nvswitchCount: typebox_1.Type.Integer({ minimum: 0 }),
+    logs: typebox_1.Type.String(),
+});
+const NvidiaJwtVerificationResultSchema = typebox_1.Type.Object({
+    result: typebox_1.Type.Boolean(),
+    claims: typebox_1.Type.String(),
+    msg: typebox_1.Type.String(),
+    logs: typebox_1.Type.String(),
+});
+const NvidiaPolicyEvaluationResultSchema = typebox_1.Type.Object({
+    result: typebox_1.Type.Boolean(),
+    msg: typebox_1.Type.String(),
+    details: typebox_1.Type.Array(typebox_1.Type.String()),
+    logs: typebox_1.Type.String(),
+});
+const NvidiaJwtPayloadSchema = typebox_1.Type.Object({
+    hwmodel: typebox_1.Type.String(),
+    "x-nvidia-gpu-driver-version": typebox_1.Type.String(),
+    "x-nvidia-gpu-vbios-version": typebox_1.Type.String(),
+    dbgstat: typebox_1.Type.String(),
+}, { additionalProperties: true });
+const NvtrustGPUInfoSchema = typebox_1.Type.Object({
+    model: typebox_1.Type.String(),
+    driverVersion: typebox_1.Type.String(),
+    vbios: typebox_1.Type.String(),
+    dbgStat: typebox_1.Type.Boolean(),
+});
+// ============================================================================
+// ERRORS
+// ============================================================================
+class NvidiaAttestationError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = NvidiaAttestationError.name;
+    }
+}
+exports.NvidiaAttestationError = NvidiaAttestationError;
+class NvidiaAttestationErrorWithLogs extends NvidiaAttestationError {
+    constructor(message, logs) {
+        super(message);
+        this.logs = logs;
+        this.name = NvidiaAttestationErrorWithLogs.name;
+    }
+}
+exports.NvidiaAttestationErrorWithLogs = NvidiaAttestationErrorWithLogs;
+// ============================================================================
+// NATIVE CLASS INTERFACE
+// ============================================================================
+function extractNativeLogs(error) {
+    if (error instanceof Error && "logs" in error && typeof error.logs === "string") {
+        return error.logs;
+    }
+    return undefined;
+}
+// ============================================================================
+// SERVICE
+// ============================================================================
+/**
+ * Parses a raw claims JSON string (array of JWT payloads) into typed GPU info objects.
+ *
+ * @param claims - JSON string containing an array of NVIDIA JWT payload objects.
+ * @returns Array of parsed and validated GPU info objects.
+ * @throws NvidiaAttestationError when the input is not valid JSON, not an array,
+ *         or any element fails schema validation.
+ */
+function ParseGpuClaim(claims) {
+    let parsed;
+    try {
+        parsed = JSON.parse(claims);
+    }
+    catch {
+        throw new NvidiaAttestationError("Failed to parse GPU claims: invalid JSON");
+    }
+    if (!Array.isArray(parsed)) {
+        throw new NvidiaAttestationError("Failed to parse GPU claims: expected a JSON array");
+    }
+    return parsed.map((item, index) => {
+        if (!value_1.Value.Check(NvidiaJwtPayloadSchema, item)) {
+            throw new NvidiaAttestationError(`Failed to parse GPU claims: element at index ${index} does not match expected schema`);
+        }
+        const payload = item;
+        return {
+            model: payload.hwmodel,
+            driverVersion: payload["x-nvidia-gpu-driver-version"],
+            vbios: payload["x-nvidia-gpu-vbios-version"],
+            dbgStat: payload.dbgstat !== "disabled",
+        };
+    });
+}
+exports.ParseGpuClaim = ParseGpuClaim;
+class NvidiaAttestationService {
+    getNvidiaDetailedPolicyPath() {
+        return path.join(__dirname, exports.NVIDIA_DETAILED_POLICY_RELATIVE_PATH);
+    }
+    getNvidiaDebugStatePolicyPath() {
+        return path.join(__dirname, exports.NVIDIA_DEBUG_STATE_POLICY_RELATIVE_PATH);
+    }
+    /**
+     * Loads bundled detailed NVIDIA Rego policy from package files.
+     *
+     * The policy content is cached after first successful read.
+     *
+     * @returns Rego policy text.
+     */
+    async getNvidiaDetailedPolicy() {
+        return this.loadCachedPolicy(this.getNvidiaDetailedPolicyPath());
+    }
+    /**
+     * Loads bundled debug-state NVIDIA Rego policy from package files.
+     *
+     * Checks device type, secure boot and debug status.
+     * The policy content is cached after first successful read.
+     *
+     * @returns Rego policy text.
+     */
+    async getNvidiaDebugStatePolicy() {
+        return this.loadCachedPolicy(this.getNvidiaDebugStatePolicyPath());
+    }
+    /**
+     * Loads a policy file using single-flight caching keyed by absolute path.
+     *
+     * Concurrent callers for the same path share one in-flight read.
+     * On failure the cache entry is removed so the next call retries.
+     */
+    loadCachedPolicy(policyPath) {
+        const cached = NvidiaAttestationService.policyCache.get(policyPath);
+        if (cached !== undefined) {
+            return cached;
+        }
+        const promise = (0, promises_1.readFile)(policyPath, "utf8").catch(() => {
+            NvidiaAttestationService.policyCache.delete(policyPath);
+            throw new NvidiaAttestationError(`Unable to load bundled NVIDIA policy from ${policyPath}`);
+        });
+        NvidiaAttestationService.policyCache.set(policyPath, promise);
+        return promise;
+    }
+    /**
+     * Creates NVIDIA attestation service instance and initializes native SDK bindings.
+     *
+     * @throws NvidiaAttestationError when native NVIDIA attestation layer cannot be initialized.
+     */
+    constructor() {
+        try {
+            const { TNvidiaAttestation } = getNativeModule();
+            this.native = new TNvidiaAttestation();
+        }
+        catch (error) {
+            if (error instanceof Error) {
+                throw new NvidiaAttestationError(`Failed to initialize NVIDIA attestation: ${error.message}`);
+            }
+            throw error;
+        }
+    }
+    /**
+     * Generates cryptographically secure nonce via native NVIDIA SDK.
+     *
+     * @param length - Nonce size in bytes (default: 32).
+     * @returns Nonce bytes.
+     */
+    async generateNonce(length = exports.MIN_NONCE_LENGTH) {
+        if (!Number.isInteger(length)) {
+            throw new NvidiaAttestationError("Nonce length must be an integer");
+        }
+        if (length < exports.MIN_NONCE_LENGTH) {
+            throw new NvidiaAttestationError(`Nonce length must be at least ${exports.MIN_NONCE_LENGTH}`);
+        }
+        try {
+            const nonce = await this.native.generateNonce(length);
+            if (!Buffer.isBuffer(nonce) || nonce.length !== length) {
+                throw new NvidiaAttestationError("Invalid nonce returned from native SDK");
+            }
+            return nonce;
+        }
+        catch (error) {
+            if (error instanceof NvidiaAttestationError) {
+                throw error;
+            }
+            if (error instanceof Error) {
+                throw new NvidiaAttestationErrorWithLogs(`Failed to generate nonce: ${error.message}`, extractNativeLogs(error));
+            }
+            throw new NvidiaAttestationError(`Failed to generate nonce: ${String(error)}`);
+        }
+    }
+    /**
+     * Performs GPU attestation via NVIDIA Remote Attestation Service (NRAS).
+     *
+     * @param options - Attestation options.
+     * @returns Attestation result (`success`, `jwt`, `claims`).
+     */
+    async attestGpuWithNRAS(options = {}) {
+        try {
+            const nonce = options.nonce ?? (await this.generateNonce());
+            const result = await this.native.attestGpuWithNRAS(nonce, options.serviceKey, options.nrasUrl);
+            if (!value_1.Value.Check(NvidiaAttestationResultSchema, result)) {
+                throw new NvidiaAttestationError("Invalid attestation result returned from NRAS");
+            }
+            return result;
+        }
+        catch (error) {
+            if (error instanceof NvidiaAttestationError) {
+                throw error;
+            }
+            if (error instanceof Error) {
+                throw new NvidiaAttestationErrorWithLogs(`Attestation failed: ${error.message}`, extractNativeLogs(error));
+            }
+            throw new NvidiaAttestationError(`Attestation failed: ${String(error)}`);
+        }
+    }
+    /**
+     * Performs NVSwitch attestation via NVIDIA Remote Attestation Service (NRAS).
+     *
+     * @param options - Attestation options.
+     * @returns Attestation result (`success`, `jwt`, `claims`).
+     */
+    async attestNvSwitchWithNRAS(options = {}) {
+        try {
+            const nonce = options.nonce ?? (await this.generateNonce());
+            const result = await this.native.attestNvSwitchWithNRAS(nonce, options.serviceKey, options.nrasUrl);
+            if (!value_1.Value.Check(NvidiaAttestationResultSchema, result)) {
+                throw new NvidiaAttestationError("Invalid NVSwitch attestation result returned from NRAS");
+            }
+            return result;
+        }
+        catch (error) {
+            if (error instanceof NvidiaAttestationError) {
+                throw error;
+            }
+            if (error instanceof Error) {
+                throw new NvidiaAttestationErrorWithLogs(`NVSwitch attestation failed: ${error.message}`, extractNativeLogs(error));
+            }
+            throw new NvidiaAttestationError(`NVSwitch attestation failed: ${String(error)}`);
+        }
+    }
+    /**
+     * Retrieves NVIDIA device topology (GPU and NVSwitch counts) from native layer.
+     *
+     * @returns Device topology data.
+     */
+    async getDeviceTopology() {
+        try {
+            const topology = await this.native.getDeviceTopology();
+            if (!value_1.Value.Check(NvidiaDeviceTopologySchema, topology)) {
+                throw new NvidiaAttestationError("Invalid topology returned from native SDK");
+            }
+            return topology;
+        }
+        catch (error) {
+            if (error instanceof NvidiaAttestationError) {
+                throw error;
+            }
+            if (error instanceof Error) {
+                throw new NvidiaAttestationErrorWithLogs(`Failed to get device topology: ${error.message}`, extractNativeLogs(error));
+            }
+            throw new NvidiaAttestationError(`Failed to get device topology: ${String(error)}`);
+        }
+    }
+    /**
+     * Verifies detached EAT JWT cryptographically via NRAS and returns decoded claims.
+     */
+    async verifyJwt(params) {
+        try {
+            const { jwt, serviceKey, nrasUrl } = params;
+            if (!jwt.trim()) {
+                throw new NvidiaAttestationError("JWT must be a non-empty string");
+            }
+            const result = await this.native.verifyJwt(jwt, serviceKey, nrasUrl);
+            if (!value_1.Value.Check(NvidiaJwtVerificationResultSchema, result)) {
+                throw new NvidiaAttestationError("Invalid JWT verification result returned from native SDK");
+            }
+            return result;
+        }
+        catch (error) {
+            if (error instanceof NvidiaAttestationError) {
+                throw error;
+            }
+            if (error instanceof Error) {
+                throw new NvidiaAttestationErrorWithLogs(`JWT verification failed: ${error.message}`, extractNativeLogs(error));
+            }
+            throw new NvidiaAttestationError(`JWT verification failed: ${String(error)}`);
+        }
+    }
+    /**
+     * Evaluates attestation claims against a Rego policy and returns policy diagnostics.
+     */
+    async evaluatePolicy(params) {
+        try {
+            const { claims, regoPolicy } = params;
+            if (!claims.trim()) {
+                throw new NvidiaAttestationError("Claims JSON must be a non-empty string");
+            }
+            if (!regoPolicy.trim()) {
+                throw new NvidiaAttestationError("Rego policy must be a non-empty string");
+            }
+            const result = await this.native.evaluatePolicy(claims, regoPolicy);
+            if (!value_1.Value.Check(NvidiaPolicyEvaluationResultSchema, result)) {
+                throw new NvidiaAttestationError("Invalid policy evaluation result returned from native SDK");
+            }
+            return result;
+        }
+        catch (error) {
+            if (error instanceof NvidiaAttestationError) {
+                throw error;
+            }
+            if (error instanceof Error) {
+                throw new NvidiaAttestationErrorWithLogs(`Policy evaluation failed: ${error.message}`, extractNativeLogs(error));
+            }
+            throw new NvidiaAttestationError(`Policy evaluation failed: ${String(error)}`);
+        }
+    }
+}
+exports.NvidiaAttestationService = NvidiaAttestationService;
+NvidiaAttestationService.policyCache = new Map();
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoibnZpZGlhLWF0dGVzdGF0aW9uLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vc3JjL252aWRpYS1uYXRpdmUtbW9kdWxlL252aWRpYS1hdHRlc3RhdGlvbi50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOzs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7OztBQUFBLE1BQU0sa0JBQWtCLEdBQUcsK0RBQStELENBQUM7QUFFM0YsSUFBSSxhQUFxRixDQUFDO0FBRTFGLFNBQVMsZUFBZTtJQUNwQixJQUFJLENBQUMsYUFBYSxFQUFFLENBQUM7UUFDakIsYUFBYSxHQUFHLE9BQU8sQ0FBQyxrQkFBa0IsQ0FBQyxDQUFDO0lBQ2hELENBQUM7SUFFRCxPQUFPLGFBQWMsQ0FBQztBQUMxQixDQUFDO0FBRUQsMENBQXVDO0FBQ3ZDLDJDQUE2QjtBQUM3QiwrQ0FBaUQ7QUFDakQsbURBQWdEO0FBRWhELCtFQUErRTtBQUMvRSxZQUFZO0FBQ1osK0VBQStFO0FBRWxFLFFBQUEsZ0JBQWdCLEdBQUcsRUFBRSxDQUFDO0FBQ3RCLFFBQUEsZ0JBQWdCLEdBQUcscUNBQXFDLENBQUM7QUFDekQsUUFBQSxvQ0FBb0MsR0FBRyw2QkFBNkIsQ0FBQztBQUNyRSxRQUFBLHVDQUF1QyxHQUFHLGdDQUFnQyxDQUFDO0FBRXhGLElBQVksZ0JBR1g7QUFIRCxXQUFZLGdCQUFnQjtJQUN4QixxREFBTyxDQUFBO0lBQ1AsK0RBQVksQ0FBQTtBQUNoQixDQUFDLEVBSFcsZ0JBQWdCLGdDQUFoQixnQkFBZ0IsUUFHM0I7QUFFRCwrRUFBK0U7QUFDL0UsUUFBUTtBQUNSLCtFQUErRTtBQUUvRSxNQUFNLDZCQUE2QixHQUFHLGNBQUksQ0FBQyxNQUFNLENBQUM7SUFDOUMsT0FBTyxFQUFFLGNBQUksQ0FBQyxPQUFPLEVBQUU7SUFDdkIsR0FBRyxFQUFFLGNBQUksQ0FBQyxNQUFNLEVBQUU7SUFDbEIsTUFBTSxFQUFFLGNBQUksQ0FBQyxNQUFNLEVBQUU7SUFDckIsSUFBSSxFQUFFLGNBQUksQ0FBQyxNQUFNLEVBQUU7Q0FDdEIsQ0FBQyxDQUFDO0FBSUgsTUFBTSwwQkFBMEIsR0FBRyxjQUFJLENBQUMsTUFBTSxDQUFDO0lBQzNDLFFBQVEsRUFBRSxjQUFJLENBQUMsT0FBTyxDQUFDLEVBQUUsT0FBTyxFQUFFLENBQUMsRUFBRSxDQUFDO0lBQ3RDLGFBQWEsRUFBRSxjQUFJLENBQUMsT0FBTyxDQUFDLEVBQUUsT0FBTyxFQUFFLENBQUMsRUFBRSxDQUFDO0lBQzNDLElBQUksRUFBRSxjQUFJLENBQUMsTUFBTSxFQUFFO0NBQ3RCLENBQUMsQ0FBQztBQXFCSCxNQUFNLGlDQUFpQyxHQUFHLGNBQUksQ0FBQyxNQUFNLENBQUM7SUFDbEQsTUFBTSxFQUFFLGNBQUksQ0FBQyxPQUFPLEVBQUU7SUFDdEIsTUFBTSxFQUFFLGNBQUksQ0FBQyxNQUFNLEVBQUU7SUFDckIsR0FBRyxFQUFFLGNBQUksQ0FBQyxNQUFNLEVBQUU7SUFDbEIsSUFBSSxFQUFFLGNBQUksQ0FBQyxNQUFNLEVBQUU7Q0FDdEIsQ0FBQyxDQUFDO0FBSUgsTUFBTSxrQ0FBa0MsR0FBRyxjQUFJLENBQUMsTUFBTSxDQUFDO0lBQ25ELE1BQU0sRUFBRSxjQUFJLENBQUMsT0FBTyxFQUFFO0lBQ3RCLEdBQUcsRUFBRSxjQUFJLENBQUMsTUFBTSxFQUFFO0lBQ2xCLE9BQU8sRUFBRSxjQUFJLENBQUMsS0FBSyxDQUFDLGNBQUksQ0FBQyxNQUFNLEVBQUUsQ0FBQztJQUNsQyxJQUFJLEVBQUUsY0FBSSxDQUFDLE1BQU0sRUFBRTtDQUN0QixDQUFDLENBQUM7QUFJSCxNQUFNLHNCQUFzQixHQUFHLGNBQUksQ0FBQyxNQUFNLENBQ3RDO0lBQ0ksT0FBTyxFQUFFLGNBQUksQ0FBQyxNQUFNLEVBQUU7SUFDdEIsNkJBQTZCLEVBQUUsY0FBSSxDQUFDLE1BQU0sRUFBRTtJQUM1Qyw0QkFBNEIsRUFBRSxjQUFJLENBQUMsTUFBTSxFQUFFO0lBQzNDLE9BQU8sRUFBRSxjQUFJLENBQUMsTUFBTSxFQUFFO0NBQ3pCLEVBQ0QsRUFBRSxvQkFBb0IsRUFBRSxJQUFJLEVBQUUsQ0FDakMsQ0FBQztBQUlGLE1BQU0sb0JBQW9CLEdBQUcsY0FBSSxDQUFDLE1BQU0sQ0FBQztJQUNyQyxLQUFLLEVBQUUsY0FBSSxDQUFDLE1BQU0sRUFBRTtJQUNwQixhQUFhLEVBQUUsY0FBSSxDQUFDLE1BQU0sRUFBRTtJQUM1QixLQUFLLEVBQUUsY0FBSSxDQUFDLE1BQU0sRUFBRTtJQUNwQixPQUFPLEVBQUUsY0FBSSxDQUFDLE9BQU8sRUFBRTtDQUMxQixDQUFDLENBQUM7QUFJSCwrRUFBK0U7QUFDL0UsU0FBUztBQUNULCtFQUErRTtBQUUvRSxNQUFhLHNCQUF1QixTQUFRLEtBQUs7SUFDN0MsWUFBWSxPQUFnQjtRQUN4QixLQUFLLENBQUMsT0FBTyxDQUFDLENBQUM7UUFDZixJQUFJLENBQUMsSUFBSSxHQUFHLHNCQUFzQixDQUFDLElBQUksQ0FBQztJQUM1QyxDQUFDO0NBQ0o7QUFMRCx3REFLQztBQUVELE1BQWEsOEJBQStCLFNBQVEsc0JBQXNCO0lBQ3RFLFlBQ0ksT0FBZSxFQUNDLElBQWE7UUFFN0IsS0FBSyxDQUFDLE9BQU8sQ0FBQyxDQUFDO1FBRkMsU0FBSSxHQUFKLElBQUksQ0FBUztRQUc3QixJQUFJLENBQUMsSUFBSSxHQUFHLDhCQUE4QixDQUFDLElBQUksQ0FBQztJQUNwRCxDQUFDO0NBQ0o7QUFSRCx3RUFRQztBQUVELCtFQUErRTtBQUMvRSx5QkFBeUI7QUFDekIsK0VBQStFO0FBRS9FLFNBQVMsaUJBQWlCLENBQUMsS0FBYztJQUNyQyxJQUFJLEtBQUssWUFBWSxLQUFLLElBQUksTUFBTSxJQUFJLEtBQUssSUFBSSxPQUFRLEtBQWlDLENBQUMsSUFBSSxLQUFLLFFBQVEsRUFBRSxDQUFDO1FBQzNHLE9BQVEsS0FBaUMsQ0FBQyxJQUFjLENBQUM7SUFDN0QsQ0FBQztJQUVELE9BQU8sU0FBUyxDQUFDO0FBQ3JCLENBQUM7QUFXRCwrRUFBK0U7QUFDL0UsVUFBVTtBQUNWLCtFQUErRTtBQUUvRTs7Ozs7OztHQU9HO0FBQ0gsU0FBZ0IsYUFBYSxDQUFDLE1BQWM7SUFDeEMsSUFBSSxNQUFlLENBQUM7SUFDcEIsSUFBSSxDQUFDO1FBQ0QsTUFBTSxHQUFHLElBQUksQ0FBQyxLQUFLLENBQUMsTUFBTSxDQUFDLENBQUM7SUFDaEMsQ0FBQztJQUFDLE1BQU0sQ0FBQztRQUNMLE1BQU0sSUFBSSxzQkFBc0IsQ0FBQywwQ0FBMEMsQ0FBQyxDQUFDO0lBQ2pGLENBQUM7SUFFRCxJQUFJLENBQUMsS0FBSyxDQUFDLE9BQU8sQ0FBQyxNQUFNLENBQUMsRUFBRSxDQUFDO1FBQ3pCLE1BQU0sSUFBSSxzQkFBc0IsQ0FBQyxtREFBbUQsQ0FBQyxDQUFDO0lBQzFGLENBQUM7SUFFRCxPQUFPLE1BQU0sQ0FBQyxHQUFHLENBQUMsQ0FBQyxJQUFhLEVBQUUsS0FBYSxFQUFFLEVBQUU7UUFDL0MsSUFBSSxDQUFDLGFBQUssQ0FBQyxLQUFLLENBQUMsc0JBQXNCLEVBQUUsSUFBSSxDQUFDLEVBQUUsQ0FBQztZQUM3QyxNQUFNLElBQUksc0JBQXNCLENBQzVCLGdEQUFnRCxLQUFLLGlDQUFpQyxDQUN6RixDQUFDO1FBQ04sQ0FBQztRQUVELE1BQU0sT0FBTyxHQUFHLElBQXdCLENBQUM7UUFFekMsT0FBTztZQUNILEtBQUssRUFBRSxPQUFPLENBQUMsT0FBTztZQUN0QixhQUFhLEVBQUUsT0FBTyxDQUFDLDZCQUE2QixDQUFDO1lBQ3JELEtBQUssRUFBRSxPQUFPLENBQUMsNEJBQTRCLENBQUM7WUFDNUMsT0FBTyxFQUFFLE9BQU8sQ0FBQyxPQUFPLEtBQUssVUFBVTtTQUMxQyxDQUFDO0lBQ04sQ0FBQyxDQUFDLENBQUM7QUFDUCxDQUFDO0FBNUJELHNDQTRCQztBQUVELE1BQWEsd0JBQXdCO0lBS3pCLDJCQUEyQjtRQUMvQixPQUFPLElBQUksQ0FBQyxJQUFJLENBQUMsU0FBUyxFQUFFLDRDQUFvQyxDQUFDLENBQUM7SUFDdEUsQ0FBQztJQUVPLDZCQUE2QjtRQUNqQyxPQUFPLElBQUksQ0FBQyxJQUFJLENBQUMsU0FBUyxFQUFFLCtDQUF1QyxDQUFDLENBQUM7SUFDekUsQ0FBQztJQUVEOzs7Ozs7T0FNRztJQUNILEtBQUssQ0FBQyx1QkFBdUI7UUFDekIsT0FBTyxJQUFJLENBQUMsZ0JBQWdCLENBQUMsSUFBSSxDQUFDLDJCQUEyQixFQUFFLENBQUMsQ0FBQztJQUNyRSxDQUFDO0lBRUQ7Ozs7Ozs7T0FPRztJQUNILEtBQUssQ0FBQyx5QkFBeUI7UUFDM0IsT0FBTyxJQUFJLENBQUMsZ0JBQWdCLENBQUMsSUFBSSxDQUFDLDZCQUE2QixFQUFFLENBQUMsQ0FBQztJQUN2RSxDQUFDO0lBRUQ7Ozs7O09BS0c7SUFDSyxnQkFBZ0IsQ0FBQyxVQUFrQjtRQUN2QyxNQUFNLE1BQU0sR0FBRyx3QkFBd0IsQ0FBQyxXQUFXLENBQUMsR0FBRyxDQUFDLFVBQVUsQ0FBQyxDQUFDO1FBQ3BFLElBQUksTUFBTSxLQUFLLFNBQVMsRUFBRSxDQUFDO1lBQ3ZCLE9BQU8sTUFBTSxDQUFDO1FBQ2xCLENBQUM7UUFFRCxNQUFNLE9BQU8sR0FBRyxJQUFBLG1CQUFRLEVBQUMsVUFBVSxFQUFFLE1BQU0sQ0FBQyxDQUFDLEtBQUssQ0FBQyxHQUFHLEVBQUU7WUFDcEQsd0JBQXdCLENBQUMsV0FBVyxDQUFDLE1BQU0sQ0FBQyxVQUFVLENBQUMsQ0FBQztZQUN4RCxNQUFNLElBQUksc0JBQXNCLENBQUMsNkNBQTZDLFVBQVUsRUFBRSxDQUFDLENBQUM7UUFDaEcsQ0FBQyxDQUFDLENBQUM7UUFFSCx3QkFBd0IsQ0FBQyxXQUFXLENBQUMsR0FBRyxDQUFDLFVBQVUsRUFBRSxPQUFPLENBQUMsQ0FBQztRQUU5RCxPQUFPLE9BQU8sQ0FBQztJQUNuQixDQUFDO0lBRUQ7Ozs7T0FJRztJQUNIO1FBQ0ksSUFBSSxDQUFDO1lBQ0QsTUFBTSxFQUFFLGtCQUFrQixFQUFFLEdBQUcsZUFBZSxFQUFFLENBQUM7WUFDakQsSUFBSSxDQUFDLE1BQU0sR0FBRyxJQUFJLGtCQUFrQixFQUFFLENBQUM7UUFDM0MsQ0FBQztRQUFDLE9BQU8sS0FBSyxFQUFFLENBQUM7WUFDYixJQUFJLEtBQUssWUFBWSxLQUFLLEVBQUUsQ0FBQztnQkFDekIsTUFBTSxJQUFJLHNCQUFzQixDQUFDLDRDQUE0QyxLQUFLLENBQUMsT0FBTyxFQUFFLENBQUMsQ0FBQztZQUNsRyxDQUFDO1lBQ0QsTUFBTSxLQUFLLENBQUM7UUFDaEIsQ0FBQztJQUNMLENBQUM7SUFFRDs7Ozs7T0FLRztJQUNILEtBQUssQ0FBQyxhQUFhLENBQUMsTUFBTSxHQUFHLHdCQUFnQjtRQUN6QyxJQUFJLENBQUMsTUFBTSxDQUFDLFNBQVMsQ0FBQyxNQUFNLENBQUMsRUFBRSxDQUFDO1lBQzVCLE1BQU0sSUFBSSxzQkFBc0IsQ0FBQyxpQ0FBaUMsQ0FBQyxDQUFDO1FBQ3hFLENBQUM7UUFFRCxJQUFJLE1BQU0sR0FBRyx3QkFBZ0IsRUFBRSxDQUFDO1lBQzVCLE1BQU0sSUFBSSxzQkFBc0IsQ0FBQyxpQ0FBaUMsd0JBQWdCLEVBQUUsQ0FBQyxDQUFDO1FBQzFGLENBQUM7UUFFRCxJQUFJLENBQUM7WUFDRCxNQUFNLEtBQUssR0FBRyxNQUFNLElBQUksQ0FBQyxNQUFNLENBQUMsYUFBYSxDQUFDLE1BQU0sQ0FBQyxDQUFDO1lBQ3RELElBQUksQ0FBQyxNQUFNLENBQUMsUUFBUSxDQUFDLEtBQUssQ0FBQyxJQUFJLEtBQUssQ0FBQyxNQUFNLEtBQUssTUFBTSxFQUFFLENBQUM7Z0JBQ3JELE1BQU0sSUFBSSxzQkFBc0IsQ0FBQyx3Q0FBd0MsQ0FBQyxDQUFDO1lBQy9FLENBQUM7WUFFRCxPQUFPLEtBQUssQ0FBQztRQUNqQixDQUFDO1FBQUMsT0FBTyxLQUFLLEVBQUUsQ0FBQztZQUNiLElBQUksS0FBSyxZQUFZLHNCQUFzQixFQUFFLENBQUM7Z0JBQzFDLE1BQU0sS0FBSyxDQUFDO1lBQ2hCLENBQUM7WUFDRCxJQUFJLEtBQUssWUFBWSxLQUFLLEVBQUUsQ0FBQztnQkFDekIsTUFBTSxJQUFJLDhCQUE4QixDQUNwQyw2QkFBNkIsS0FBSyxDQUFDLE9BQU8sRUFBRSxFQUM1QyxpQkFBaUIsQ0FBQyxLQUFLLENBQUMsQ0FDM0IsQ0FBQztZQUNOLENBQUM7WUFDRCxNQUFNLElBQUksc0JBQXNCLENBQUMsNkJBQTZCLE1BQU0sQ0FBQyxLQUFLLENBQUMsRUFBRSxDQUFDLENBQUM7UUFDbkYsQ0FBQztJQUNMLENBQUM7SUFFRDs7Ozs7T0FLRztJQUNILEtBQUssQ0FBQyxpQkFBaUIsQ0FBQyxVQUFvQyxFQUFFO1FBQzFELElBQUksQ0FBQztZQUNELE1BQU0sS0FBSyxHQUFHLE9BQU8sQ0FBQyxLQUFLLElBQUksQ0FBQyxNQUFNLElBQUksQ0FBQyxhQUFhLEVBQUUsQ0FBQyxDQUFDO1lBRTVELE1BQU0sTUFBTSxHQUFHLE1BQU0sSUFBSSxDQUFDLE1BQU0sQ0FBQyxpQkFBaUIsQ0FBQyxLQUFLLEVBQUUsT0FBTyxDQUFDLFVBQVUsRUFBRSxPQUFPLENBQUMsT0FBTyxDQUFDLENBQUM7WUFFL0YsSUFBSSxDQUFDLGFBQUssQ0FBQyxLQUFLLENBQUMsNkJBQTZCLEVBQUUsTUFBTSxDQUFDLEVBQUUsQ0FBQztnQkFDdEQsTUFBTSxJQUFJLHNCQUFzQixDQUFDLCtDQUErQyxDQUFDLENBQUM7WUFDdEYsQ0FBQztZQUVELE9BQU8sTUFBTSxDQUFDO1FBQ2xCLENBQUM7UUFBQyxPQUFPLEtBQUssRUFBRSxDQUFDO1lBQ2IsSUFBSSxLQUFLLFlBQVksc0JBQXNCLEVBQUUsQ0FBQztnQkFDMUMsTUFBTSxLQUFLLENBQUM7WUFDaEIsQ0FBQztZQUNELElBQUksS0FBSyxZQUFZLEtBQUssRUFBRSxDQUFDO2dCQUN6QixNQUFNLElBQUksOEJBQThCLENBQ3BDLHVCQUF1QixLQUFLLENBQUMsT0FBTyxFQUFFLEVBQ3RDLGlCQUFpQixDQUFDLEtBQUssQ0FBQyxDQUMzQixDQUFDO1lBQ04sQ0FBQztZQUNELE1BQU0sSUFBSSxzQkFBc0IsQ0FBQyx1QkFBdUIsTUFBTSxDQUFDLEtBQUssQ0FBQyxFQUFFLENBQUMsQ0FBQztRQUM3RSxDQUFDO0lBQ0wsQ0FBQztJQUVEOzs7OztPQUtHO0lBQ0gsS0FBSyxDQUFDLHNCQUFzQixDQUFDLFVBQW9DLEVBQUU7UUFDL0QsSUFBSSxDQUFDO1lBQ0QsTUFBTSxLQUFLLEdBQUcsT0FBTyxDQUFDLEtBQUssSUFBSSxDQUFDLE1BQU0sSUFBSSxDQUFDLGFBQWEsRUFBRSxDQUFDLENBQUM7WUFFNUQsTUFBTSxNQUFNLEdBQUcsTUFBTSxJQUFJLENBQUMsTUFBTSxDQUFDLHNCQUFzQixDQUFDLEtBQUssRUFBRSxPQUFPLENBQUMsVUFBVSxFQUFFLE9BQU8sQ0FBQyxPQUFPLENBQUMsQ0FBQztZQUVwRyxJQUFJLENBQUMsYUFBSyxDQUFDLEtBQUssQ0FBQyw2QkFBNkIsRUFBRSxNQUFNLENBQUMsRUFBRSxDQUFDO2dCQUN0RCxNQUFNLElBQUksc0JBQXNCLENBQUMsd0RBQXdELENBQUMsQ0FBQztZQUMvRixDQUFDO1lBRUQsT0FBTyxNQUFNLENBQUM7UUFDbEIsQ0FBQztRQUFDLE9BQU8sS0FBSyxFQUFFLENBQUM7WUFDYixJQUFJLEtBQUssWUFBWSxzQkFBc0IsRUFBRSxDQUFDO2dCQUMxQyxNQUFNLEtBQUssQ0FBQztZQUNoQixDQUFDO1lBQ0QsSUFBSSxLQUFLLFlBQVksS0FBSyxFQUFFLENBQUM7Z0JBQ3pCLE1BQU0sSUFBSSw4QkFBOEIsQ0FDcEMsZ0NBQWdDLEtBQUssQ0FBQyxPQUFPLEVBQUUsRUFDL0MsaUJBQWlCLENBQUMsS0FBSyxDQUFDLENBQzNCLENBQUM7WUFDTixDQUFDO1lBQ0QsTUFBTSxJQUFJLHNCQUFzQixDQUFDLGdDQUFnQyxNQUFNLENBQUMsS0FBSyxDQUFDLEVBQUUsQ0FBQyxDQUFDO1FBQ3RGLENBQUM7SUFDTCxDQUFDO0lBRUQ7Ozs7T0FJRztJQUNILEtBQUssQ0FBQyxpQkFBaUI7UUFDbkIsSUFBSSxDQUFDO1lBQ0QsTUFBTSxRQUFRLEdBQUcsTUFBTSxJQUFJLENBQUMsTUFBTSxDQUFDLGlCQUFpQixFQUFFLENBQUM7WUFFdkQsSUFBSSxDQUFDLGFBQUssQ0FBQyxLQUFLLENBQUMsMEJBQTBCLEVBQUUsUUFBUSxDQUFDLEVBQUUsQ0FBQztnQkFDckQsTUFBTSxJQUFJLHNCQUFzQixDQUFDLDJDQUEyQyxDQUFDLENBQUM7WUFDbEYsQ0FBQztZQUVELE9BQU8sUUFBUSxDQUFDO1FBQ3BCLENBQUM7UUFBQyxPQUFPLEtBQUssRUFBRSxDQUFDO1lBQ2IsSUFBSSxLQUFLLFlBQVksc0JBQXNCLEVBQUUsQ0FBQztnQkFDMUMsTUFBTSxLQUFLLENBQUM7WUFDaEIsQ0FBQztZQUNELElBQUksS0FBSyxZQUFZLEtBQUssRUFBRSxDQUFDO2dCQUN6QixNQUFNLElBQUksOEJBQThCLENBQ3BDLGtDQUFrQyxLQUFLLENBQUMsT0FBTyxFQUFFLEVBQ2pELGlCQUFpQixDQUFDLEtBQUssQ0FBQyxDQUMzQixDQUFDO1lBQ04sQ0FBQztZQUNELE1BQU0sSUFBSSxzQkFBc0IsQ0FBQyxrQ0FBa0MsTUFBTSxDQUFDLEtBQUssQ0FBQyxFQUFFLENBQUMsQ0FBQztRQUN4RixDQUFDO0lBQ0wsQ0FBQztJQUVEOztPQUVHO0lBQ0gsS0FBSyxDQUFDLFNBQVMsQ0FBQyxNQUFtQztRQUMvQyxJQUFJLENBQUM7WUFDRCxNQUFNLEVBQUUsR0FBRyxFQUFFLFVBQVUsRUFBRSxPQUFPLEVBQUUsR0FBRyxNQUFNLENBQUM7WUFFNUMsSUFBSSxDQUFDLEdBQUcsQ0FBQyxJQUFJLEVBQUUsRUFBRSxDQUFDO2dCQUNkLE1BQU0sSUFBSSxzQkFBc0IsQ0FBQyxnQ0FBZ0MsQ0FBQyxDQUFDO1lBQ3ZFLENBQUM7WUFFRCxNQUFNLE1BQU0sR0FBRyxNQUFNLElBQUksQ0FBQyxNQUFNLENBQUMsU0FBUyxDQUFDLEdBQUcsRUFBRSxVQUFVLEVBQUUsT0FBTyxDQUFDLENBQUM7WUFDckUsSUFBSSxDQUFDLGFBQUssQ0FBQyxLQUFLLENBQUMsaUNBQWlDLEVBQUUsTUFBTSxDQUFDLEVBQUUsQ0FBQztnQkFDMUQsTUFBTSxJQUFJLHNCQUFzQixDQUFDLDBEQUEwRCxDQUFDLENBQUM7WUFDakcsQ0FBQztZQUVELE9BQU8sTUFBTSxDQUFDO1FBQ2xCLENBQUM7UUFBQyxPQUFPLEtBQUssRUFBRSxDQUFDO1lBQ2IsSUFBSSxLQUFLLFlBQVksc0JBQXNCLEVBQUUsQ0FBQztnQkFDMUMsTUFBTSxLQUFLLENBQUM7WUFDaEIsQ0FBQztZQUNELElBQUksS0FBSyxZQUFZLEtBQUssRUFBRSxDQUFDO2dCQUN6QixNQUFNLElBQUksOEJBQThCLENBQ3BDLDRCQUE0QixLQUFLLENBQUMsT0FBTyxFQUFFLEVBQzNDLGlCQUFpQixDQUFDLEtBQUssQ0FBQyxDQUMzQixDQUFDO1lBQ04sQ0FBQztZQUNELE1BQU0sSUFBSSxzQkFBc0IsQ0FBQyw0QkFBNEIsTUFBTSxDQUFDLEtBQUssQ0FBQyxFQUFFLENBQUMsQ0FBQztRQUNsRixDQUFDO0lBQ0wsQ0FBQztJQUVEOztPQUVHO0lBQ0gsS0FBSyxDQUFDLGNBQWMsQ0FBQyxNQUFvQztRQUNyRCxJQUFJLENBQUM7WUFDRCxNQUFNLEVBQUUsTUFBTSxFQUFFLFVBQVUsRUFBRSxHQUFHLE1BQU0sQ0FBQztZQUV0QyxJQUFJLENBQUMsTUFBTSxDQUFDLElBQUksRUFBRSxFQUFFLENBQUM7Z0JBQ2pCLE1BQU0sSUFBSSxzQkFBc0IsQ0FBQyx3Q0FBd0MsQ0FBQyxDQUFDO1lBQy9FLENBQUM7WUFFRCxJQUFJLENBQUMsVUFBVSxDQUFDLElBQUksRUFBRSxFQUFFLENBQUM7Z0JBQ3JCLE1BQU0sSUFBSSxzQkFBc0IsQ0FBQyx3Q0FBd0MsQ0FBQyxDQUFDO1lBQy9FLENBQUM7WUFFRCxNQUFNLE1BQU0sR0FBRyxNQUFNLElBQUksQ0FBQyxNQUFNLENBQUMsY0FBYyxDQUFDLE1BQU0sRUFBRSxVQUFVLENBQUMsQ0FBQztZQUNwRSxJQUFJLENBQUMsYUFBSyxDQUFDLEtBQUssQ0FBQyxrQ0FBa0MsRUFBRSxNQUFNLENBQUMsRUFBRSxDQUFDO2dCQUMzRCxNQUFNLElBQUksc0JBQXNCLENBQUMsMkRBQTJELENBQUMsQ0FBQztZQUNsRyxDQUFDO1lBRUQsT0FBTyxNQUFNLENBQUM7UUFDbEIsQ0FBQztRQUFDLE9BQU8sS0FBSyxFQUFFLENBQUM7WUFDYixJQUFJLEtBQUssWUFBWSxzQkFBc0IsRUFBRSxDQUFDO2dCQUMxQyxNQUFNLEtBQUssQ0FBQztZQUNoQixDQUFDO1lBQ0QsSUFBSSxLQUFLLFlBQVksS0FBSyxFQUFFLENBQUM7Z0JBQ3pCLE1BQU0sSUFBSSw4QkFBOEIsQ0FDcEMsNkJBQTZCLEtBQUssQ0FBQyxPQUFPLEVBQUUsRUFDNUMsaUJBQWlCLENBQUMsS0FBSyxDQUFDLENBQzNCLENBQUM7WUFDTixDQUFDO1lBQ0QsTUFBTSxJQUFJLHNCQUFzQixDQUFDLDZCQUE2QixNQUFNLENBQUMsS0FBSyxDQUFDLEVBQUUsQ0FBQyxDQUFDO1FBQ25GLENBQUM7SUFDTCxDQUFDOztBQXpRTCw0REEwUUM7QUF6UTJCLG9DQUFXLEdBQUcsSUFBSSxHQUFHLEVBQTJCLENBQUMifQ==

package/dist/nvidia-native-module/nvidia-debug-state-policy.rego

@@ -0,0 +1,45 @@
+package policy
+
+import future.keywords.every
+
+# Returns object at data.policy.nv_match:
+# {
+#   "result": boolean,
+#   "failed_rules": string[]
+# }
+
+default nv_match := {
+  "result": false,
+  "failed_rules": ["No attestation claims provided"]
+}
+
+nv_match := {
+  "result": count(failed_rules) == 0,
+  "failed_rules": failed_rules
+} {
+  count(input) > 0
+  failed_rules := sort([msg | failed_rule[msg]])
+}
+
+# --------------------
+# Failed rules
+# --------------------
+
+failed_rule[sprintf("Device %d: unsupported device type (expected 'gpu')", [i])] {
+  some i
+  claim := input[i]
+  object.get(claim, "x-nvidia-device-type", "") != "gpu"
+}
+
+failed_rule[sprintf("Device %d: secure boot is not enabled", [i])] {
+  some i
+  claim := input[i]
+  object.get(claim, "secboot", false) != true
+}
+
+failed_rule[sprintf("Device %d: debug mode is not disabled (dbgstat = '%s')", [i, dbgstat])] {
+  some i
+  claim := input[i]
+  dbgstat := object.get(claim, "dbgstat", "")
+  dbgstat != "disabled"
+}

package/dist/nvidia-native-module/nvidia-detailed-policy.rego

@@ -0,0 +1,205 @@
+package policy
+
+import future.keywords.every
+
+# Returns object at data.policy.nv_match:
+# {
+#   "result": boolean,
+#   "failed_rules": string[]
+# }
+
+default nv_match := {
+  "result": false,
+  "failed_rules": ["No attestation claims provided"]
+}
+
+nv_match := {
+  "result": count(failed_rules) == 0,
+  "failed_rules": failed_rules
+} {
+  count(input) > 0
+  failed_rules := sort([msg | failed_rule[msg]])
+}
+
+# --------------------
+# Failed rules
+# --------------------
+
+failed_rule[sprintf("Device %d: measurement result is not 'success'", [i])] {
+  some i
+  claim := input[i]
+  object.get(claim, "measres", "") != "success"
+}
+
+failed_rule[sprintf("Device %d: unsupported device type (expected 'gpu' or 'nvswitch')", [i])] {
+  some i
+  claim := input[i]
+  device_type := object.get(claim, "x-nvidia-device-type", "")
+  device_type != "gpu"
+  device_type != "nvswitch"
+}
+
+# GPU: attestation report cert chain
+failed_rule[sprintf("GPU %d: attestation report cert chain status is not valid", [i])] {
+  some i
+  claim := input[i]
+  object.get(claim, "x-nvidia-device-type", "") == "gpu"
+  cert := object.get(claim, "x-nvidia-gpu-attestation-report-cert-chain", {})
+  object.get(cert, "x-nvidia-cert-status", "") != "valid"
+}
+
+failed_rule[sprintf("GPU %d: attestation report cert chain OCSP status is not good", [i])] {
+  some i
+  claim := input[i]
+  object.get(claim, "x-nvidia-device-type", "") == "gpu"
+  cert := object.get(claim, "x-nvidia-gpu-attestation-report-cert-chain", {})
+  object.get(cert, "x-nvidia-cert-ocsp-status", "") != "good"
+}
+
+failed_rule[sprintf("GPU %d: attestation report cert chain OCSP nonce does not match", [i])] {
+  some i
+  claim := input[i]
+  object.get(claim, "x-nvidia-device-type", "") == "gpu"
+  cert := object.get(claim, "x-nvidia-gpu-attestation-report-cert-chain", {})
+  object.get(cert, "x-nvidia-cert-ocsp-nonce-matches", false) != true
+}
+
+failed_rule[sprintf("GPU %d: attestation report cert chain OCSP response is not valid", [i])] {
+  some i
+  claim := input[i]
+  object.get(claim, "x-nvidia-device-type", "") == "gpu"
+  cert := object.get(claim, "x-nvidia-gpu-attestation-report-cert-chain", {})
+  object.get(cert, "x-nvidia-cert-ocsp-response-valid", false) != true
+}
+
+# GPU: driver RIM cert chain
+failed_rule[sprintf("GPU %d: driver RIM cert chain status is not valid", [i])] {
+  some i
+  claim := input[i]
+  object.get(claim, "x-nvidia-device-type", "") == "gpu"
+  cert := object.get(claim, "x-nvidia-gpu-driver-rim-cert-chain", {})
+  object.get(cert, "x-nvidia-cert-status", "") != "valid"
+}
+
+failed_rule[sprintf("GPU %d: driver RIM cert chain OCSP status is not good", [i])] {
+  some i
+  claim := input[i]
+  object.get(claim, "x-nvidia-device-type", "") == "gpu"
+  cert := object.get(claim, "x-nvidia-gpu-driver-rim-cert-chain", {})
+  object.get(cert, "x-nvidia-cert-ocsp-status", "") != "good"
+}
+
+failed_rule[sprintf("GPU %d: driver RIM cert chain OCSP nonce does not match", [i])] {
+  some i
+  claim := input[i]
+  object.get(claim, "x-nvidia-device-type", "") == "gpu"
+  cert := object.get(claim, "x-nvidia-gpu-driver-rim-cert-chain", {})
+  object.get(cert, "x-nvidia-cert-ocsp-nonce-matches", false) != true
+}
+
+failed_rule[sprintf("GPU %d: driver RIM cert chain OCSP response is not valid", [i])] {
+  some i
+  claim := input[i]
+  object.get(claim, "x-nvidia-device-type", "") == "gpu"
+  cert := object.get(claim, "x-nvidia-gpu-driver-rim-cert-chain", {})
+  object.get(cert, "x-nvidia-cert-ocsp-response-valid", false) != true
+}
+
+# GPU: vbios RIM cert chain
+failed_rule[sprintf("GPU %d: VBIOS RIM cert chain status is not valid", [i])] {
+  some i
+  claim := input[i]
+  object.get(claim, "x-nvidia-device-type", "") == "gpu"
+  cert := object.get(claim, "x-nvidia-gpu-vbios-rim-cert-chain", {})
+  object.get(cert, "x-nvidia-cert-status", "") != "valid"
+}
+
+failed_rule[sprintf("GPU %d: VBIOS RIM cert chain OCSP status is not good", [i])] {
+  some i
+  claim := input[i]
+  object.get(claim, "x-nvidia-device-type", "") == "gpu"
+  cert := object.get(claim, "x-nvidia-gpu-vbios-rim-cert-chain", {})
+  object.get(cert, "x-nvidia-cert-ocsp-status", "") != "good"
+}
+
+failed_rule[sprintf("GPU %d: VBIOS RIM cert chain OCSP nonce does not match", [i])] {
+  some i
+  claim := input[i]
+  object.get(claim, "x-nvidia-device-type", "") == "gpu"
+  cert := object.get(claim, "x-nvidia-gpu-vbios-rim-cert-chain", {})
+  object.get(cert, "x-nvidia-cert-ocsp-nonce-matches", false) != true
+}
+
+failed_rule[sprintf("GPU %d: VBIOS RIM cert chain OCSP response is not valid", [i])] {
+  some i
+  claim := input[i]
+  object.get(claim, "x-nvidia-device-type", "") == "gpu"
+  cert := object.get(claim, "x-nvidia-gpu-vbios-rim-cert-chain", {})
+  object.get(cert, "x-nvidia-cert-ocsp-response-valid", false) != true
+}
+
+# NVSwitch: attestation report cert chain
+failed_rule[sprintf("NVSwitch %d: attestation report cert chain status is not valid", [i])] {
+  some i
+  claim := input[i]
+  object.get(claim, "x-nvidia-device-type", "") == "nvswitch"
+  cert := object.get(claim, "x-nvidia-switch-attestation-report-cert-chain", {})
+  object.get(cert, "x-nvidia-cert-status", "") != "valid"
+}
+
+failed_rule[sprintf("NVSwitch %d: attestation report cert chain OCSP status is not good", [i])] {
+  some i
+  claim := input[i]
+  object.get(claim, "x-nvidia-device-type", "") == "nvswitch"
+  cert := object.get(claim, "x-nvidia-switch-attestation-report-cert-chain", {})
+  object.get(cert, "x-nvidia-cert-ocsp-status", "") != "good"
+}
+
+failed_rule[sprintf("NVSwitch %d: attestation report cert chain OCSP nonce does not match", [i])] {
+  some i
+  claim := input[i]
+  object.get(claim, "x-nvidia-device-type", "") == "nvswitch"
+  cert := object.get(claim, "x-nvidia-switch-attestation-report-cert-chain", {})
+  object.get(cert, "x-nvidia-cert-ocsp-nonce-matches", false) != true
+}
+
+failed_rule[sprintf("NVSwitch %d: attestation report cert chain OCSP response is not valid", [i])] {
+  some i
+  claim := input[i]
+  object.get(claim, "x-nvidia-device-type", "") == "nvswitch"
+  cert := object.get(claim, "x-nvidia-switch-attestation-report-cert-chain", {})
+  object.get(cert, "x-nvidia-cert-ocsp-response-valid", false) != true
+}
+
+# NVSwitch: bios RIM cert chain
+failed_rule[sprintf("NVSwitch %d: BIOS RIM cert chain status is not valid", [i])] {
+  some i
+  claim := input[i]
+  object.get(claim, "x-nvidia-device-type", "") == "nvswitch"
+  cert := object.get(claim, "x-nvidia-switch-bios-rim-cert-chain", {})
+  object.get(cert, "x-nvidia-cert-status", "") != "valid"
+}
+
+failed_rule[sprintf("NVSwitch %d: BIOS RIM cert chain OCSP status is not good", [i])] {
+  some i
+  claim := input[i]
+  object.get(claim, "x-nvidia-device-type", "") == "nvswitch"
+  cert := object.get(claim, "x-nvidia-switch-bios-rim-cert-chain", {})
+  object.get(cert, "x-nvidia-cert-ocsp-status", "") != "good"
+}
+
+failed_rule[sprintf("NVSwitch %d: BIOS RIM cert chain OCSP nonce does not match", [i])] {
+  some i
+  claim := input[i]
+  object.get(claim, "x-nvidia-device-type", "") == "nvswitch"
+  cert := object.get(claim, "x-nvidia-switch-bios-rim-cert-chain", {})
+  object.get(cert, "x-nvidia-cert-ocsp-nonce-matches", false) != true
+}
+
+failed_rule[sprintf("NVSwitch %d: BIOS RIM cert chain OCSP response is not valid", [i])] {
+  some i
+  claim := input[i]
+  object.get(claim, "x-nvidia-device-type", "") == "nvswitch"
+  cert := object.get(claim, "x-nvidia-switch-bios-rim-cert-chain", {})
+  object.get(cert, "x-nvidia-cert-ocsp-response-valid", false) != true
+}