Attestation Data Reference

Technical reference for the attestation receipt structure returned with every OLLM inference request.

Every inference request through OLLM produces a cryptographic attestation receipt. This receipt contains hardware-generated evidence proving the request was processed inside a unified Trusted Execution Environment: Intel TDX provides the secure VM, and NVIDIA H100 GPUs run confidential GPU compute within that VM. Both layers attest together: the TDX quote and the GPU evidence are cryptographically bound by a shared session nonce. The receipt is self-contained and independently verifiable against Intel's and NVIDIA's public PKI.

No trust in OLLM is required to verify these receipts.

Hardware Environment

Component | Technology | Role
CPU | Intel TDX (Trust Domain Extensions) | Encrypted virtual machine; the hypervisor cannot read its memory
GPU | NVIDIA H100 (Hopper architecture); the current deployment uses 8x H100 | Confidential compute extends the trust boundary to GPU memory

Model weights and user prompts remain encrypted and are never exposed to the host.

Attestation Flow

The following diagram shows how an inference request flows through the TEE, how attestation evidence is generated, and how it can be independently verified.

Receipt Structure

An attestation receipt contains three components:

  1. Intel TDX Quote: CPU-side attestation proving the TEE environment
  2. NVIDIA GPU Evidence: per-GPU attestation proving firmware integrity
  3. Message Signature: cryptographic binding of the model identity to the request and response

1. Intel TDX Quote

A DCAP (Data Center Attestation Primitives) Quote v4 binary, hex-encoded, signed by Intel's Quoting Enclave.

Contents:

  • ECDSA-P256 signature over the quote body
  • PCK certificate chain: Platform Certification Key chain rooted in Intel's Root CA
  • TD measurements:
    • MRTD — code identity of the Trust Domain
    • RTMRs — runtime measurements
    • MRCONFIGID — configuration identity
  • REPORT_DATA (64 bytes):
    • Bytes [0:32]: model_signing_address — identifies the model signing authority
    • Bytes [32:64]: GPU session nonce; binds this quote to the GPU attestations
  • TEE TCB SVN: firmware security version number, verifiable against Intel's Provisioning Certification Service

Verification: The quote's ECDSA signature and PCK certificate chain can be validated against Intel's Root CA. TCB status can be checked via Intel's PCS API.

2. NVIDIA GPU Evidence

Per-GPU attestation data for each H100 in the cluster.

Contents:

  • X.509 certificate chain: device certificate rooted in NVIDIA's Root CA, revocation status verifiable via NVIDIA's OCSP service
  • SPDM measurement report: signed by the GPU's device attestation key, containing measurement blocks per GPU
  • Firmware measurements verified against NVIDIA's signed Reference Integrity Manifests (RIMs):
    • Driver firmware measurements
    • VBIOS firmware measurements
  • OpaqueData fields (2-byte little-endian TLV format):
    • Driver version
    • VBIOS version
    • Chip SKU
    • Project and project SKU

The OpaqueData fields are used to identify the correct RIM for verification.

Verification: The GPU certificate chain can be validated against NVIDIA's Root CA. Firmware measurements are compared against the signed RIMs fetched from NVIDIA's RIM service.

3. Message Signature (Model Identity)

An ECDSA signature proving which model signed the response and binding the signature to the exact request and response content.

Signed message format:

EIP-191(text: "{model}:{sha256(request_body)}:{sha256(response_body)}")

Fields:

Field | Description
model | The model identifier (e.g. zai-org/GLM-5-FP8)
sha256(request_body) | SHA-256 hex hash of the inference request
sha256(response_body) | SHA-256 hex hash of the inference response
ecdsa_signature | 65-byte recoverable ECDSA signature (0x-prefixed hex)
message_signer | Ethereum address of the signing authority (0x-prefixed)
model_signing_address | Model identity hash; matches TDX REPORT_DATA[0:32]
request_hash | SHA-256 hash of the request body
response_hash | SHA-256 hash of the response body

Verification: Recover the Ethereum address from the signature using EIP-191 and confirm it matches message_signer.
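A worked verifier for this step, added here as an example and not code from OLLM: it rebuilds the signed text from the raw request and response bodies, applies the EIP-191 personal-message prefix, recovers the signer from the 65-byte r || s || v signature and compares it with message_signer. Keccak-256 and secp256k1 are implemented inline so the block runs on the Python standard library alone. build_demo_receipt, its throwaway private key (1 by default), the fixed nonce k and the request/response bodies are constructed test data; the only value taken from the page is the model identifier.

```python
# Added example, not OLLM's code: verify a receipt's model-identity signature with the
# standard library only (Keccak-256 and secp256k1 inline). The private key, nonce k and
# request/response bodies used by build_demo_receipt are constructed test data.
import hashlib

RC = [0x1, 0x8082, 0x800000000000808A, 0x8000000080008000, 0x808B, 0x80000001,
      0x8000000080008081, 0x8000000000008009, 0x8A, 0x88, 0x80008009, 0x8000000A,
      0x8000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
      0x8000000000008002, 0x8000000000000080, 0x800A, 0x800000008000000A,
      0x8000000080008081, 0x8000000000008080, 0x80000001, 0x8000000080008008]
ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
       [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]

def keccak256(data: bytes) -> bytes:
    """Ethereum Keccak-256: pad10*1 with domain byte 0x01 (SHA3-256 uses 0x06)."""
    rol = lambda x, n: ((x << n) | (x >> (64 - n))) & 0xFFFFFFFFFFFFFFFF
    buf = bytearray(data) + b"\x01"
    buf += b"\x00" * (-len(buf) % 136)
    buf[-1] |= 0x80
    A = [[0] * 5 for _ in range(5)]
    for off in range(0, len(buf), 136):
        for i in range(17):  # absorb one 136-byte block; lane i sits at x = i % 5, y = i // 5
            A[i % 5][i // 5] ^= int.from_bytes(buf[off + 8 * i:off + 8 * i + 8], "little")
        for rc in RC:  # 24 rounds of Keccak-f[1600]: theta, rho+pi, chi, iota
            C = [A[x][0] ^ A[x][1] ^ A[x][2] ^ A[x][3] ^ A[x][4] for x in range(5)]
            D = [C[(x - 1) % 5] ^ rol(C[(x + 1) % 5], 1) for x in range(5)]
            A = [[A[x][y] ^ D[x] for y in range(5)] for x in range(5)]
            B = [[0] * 5 for _ in range(5)]
            for x in range(5):
                for y in range(5):
                    B[y][(2 * x + 3 * y) % 5] = rol(A[x][y], ROT[x][y])
            A = [[B[x][y] ^ (~B[(x + 1) % 5][y] & B[(x + 2) % 5][y])
                  for y in range(5)] for x in range(5)]
            A[0][0] ^= rc
    return b"".join(A[i % 5][i // 5].to_bytes(8, "little") for i in range(4))

P = 2**256 - 2**32 - 977  # secp256k1 field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def _add(p, q):  # affine point addition; None is the point at infinity
    if p is None or q is None:
        return p or q
    if p[0] == q[0] and (p[1] + q[1]) % P == 0:
        return None
    if p == q:
        lam = 3 * p[0] * p[0] * pow(2 * p[1], -1, P) % P
    else:
        lam = (q[1] - p[1]) * pow((q[0] - p[0]) % P, -1, P) % P
    x = (lam * lam - p[0] - q[0]) % P
    return x, (lam * (p[0] - x) - p[1]) % P

def _mul(k, p):  # double-and-add scalar multiplication
    r = None
    while k:
        if k & 1:
            r = _add(r, p)
        p, k = _add(p, p), k >> 1
    return r

def address_of(pub) -> str:  # Ethereum address: low 20 bytes of keccak256(X || Y)
    return "0x" + keccak256(pub[0].to_bytes(32, "big") + pub[1].to_bytes(32, "big"))[-20:].hex()

def recover_signer(msg_hash: bytes, sig: bytes) -> str:
    """ecrecover: signer address from a 65-byte r || s || v recoverable signature."""
    r, s, v = int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:64], "big"), sig[64]
    v = v - 27 if v >= 27 else v  # accept both the 27/28 and the 0/1 encodings of v
    x = r + (v >> 1) * N  # bit 1 of v: R.x is r or r + N
    y = pow(x ** 3 + 7, (P + 1) // 4, P)  # modular sqrt, valid since P % 4 == 3
    y = y if (y & 1) == (v & 1) else P - y  # bit 0 of v: parity of R.y
    e, r_inv = int.from_bytes(msg_hash, "big"), pow(r, -1, N)
    q = _add(_mul(s * r_inv % N, (x, y)), _mul(-e * r_inv % N, G))  # Q = r^-1 (sR - eG)
    return address_of(q) if q else ""

def sign_recoverable(priv: int, msg_hash: bytes, k: int) -> bytes:
    """Constructed signer with a caller-supplied nonce k; only used to build demo receipts."""
    R = _mul(k, G)
    r, e = R[0] % N, int.from_bytes(msg_hash, "big")
    s = pow(k, -1, N) * (e + r * priv) % N
    return r.to_bytes(32, "big") + s.to_bytes(32, "big") + bytes([27 + (R[1] & 1)])

def eip191_hash(text: str) -> bytes:
    """EIP-191 personal message: keccak256("\\x19Ethereum Signed Message:\\n" + len + text)."""
    body = text.encode()
    return keccak256(b"\x19Ethereum Signed Message:\n" + str(len(body)).encode() + body)

def signed_text(model: str, request_body: bytes, response_body: bytes) -> str:
    """Rebuild "{model}:{sha256(request_body)}:{sha256(response_body)}" from the raw bodies."""
    return f"{model}:{hashlib.sha256(request_body).hexdigest()}:{hashlib.sha256(response_body).hexdigest()}"

def verify_message_signature(receipt: dict, request_body: bytes, response_body: bytes) -> bool:
    """True iff the signature recovers to message_signer over these exact bodies."""
    sig = bytes.fromhex(receipt["ecdsa_signature"][2:])
    text = signed_text(receipt["model"], request_body, response_body)
    return len(sig) == 65 and recover_signer(eip191_hash(text), sig) == receipt["message_signer"].lower()

def build_demo_receipt(request_body: bytes, response_body: bytes, priv: int = 1) -> dict:
    model = "zai-org/GLM-5-FP8"  # model id from the page; the signing key is a throwaway
    sig = sign_recoverable(priv, eip191_hash(signed_text(model, request_body, response_body)), 0x1234)
    return {"model": model, "ecdsa_signature": "0x" + sig.hex(), "message_signer": address_of(_mul(priv, G))}
```

A receipt from a real request is checked the same way: pass the receipt together with the exact bytes that were sent and received. Any change to either body, or to the model field, changes the signed text, and the recovered address no longer matches message_signer.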

Session Binding

The TDX quote and GPU evidence are cryptographically bound by a shared nonce:

  1. The GPU attestation nonce appears in the TDX quote's REPORT_DATA[32:64]
  2. The same nonce appears in each GPU's SPDM evidence header
  3. A match across all GPUs proves every attestation was generated in the same session

This binding ensures that the CPU and GPU attestations are not from separate, unrelated sessions.
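The session-binding check described above, together with the REPORT_DATA split from section 1 and the OpaqueData TLV decode from section 2, as an added example that is not OLLM's code: it pulls the TD measurements and REPORT_DATA out of a DCAP v4 quote, separates the model signing address from the GPU session nonce, confirms that every GPU's evidence carries that nonce, and decodes the 2-byte little-endian TLV that selects the RIM. Field offsets follow Intel's published TD report layout for DCAP v4 quotes, which the page does not state; the quote, GPU evidence and TLV type codes that build_demo_receipt produces are constructed test data, and the type codes are placeholders rather than NVIDIA's field identifiers.

```python
# Added example, not OLLM's code: the structural checks a verifier runs on a receipt
# before any signature validation. Offsets follow Intel's TD report layout for DCAP v4
# quotes; the quote, GPU evidence and OpaqueData type codes built by build_demo_receipt
# are constructed test data (the type codes are placeholders, not NVIDIA's values).
import hashlib

QUOTE_HEADER_LEN, TD_REPORT_LEN = 48, 584  # DCAP quote v4 header, TD report body
TD_FIELDS = {  # (offset, length) inside the TD report body
    "tee_tcb_svn": (0, 16), "mrtd": (136, 48), "mrconfigid": (184, 48),
    "rtmr0": (328, 48), "rtmr1": (376, 48), "rtmr2": (424, 48), "rtmr3": (472, 48),
    "report_data": (520, 64),
}

def parse_tdx_quote(quote_hex: str) -> dict:
    """Extract header sanity fields and the TD measurements the receipt exposes (no signature check)."""
    q = bytes.fromhex(quote_hex)
    if len(q) < QUOTE_HEADER_LEN + TD_REPORT_LEN:
        raise ValueError("quote shorter than header + TD report body")
    version, tee_type = int.from_bytes(q[0:2], "little"), int.from_bytes(q[4:8], "little")
    if version != 4 or tee_type != 0x81:  # 0x81 is the TDX TEE type in the quote header
        raise ValueError(f"not a TDX DCAP v4 quote (version={version}, tee_type={tee_type:#x})")
    body = q[QUOTE_HEADER_LEN:QUOTE_HEADER_LEN + TD_REPORT_LEN]
    td = {name: body[off:off + ln] for name, (off, ln) in TD_FIELDS.items()}
    td["model_signing_address"], td["gpu_session_nonce"] = td["report_data"][:32], td["report_data"][32:]
    return td

def parse_opaque_data(blob: bytes) -> dict:
    """Decode 2-byte little-endian TLV records: type(2) | length(2) | value."""
    fields, i = {}, 0
    while i < len(blob):
        if i + 4 > len(blob):
            raise ValueError(f"truncated TLV header at offset {i}")
        t, n = int.from_bytes(blob[i:i + 2], "little"), int.from_bytes(blob[i + 2:i + 4], "little")
        if i + 4 + n > len(blob):
            raise ValueError(f"TLV type {t} at offset {i} declares {n} bytes past end of buffer")
        fields[t] = blob[i + 4:i + 4 + n]
        i += 4 + n
    return fields

def check_session_binding(receipt: dict) -> list:
    """Return problems found; an empty list means CPU and GPU evidence share one session."""
    td = parse_tdx_quote(receipt["tdx_quote"])
    msa_hex = receipt["model_signing_address"]
    problems = []
    if td["model_signing_address"] != bytes.fromhex(msa_hex[2:] if msa_hex.startswith("0x") else msa_hex):
        problems.append("model_signing_address does not match REPORT_DATA[0:32]")
    if not receipt["gpu_evidence"]:
        problems.append("no GPU evidence present")
    for idx, ev in enumerate(receipt["gpu_evidence"]):
        if ev["nonce"] != td["gpu_session_nonce"]:
            problems.append(f"GPU {idx}: SPDM nonce differs from REPORT_DATA[32:64]")
    return problems

# Placeholder OpaqueData type codes for the demo; NVIDIA's real field ids differ.
OD_DRIVER_VERSION, OD_VBIOS_VERSION, OD_CHIP_SKU = 1, 2, 3

def tlv(t: int, value: bytes) -> bytes:
    return t.to_bytes(2, "little") + len(value).to_bytes(2, "little") + value

def build_demo_receipt(gpu_count: int = 2) -> dict:
    """Constructed receipt: zeroed measurements, a fixed nonce, gpu_count GPUs that all carry it."""
    msa = hashlib.sha256(b"demo model identity").digest()
    nonce = hashlib.sha256(b"demo session nonce").digest()
    header = (4).to_bytes(2, "little") + (2).to_bytes(2, "little") + (0x81).to_bytes(4, "little")
    header += b"\x00" * (QUOTE_HEADER_LEN - len(header))
    body = bytearray(TD_REPORT_LEN)
    body[520:584] = msa + nonce
    opaque = tlv(OD_DRIVER_VERSION, b"driver-x.y.z") + tlv(OD_VBIOS_VERSION, b"vbios-a.b") + tlv(OD_CHIP_SKU, b"sku-demo")
    gpus = [{"nonce": nonce, "opaque_data": opaque} for _ in range(gpu_count)]
    return {"tdx_quote": (header + bytes(body)).hex(), "gpu_evidence": gpus, "model_signing_address": "0x" + msa.hex()}
```

Running the binding check first is cheap and rejects a receipt assembled from a valid CPU quote and GPU evidence taken from a different session. The quote's ECDSA signature and PCK chain, the GPU certificate chain, and the RIM comparison still have to be validated separately against the Intel and NVIDIA services listed under External Trust Anchors.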

External Trust Anchors

All verification is against hardware vendors' public infrastructure, not OLLM's.

Service | URL | Purpose
Intel PCS | api.trustedservices.intel.com | TCB status and platform verification
Intel Root CA | Embedded in the TDX quote certificate chain | Signature chain of trust
NVIDIA OCSP | ocsp.ndis.nvidia.com | GPU certificate revocation checks
NVIDIA RIM | rim.attestation.nvidia.com | Signed firmware reference hashes
NVIDIA Root CA | Embedded in the GPU certificate chain | Signature chain of trust

Because all trust anchors are external and publicly auditable, verification does not depend on OLLM infrastructure at any point.