verifier: extend NVIDIA SPDM opaque data parser for newer firmware

josegarvayo-oc · mkulke · commit a7e432648c6a · 2026-02-20T09:33:51.000+01:00
Decode additional fields introduced in later versions of NVIDIA firmware. Found this gap while testing on Azure Confidential VM with H100 GPU. No new test added, but unignored local_verifier_coco test that was failing. Now it pass with this change. Field definitions taken from NVIDIA nvtrust repo: https://github.com/NVIDIA/nvtrust/blob/main/guest_tools/gpu_verifiers/local_gpu_verifier/src/verifier/attestation/spdm_msrt_resp_msg.py Signed-off-by: Jose Garvayo <ext_jose.garvayo@openchip.com>
diff --git a/deps/verifier/src/nvidia/mod.rs b/deps/verifier/src/nvidia/mod.rs
@@ -360,9 +360,6 @@ mod tests {
     // Use the remote verifier with evidence from a CoCo CI run
     #[ignore]
     #[case::remote_verifier_coco(false, "87d8e24ab336adafe228d49e83d745f6dba4ae505372b6a5704820856b343fece279b616efefc2aae21da80cf5581250", include_str!("../../test_data/nvidia/hopper_coco_report1.txt"), include_str!("../../test_data/nvidia/hopper_coco_certs1.txt"), Architecture::Hopper)]
-    // The local verifier does not currently work with this report, which is from a newer device
-    // that has some unknown fields in opaque data.
-    #[ignore]
     #[case::local_verifier_coco(true, "87d8e24ab336adafe228d49e83d745f6dba4ae505372b6a5704820856b343fece279b616efefc2aae21da80cf5581250", include_str!("../../test_data/nvidia/hopper_coco_report1.txt"), include_str!("../../test_data/nvidia/hopper_coco_certs1.txt"), Architecture::Hopper)]
     #[tokio::test(flavor = "multi_thread", worker_threads = 1)]
     async fn test_evaluation(
diff --git a/deps/verifier/src/nvidia/spdm_response.rs b/deps/verifier/src/nvidia/spdm_response.rs
@@ -224,7 +224,8 @@ impl OpaqueData {
                 | OpaqueDataType::Nvdec0Status
                 | OpaqueDataType::Project
                 | OpaqueDataType::ProjectSku
-                | OpaqueDataType::ProtectedPcieStatus => Value::String(
+                | OpaqueDataType::ProtectedPcieStatus
+                | OpaqueDataType::ChipInfo => Value::String(
                     String::from_utf8_lossy(data_bytes)
                         .trim_end_matches('\0')
                         .to_string(),
@@ -235,6 +236,10 @@ impl OpaqueData {
                 ),
                 OpaqueDataType::MsrsCnt => Self::decode_measurement_count(data_bytes)?,
                 OpaqueDataType::SwitchPdi => Self::decode_switch_pdi(data_bytes)?,
+                OpaqueDataType::OpaqueDataVersion => {
+                    Value::Number(Self::decode_le_u64(data_bytes)?.into())
+                }
+                OpaqueDataType::FeatureFlag => Self::decode_feature_flag(data_bytes)?,
                 OpaqueDataType::Invalid => bail!(anyhow!("Hashmap: Invalid OpaqueDataType")),
                 _ => Value::String(hex::encode(data_bytes)),
             };
@@ -316,6 +321,29 @@ impl OpaqueData {
 
         Ok(Value::Object(values))
     }
+
+    fn decode_feature_flag(bytes: &[u8]) -> Result<Value> {
+        let value = Self::decode_le_u64(bytes)?;
+        let feature = match value {
+            0 => "SPT",
+            1 => "MPT",
+            2 => "PPCIE",
+            _ => "unknown",
+        };
+        Ok(Value::String(feature.to_string()))
+    }
+
+    fn decode_le_u64(bytes: &[u8]) -> Result<u64> {
+        if bytes.len() > 8 {
+            bail!("OpaqueDataType integer larger than 8 bytes");
+        }
+        let mut padded = [0u8; 8];
+        let len = bytes.len().min(8);
+        padded[..len].copy_from_slice(&bytes[..len]);
+
+        let value = u64::from_le_bytes(padded);
+        Ok(value)
+    }
 }
 
 #[derive(Clone, Debug, Default)]
@@ -467,6 +495,10 @@ pub enum OpaqueDataType {
     PositionId = 24,
     LockSwitchStatus = 25,
     GpuLinkConn = 32,
+    SysEnableStatus = 33,
+    OpaqueDataVersion = 34,
+    ChipInfo = 35,
+    FeatureFlag = 36,
     #[default]
     Invalid = 255,
 }
@@ -499,6 +531,10 @@ impl OpaqueDataType {
             24 => Some(OpaqueDataType::PositionId),
             25 => Some(OpaqueDataType::LockSwitchStatus),
             32 => Some(OpaqueDataType::GpuLinkConn),
+            33 => Some(OpaqueDataType::SysEnableStatus),
+            34 => Some(OpaqueDataType::OpaqueDataVersion),
+            35 => Some(OpaqueDataType::ChipInfo),
+            36 => Some(OpaqueDataType::FeatureFlag),
             _ => None,
         }
     }
@@ -536,6 +572,10 @@ impl fmt::Display for OpaqueDataType {
             OpaqueDataType::PositionId => write!(f, "position_id"),
             OpaqueDataType::LockSwitchStatus => write!(f, "lock_switch_status"),
             OpaqueDataType::GpuLinkConn => write!(f, "gpu_link_conn"),
+            OpaqueDataType::SysEnableStatus => write!(f, "sys_enable_status"),
+            OpaqueDataType::OpaqueDataVersion => write!(f, "opaque_data_version"),
+            OpaqueDataType::ChipInfo => write!(f, "chip_info"),
+            OpaqueDataType::FeatureFlag => write!(f, "feature_flag"),
             OpaqueDataType::Invalid => write!(f, "invalid"),
         }
     }
