Blueprint, Bootstrap, and Bridge: A Security Look at NVIDIA GPU Confidential Computing
Abstract
GPU Confidential Computing (GPU-CC), introduced with the NVIDIA Hopper architecture, extends confidential computing protections from CPUs to GPUs, enabling secure execution of AI workloads. For end users, enabling GPU-CC is seamless and requires no modifications to existing applications. However, behind this ease of adoption lies a proprietary and highly complex system whose opacity presents significant challenges for early adopters and system researchers seeking to understand its architecture and security landscape. In this work, we provide a security-focused look at GPU-CC by reconstructing a coherent view of the system. Our analysis begins from GPU-CC's blueprint, focusing on the specialized architectural engines that underpin its security design. We then investigate GPU-CC's bootstrap process, which orchestrates hardware and software components to establish the core security mechanisms. Finally, we conduct targeted experiments to evaluate whether, under GPU-CC's threat model, data transfers over different data paths remain secure when they cross the bridge between the trusted CPU and GPU domains. All security findings presented in this paper have been reported responsibly to the NVIDIA Product Security Incident Response Team (PSIRT).