NVIDIA TEE Threat Model
Threat Categories
Hardware Attacks
- Physical Tampering: Mitigated by secure boot and hardware security module
- Cold Boot Attacks: Prevented by hardware memory encryption with ephemeral keys
- Side Channels: Partially mitigated; timing and power analysis remain research areas
Software Attacks
- Malicious Host OS: TEE isolation prevents host access to GPU memory
- Hypervisor Compromise: Direct GPU access bypasses hypervisor layer
- Driver Attacks: Signed drivers with attestation verification
Multi-Tenancy Risks
- Cross-Partition Leakage: MIG hardware isolation with independent keys
- Resource Exhaustion: Hardware-enforced quotas per partition
- Shared Component Attacks: L2 cache partitioning reduces attack surface
Risk Assessment
| Attack Vector | Likelihood | Impact | Mitigation |
|---|---|---|---|
| Physical Access | Low | High | Implemented |
| Host Compromise | Medium | High | Implemented |
| Side Channels | Medium | Medium | In Progress |
| Supply Chain | Low | High | Implemented |
| Network Attacks | Medium | Medium | Implemented |
Residual Risks
Known Limitations
- Some microarchitectural side channels not fully mitigated
- GPU driver remains in trusted computing base
- Performance vs security trade-offs for certain optimizations
Recommendations
- Always verify attestation before deploying sensitive workloads
- Implement application-level encryption for defense in depth
- Monitor for unusual GPU behavior patterns
External Resources
Return to NVIDIA TEE Overview