by zifpanachr23 488 days ago
Maybe it's naive of me but I also don't really perceive much of a security imperative for NVIDIA. They make graphics cards and slop generator cards for the most part. What exactly is the threat model here that requires switching to prioritizing memory safety? Are there a lot of graphics card related codes that are being exploited in the wild?

NVIDIA GPU RISC-V root of trust is analogous to Apple T2 secure enclave, AMD PSP, or Intel ME, which all perform security-critical functions.

> What exactly is the threat model here

It probably varies by product, but one commercial possibility is protection of price premiums, e.g. enforce feature segmentation for different products or customers, while using common silicon. NVIDIA operating margin reached 50%, unusually high for a hardware company, https://www.macrotrends.net/stocks/charts/NVDA/nvidia/operat.... AMD margin is below 20%.

2021, https://www.youtube.com/watch?v=l7i1kfHvWNI

2024, https://static.sched.com/hosted_files/riscvsummit2024/fe/Key...

  ~1 Billion RISC-V cores shipping in 2024 NVIDIA chips
  Unified embedded HW and SW across all NVIDIA products
    • Eliminates replication in basic primitives (isolation, crypto etc.)
    • Maximizes SW/HW leverage across NVIDIA
  Configuration: pay only for what is needed
  Custom extensions: additional functionality, security, and performance
  Our HW and SW architecture enable differentiation
There are upcoming open hardware/firmware RoT building blocks like OpenTitan (RISC-V), OCP Caliptra and TockOS (Rust) that could be used by competing device and platform vendors.

> don't really perceive much of a security imperative for NVIDIA

When countries start budgeting hundreds of billions of dollars for national investment in LLM-based AI based on GPUs, they may introduce new security requirements for the underlying infrastructure.

Yeah, there's a whole bunch of places where NVIDIA kit is used outside of "graphics cards and slop generators". I work on a drone system based around the Orin AGX and we definitely have "leverage the root of trust functionality to lock down the code that can run on the Orin" on the roadmap before we ever let the hardware end up directly in customers' hands. Root of trust -> Signed Bootloader -> Signed Kernel -> Signed Binaries. There's too much IP that we've spent too much money on to risk having end-users getting access to the raw TensorRT models involved.
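The chain in the comment above (root of trust -> signed bootloader -> signed kernel -> signed binaries) in working form, as an added Go example that is not from the commenter's project, from NVIDIA's firmware, or from any real boot ROM. The Ed25519 keys, stage names and image bytes are constructed stand-ins; what the example shows is the one structural rule that makes such a chain hold together: each stage's signature must cover the public key that will be used to verify the next stage, so that a tampered image anywhere in the chain halts the boot at that link.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Stage models one link of a verified boot chain: an image (Payload), the
// public key this stage will use to verify the *next* stage (NextPub), and a
// signature over both made with the key the *previous* stage trusts.
// Binding NextPub into the signed bytes is what turns a list of signed blobs
// into a chain: swapping in a different kernel key would require forging the
// bootloader signature.
type Stage struct {
	Name    string
	Payload []byte            // constructed stand-in for bootloader/kernel/app bytes
	NextPub ed25519.PublicKey // key used to verify the following stage (nil for the last)
	Sig     []byte            // Ed25519 signature over signedBytes()
}

// signedBytes is the byte string the signature covers. A real image format
// would use a fixed header; a NUL separator is enough for this demo.
func (s Stage) signedBytes() []byte {
	msg := append([]byte(s.Name+"\x00"), s.Payload...)
	return append(msg, s.NextPub...)
}

// signStage produces a stage signed by the previous link's private key.
func signStage(name string, payload []byte, nextPub ed25519.PublicKey, signer ed25519.PrivateKey) Stage {
	s := Stage{Name: name, Payload: payload, NextPub: nextPub}
	s.Sig = ed25519.Sign(signer, s.signedBytes())
	return s
}

// VerifyChain plays the role of the root of trust: rootPub stands in for the
// key burned into fuses, and each stage is checked with the key vouched for by
// the stage before it. It returns the names of the stages that were allowed
// to run and stops at the first stage that fails verification.
func VerifyChain(rootPub ed25519.PublicKey, stages []Stage) ([]string, error) {
	var ran []string
	trusted := rootPub
	for _, st := range stages {
		// ed25519.Verify panics on a malformed key, so refuse to proceed
		// when the previous stage vouched for nothing.
		if len(trusted) != ed25519.PublicKeySize {
			return ran, fmt.Errorf("%s: no verification key for this stage, halting boot", st.Name)
		}
		if !ed25519.Verify(trusted, st.signedBytes(), st.Sig) {
			return ran, fmt.Errorf("%s: signature verification failed, halting boot", st.Name)
		}
		ran = append(ran, st.Name)
		trusted = st.NextPub
	}
	return ran, nil
}

// BuildDemoChain creates a three-link chain (bootloader, kernel, application)
// with freshly generated keys, plus a second chain whose kernel image has been
// modified after signing. Returns root public key, genuine chain, tampered chain.
func BuildDemoChain() (ed25519.PublicKey, []Stage, []Stage, error) {
	rootPub, rootPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	blPub, blPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	kPub, kPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	bootloader := signStage("bootloader", []byte("constructed bootloader image"), blPub, rootPriv)
	kernel := signStage("kernel", []byte("constructed kernel image"), kPub, blPriv)
	app := signStage("tensorrt-runtime", []byte("constructed application image"), nil, kPriv)

	good := []Stage{bootloader, kernel, app}
	tampered := kernel // struct copy; replacing Payload leaves the original untouched
	tampered.Payload = []byte("constructed kernel image with an unsigned patch")
	bad := []Stage{bootloader, tampered, app}
	return rootPub, good, bad, nil
}

func main() {
	rootPub, good, bad, err := BuildDemoChain()
	if err != nil {
		panic(err)
	}
	ran, err := VerifyChain(rootPub, good)
	fmt.Println("genuine chain ran:", ran, "err:", err)
	ran, err = VerifyChain(rootPub, bad)
	fmt.Println("tampered chain ran:", ran, "err:", err)
}
```

Running it boots all three stages for the genuine chain and stops after the bootloader for the tampered one. The example deliberately leaves out the pieces a production chain adds on top of this rule: a root key that is immutable (fused) rather than passed in, anti-rollback counters so an old signed-but-vulnerable image cannot be reinstalled, and a key revocation mechanism, all of which are what the hardware root of trust in the comment is there to provide.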
Are you aware of how the Nintendo Switch got piracy?