NVIDIA confidential computing extends CPU trusted execution environments (TEEs) to GPUs, enabling secure GPU workloads in shared cloud or edge infrastructure. This post explains how OpenShift sandboxed containers integrate with NVIDIA Hopper/Blackwell GPUs using hardware-based isolation, encrypted PCIe transfers, and remote attestation via the Red Hat build of Trustee. Key operators involved include Node Feature Discovery, NVIDIA GPU Operator, OpenShift sandboxed containers operator, and the Trustee operator. The attestation flow covers both CPU TEEs (AMD SEV-SNP or Intel TDX) and GPU TEEs, delegating GPU evidence validation to NVIDIA Remote Attestation Service (NRAS). Practical steps for deploying a confidential GPU pod, inspecting attestation tokens, and verifying trustworthiness claims are provided, along with current limitations such as single GPU per confidential container and OpenShift 4.21.9+ requirement.
Table of contents
Confidential computing on NVIDIA GPUsNVIDIA Confidential Computing on GPUs with OpenShiftAttestation of CPU and GPU TEEs with Red Hat build of TrusteeImportant considerations and limitationsNext stepsSort: