Expand Up @@ -324,7 +324,7 @@ def create_challenge request, options = nil
# @param options [::Gapic::CallOptions, ::Hash]
# Overrides the default settings for this call, e.g, timeout, retries, etc. Optional.
#
# @overload verify_attestation(td_ccel: nil, sev_snp_attestation: nil, challenge: nil, gcp_credentials: nil, tpm_attestation: nil, confidential_space_info: nil, token_options: nil, attester: nil)
# @overload verify_attestation(td_ccel: nil, sev_snp_attestation: nil, nvidia_attestation: nil, challenge: nil, gcp_credentials: nil, tpm_attestation: nil, confidential_space_info: nil, token_options: nil, attester: nil)
# Pass arguments to `verify_attestation` via keyword arguments. Note that at
# least one keyword argument is required. To specify no parameters, or to keep all
# the default parameter values, pass an empty Hash as a request object (see above).
Expand All @@ -337,6 +337,8 @@ def create_challenge request, options = nil
# Optional. An SEV-SNP Attestation Report.
#
# Note: The following parameters are mutually exclusive: `sev_snp_attestation`, `td_ccel`. At most one of these parameters can be set. If more than one is set, only one will be used, and it is not defined which one.
# @param nvidia_attestation [::Google::Cloud::ConfidentialComputing::V1::NvidiaAttestation, ::Hash]
# Optional. An Nvidia attestation report for GPU and NVSwitch devices.
# @param challenge [::String]
# Required. The name of the Challenge whose nonce was used to generate the
# attestation, in the format `projects/*/locations/*/challenges/*`. The
Expand Down Expand Up @@ -434,7 +436,7 @@ def verify_attestation request, options = nil
# @param options [::Gapic::CallOptions, ::Hash]
# Overrides the default settings for this call, e.g, timeout, retries, etc. Optional.
#
# @overload verify_confidential_space(td_ccel: nil, tpm_attestation: nil, challenge: nil, gcp_credentials: nil, signed_entities: nil, gce_shielded_identity: nil, options: nil)
# @overload verify_confidential_space(td_ccel: nil, tpm_attestation: nil, challenge: nil, gcp_credentials: nil, signed_entities: nil, gce_shielded_identity: nil, options: nil, nvidia_attestation: nil)
# Pass arguments to `verify_confidential_space` via keyword arguments. Note that at
# least one keyword argument is required. To specify no parameters, or to keep all
# the default parameter values, pass an empty Hash as a request object (see above).
Expand Down Expand Up @@ -464,6 +466,9 @@ def verify_attestation request, options = nil
# this information in the attestation.
# @param options [::Google::Cloud::ConfidentialComputing::V1::VerifyConfidentialSpaceRequest::ConfidentialSpaceOptions, ::Hash]
# Optional. A collection of fields that modify the token output.
# @param nvidia_attestation [::Google::Cloud::ConfidentialComputing::V1::NvidiaAttestation, ::Hash]
# Optional. An optional Nvidia attestation report, used to populate hardware
# rooted claims for Nvidia devices.
#
# @yield [response, operation] Access the result along with the RPC operation
# @yieldparam response [::Google::Cloud::ConfidentialComputing::V1::VerifyConfidentialSpaceResponse]
Expand Down Expand Up @@ -543,7 +548,7 @@ def verify_confidential_space request, options = nil
# @param options [::Gapic::CallOptions, ::Hash]
# Overrides the default settings for this call, e.g, timeout, retries, etc. Optional.
#
# @overload verify_confidential_gke(tpm_attestation: nil, challenge: nil)
# @overload verify_confidential_gke(tpm_attestation: nil, challenge: nil, options: nil)
# Pass arguments to `verify_confidential_gke` via keyword arguments. Note that at
# least one keyword argument is required. To specify no parameters, or to keep all
# the default parameter values, pass an empty Hash as a request object (see above).
Expand All @@ -555,6 +560,8 @@ def verify_confidential_space request, options = nil
# Required. The name of the Challenge whose nonce was used to generate the
# attestation, in the format projects/*/locations/*/challenges/*. The
# provided Challenge will be consumed, and cannot be used again.
# @param options [::Google::Cloud::ConfidentialComputing::V1::VerifyConfidentialGkeRequest::ConfidentialGkeOptions, ::Hash]
# Optional. A collection of fields that modify the token output.
#
# @yield [response, operation] Access the result along with the RPC operation
# @yieldparam response [::Google::Cloud::ConfidentialComputing::V1::VerifyConfidentialGkeResponse]
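Review bot: The new `nvidia_attestation` parameter of `verify_attestation` is documented only as "An Nvidia attestation report for GPU and NVSwitch devices", directly under the mutual-exclusion note for `sev_snp_attestation` and `td_ccel`, so a caller cannot tell whether it is independent of that set or how the report relates to the nonce of the `challenge` parameter described next. A relying party needs that freshness binding spelled out; I would add a hedged line such as `# Not part of the sev_snp_attestation/td_ccel set; the report is expected to cover the nonce of +challenge+ (confirm against the service definition).` The same gap is in `verify_confidential_space`, where the text also reads "Optional. An optional ...", and in the second file section on this page, which repeats these comments for the REST transport. These comments look generated from the API definition, so the wording would most likely have to change there.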
Expand Up @@ -311,7 +311,7 @@ def create_challenge request, options = nil
# @param options [::Gapic::CallOptions, ::Hash]
# Overrides the default settings for this call, e.g, timeout, retries etc. Optional.
#
# @overload verify_attestation(td_ccel: nil, sev_snp_attestation: nil, challenge: nil, gcp_credentials: nil, tpm_attestation: nil, confidential_space_info: nil, token_options: nil, attester: nil)
# @overload verify_attestation(td_ccel: nil, sev_snp_attestation: nil, nvidia_attestation: nil, challenge: nil, gcp_credentials: nil, tpm_attestation: nil, confidential_space_info: nil, token_options: nil, attester: nil)
# Pass arguments to `verify_attestation` via keyword arguments. Note that at
# least one keyword argument is required. To specify no parameters, or to keep all
# the default parameter values, pass an empty Hash as a request object (see above).
Expand All @@ -324,6 +324,8 @@ def create_challenge request, options = nil
# Optional. An SEV-SNP Attestation Report.
#
# Note: The following parameters are mutually exclusive: `sev_snp_attestation`, `td_ccel`. At most one of these parameters can be set. If more than one is set, only one will be used, and it is not defined which one.
# @param nvidia_attestation [::Google::Cloud::ConfidentialComputing::V1::NvidiaAttestation, ::Hash]
# Optional. An Nvidia attestation report for GPU and NVSwitch devices.
# @param challenge [::String]
# Required. The name of the Challenge whose nonce was used to generate the
# attestation, in the format `projects/*/locations/*/challenges/*`. The
Expand Down Expand Up @@ -414,7 +416,7 @@ def verify_attestation request, options = nil
# @param options [::Gapic::CallOptions, ::Hash]
# Overrides the default settings for this call, e.g, timeout, retries etc. Optional.
#
# @overload verify_confidential_space(td_ccel: nil, tpm_attestation: nil, challenge: nil, gcp_credentials: nil, signed_entities: nil, gce_shielded_identity: nil, options: nil)
# @overload verify_confidential_space(td_ccel: nil, tpm_attestation: nil, challenge: nil, gcp_credentials: nil, signed_entities: nil, gce_shielded_identity: nil, options: nil, nvidia_attestation: nil)
# Pass arguments to `verify_confidential_space` via keyword arguments. Note that at
# least one keyword argument is required. To specify no parameters, or to keep all
# the default parameter values, pass an empty Hash as a request object (see above).
Expand Down Expand Up @@ -444,6 +446,9 @@ def verify_attestation request, options = nil
# this information in the attestation.
# @param options [::Google::Cloud::ConfidentialComputing::V1::VerifyConfidentialSpaceRequest::ConfidentialSpaceOptions, ::Hash]
# Optional. A collection of fields that modify the token output.
# @param nvidia_attestation [::Google::Cloud::ConfidentialComputing::V1::NvidiaAttestation, ::Hash]
# Optional. An optional Nvidia attestation report, used to populate hardware
# rooted claims for Nvidia devices.
# @yield [result, operation] Access the result along with the TransportOperation object
# @yieldparam result [::Google::Cloud::ConfidentialComputing::V1::VerifyConfidentialSpaceResponse]
# @yieldparam operation [::Gapic::Rest::TransportOperation]
Expand Down Expand Up @@ -516,7 +521,7 @@ def verify_confidential_space request, options = nil
# @param options [::Gapic::CallOptions, ::Hash]
# Overrides the default settings for this call, e.g, timeout, retries etc. Optional.
#
# @overload verify_confidential_gke(tpm_attestation: nil, challenge: nil)
# @overload verify_confidential_gke(tpm_attestation: nil, challenge: nil, options: nil)
# Pass arguments to `verify_confidential_gke` via keyword arguments. Note that at
# least one keyword argument is required. To specify no parameters, or to keep all
# the default parameter values, pass an empty Hash as a request object (see above).
Expand All @@ -528,6 +533,8 @@ def verify_confidential_space request, options = nil
# Required. The name of the Challenge whose nonce was used to generate the
# attestation, in the format projects/*/locations/*/challenges/*. The
# provided Challenge will be consumed, and cannot be used again.
# @param options [::Google::Cloud::ConfidentialComputing::V1::VerifyConfidentialGkeRequest::ConfidentialGkeOptions, ::Hash]
# Optional. A collection of fields that modify the token output.
# @yield [result, operation] Access the result along with the TransportOperation object
# @yieldparam result [::Google::Cloud::ConfidentialComputing::V1::VerifyConfidentialGkeResponse]
# @yieldparam operation [::Gapic::Rest::TransportOperation]

Large diffs are not rendered by default.

Expand Up @@ -70,6 +70,9 @@ class CreateChallengeRequest
# Optional. An SEV-SNP Attestation Report.
#
# Note: The following fields are mutually exclusive: `sev_snp_attestation`, `td_ccel`. If a field in that set is populated, all other fields in the set will automatically be cleared.
# @!attribute [rw] nvidia_attestation
# @return [::Google::Cloud::ConfidentialComputing::V1::NvidiaAttestation]
# Optional. An Nvidia attestation report for GPU and NVSwitch devices.
# @!attribute [rw] challenge
# @return [::String]
# Required. The name of the Challenge whose nonce was used to generate the
Expand Down Expand Up @@ -99,6 +102,116 @@ class VerifyAttestationRequest
extend ::Google::Protobuf::MessageExts::ClassMethods
end

# An Nvidia attestation report for GPU and NVSwitch devices.
# Contains necessary attestation evidence that the client collects for
# verification.
# @!attribute [rw] spt
# @return [::Google::Cloud::ConfidentialComputing::V1::NvidiaAttestation::SinglePassthroughAttestation]
# Single GPU Passthrough (SPT) attestation.
#
# Note: The following fields are mutually exclusive: `spt`, `ppcie`, `mpt`. If a field in that set is populated, all other fields in the set will automatically be cleared.
# @!attribute [rw] ppcie
# @return [::Google::Cloud::ConfidentialComputing::V1::NvidiaAttestation::ProtectedPcieAttestation]
# Protected PCIe (PPCIE) attestation.
#
# Note: The following fields are mutually exclusive: `ppcie`, `spt`, `mpt`. If a field in that set is populated, all other fields in the set will automatically be cleared.
# @!attribute [rw] mpt
# @return [::Google::Cloud::ConfidentialComputing::V1::NvidiaAttestation::MultiGpuSecurePassthroughAttestation]
# Multi-GPU Secure Passthrough (MPT) attestation.
#
# Note: The following fields are mutually exclusive: `mpt`, `spt`, `ppcie`. If a field in that set is populated, all other fields in the set will automatically be cleared.
class NvidiaAttestation
include ::Google::Protobuf::MessageExts
extend ::Google::Protobuf::MessageExts::ClassMethods

# GpuInfo contains the attestation evidence for a GPU device.
# @!attribute [rw] uuid
# @return [::String]
# Optional. The UUID of the GPU device.
# @!attribute [rw] driver_version
# @return [::String]
# Optional. The driver version of the GPU.
# @!attribute [rw] vbios_version
# @return [::String]
# Optional. The vBIOS version of the GPU.
# @!attribute [rw] gpu_architecture_type
# @return [::Google::Cloud::ConfidentialComputing::V1::NvidiaAttestation::GpuArchitectureType]
# Optional. The GPU architecture type.
# @!attribute [rw] attestation_certificate_chain
# @return [::String]
# Optional. The raw attestation certificate chain for the GPU device.
# @!attribute [rw] attestation_report
# @return [::String]
# Optional. The raw attestation report for the GPU device.
# This field contains SPDM request/response defined in
# https://www.dmtf.org/sites/default/files/standards/documents/DSP0274_1.1.0.pdf
class GpuInfo
include ::Google::Protobuf::MessageExts
extend ::Google::Protobuf::MessageExts::ClassMethods
end

# SwitchInfo contains the attestation evidence for a NVSwitch device.
# @!attribute [rw] uuid
# @return [::String]
# Optional. The UUID of the NVSwitch device.
# @!attribute [rw] attestation_certificate_chain
# @return [::String]
# Optional. The raw attestation certificate chain for the NVSwitch device.
# @!attribute [rw] attestation_report
# @return [::String]
# Optional. The raw attestation report for the NvSwitch device.
# This field contains SPDM request/response defined in
# https://www.dmtf.org/sites/default/files/standards/documents/DSP0274_1.1.0.pdf
class SwitchInfo
include ::Google::Protobuf::MessageExts
extend ::Google::Protobuf::MessageExts::ClassMethods
end

# Single GPU Passthrough (SPT) attestation.
# @!attribute [rw] gpu_quote
# @return [::Google::Cloud::ConfidentialComputing::V1::NvidiaAttestation::GpuInfo]
# Optional. Single GPU quote.
class SinglePassthroughAttestation
include ::Google::Protobuf::MessageExts
extend ::Google::Protobuf::MessageExts::ClassMethods
end

# Protected PCIe (PPCIE) attestation.
# Eight Hopper GPUs with Four NVSwitch Passthrough.
# @!attribute [rw] gpu_quotes
# @return [::Array<::Google::Cloud::ConfidentialComputing::V1::NvidiaAttestation::GpuInfo>]
# Optional. A list of GPU infos.
# @!attribute [rw] switch_quotes
# @return [::Array<::Google::Cloud::ConfidentialComputing::V1::NvidiaAttestation::SwitchInfo>]
# Optional. A list of SWITCH infos.
class ProtectedPcieAttestation
include ::Google::Protobuf::MessageExts
extend ::Google::Protobuf::MessageExts::ClassMethods
end

# MultiGpuSecurePassthroughAttestation contains the attestation evidence
# for a Multi-GPU Secure Passthrough (MPT) attestation.
# @!attribute [rw] gpu_quotes
# @return [::Array<::Google::Cloud::ConfidentialComputing::V1::NvidiaAttestation::GpuInfo>]
# Optional. A list of GPU quotes.
class MultiGpuSecurePassthroughAttestation
include ::Google::Protobuf::MessageExts
extend ::Google::Protobuf::MessageExts::ClassMethods
end

# GpuArchitectureType enumerates the supported GPU architecture types.
module GpuArchitectureType
# Unspecified GPU architecture type.
GPU_ARCHITECTURE_TYPE_UNSPECIFIED = 0

# Hopper GPU architecture type.
GPU_ARCHITECTURE_TYPE_HOPPER = 8

# Blackwell GPU architecture type.
GPU_ARCHITECTURE_TYPE_BLACKWELL = 10
end
end

# A TDX Attestation quote.
# @!attribute [rw] ccel_acpi_table
# @return [::String]
Expand Down Expand Up @@ -355,6 +468,10 @@ class ContainerImageSignature
# @!attribute [rw] options
# @return [::Google::Cloud::ConfidentialComputing::V1::VerifyConfidentialSpaceRequest::ConfidentialSpaceOptions]
# Optional. A collection of fields that modify the token output.
# @!attribute [rw] nvidia_attestation
# @return [::Google::Cloud::ConfidentialComputing::V1::NvidiaAttestation]
# Optional. An optional Nvidia attestation report, used to populate hardware
# rooted claims for Nvidia devices.
class VerifyConfidentialSpaceRequest
include ::Google::Protobuf::MessageExts
extend ::Google::Protobuf::MessageExts::ClassMethods
Expand Down Expand Up @@ -431,9 +548,31 @@ class VerifyConfidentialSpaceResponse
# Required. The name of the Challenge whose nonce was used to generate the
# attestation, in the format projects/*/locations/*/challenges/*. The
# provided Challenge will be consumed, and cannot be used again.
# @!attribute [rw] options
# @return [::Google::Cloud::ConfidentialComputing::V1::VerifyConfidentialGkeRequest::ConfidentialGkeOptions]
# Optional. A collection of fields that modify the token output.
class VerifyConfidentialGkeRequest
include ::Google::Protobuf::MessageExts
extend ::Google::Protobuf::MessageExts::ClassMethods

# Token options for Confidential GKE attestation.
# @!attribute [rw] audience
# @return [::String]
# Optional. Optional string to issue the token with a custom audience
# claim. Required if custom nonces are specified.
# @!attribute [rw] nonce
# @return [::Array<::String>]
# Optional. Optional parameter to place one or more nonces in the eat_nonce
# claim in the output token. The minimum size for JSON-encoded EATs is 10
# bytes and the maximum size is 74 bytes.
# @!attribute [rw] signature_type
# @return [::Google::Cloud::ConfidentialComputing::V1::SignatureType]
# Optional. Optional specification for how to sign the attestation token.
# Defaults to SIGNATURE_TYPE_OIDC if unspecified.
class ConfidentialGkeOptions
include ::Google::Protobuf::MessageExts
extend ::Google::Protobuf::MessageExts::ClassMethods
end
end

# VerifyConfidentialGkeResponse response is returened once a Confidential GKE
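Review bot: In `ConfidentialGkeOptions`, the `nonce` comment says "The minimum size for JSON-encoded EATs is 10 bytes and the maximum size is 74 bytes", which reads as a limit on the token rather than on each nonce, and it does not say what happens to a value outside that range. If callers rely on these nonces for freshness in the `eat_nonce` claim, the limit should be unambiguous, for example `# Each nonce is presumably limited to 10..74 bytes (JSON-encoded EAT); confirm whether out-of-range values are rejected.` Separately, `GpuInfo` and `SwitchInfo` type `attestation_report` and `attestation_certificate_chain` as `::String` but describe them as raw, so the comment should state the expected encoding (binary string versus PEM or base64), which cannot be told from this section. The `audience`, `nonce` and `signature_type` descriptions each open with "Optional. Optional ...", which can be reduced to one.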