NVIDIA’s GPU Confidential Computing (GPU-CC) systems suffer from insufficient security research transparency due to undocumented specifications, closed ecosystems, and architectural complexity. Method: This work presents the first systematic reverse-engineering of GPU-CC on the Hopper architecture, integrating open-source driver analysis, kernel module dynamic observation, cross-source fragmented information synthesis, and security-driven reasoning to reconstruct a complete logical model of the opaque GPU-CC architecture. Contribution/Results: It uncovers the security-critical GPU–CPU collaboration logic during trusted boundary extension and delivers verifiable inferences about otherwise unobservable components. The study identifies multiple security weaknesses and attack surfaces, all validated by NVIDIA PSIRT. It establishes the first threat modeling and deep analysis framework tailored for GPU-CC, providing foundational theory and practical methodology for securing AI workloads and enabling privacy-preserving computation.

GPU Confidential Computing (GPU-CC) was introduced as part of the NVIDIA Hopper Architecture, extending the trust boundary beyond traditional CPU-based confidential computing. This innovation enables GPUs to securely process AI workloads, providing a robust and efficient solution for handling sensitive data. For end users, transitioning to GPU-CC mode is seamless, requiring no modifications to existing AI applications. However, this ease of adoption contrasts sharply with the complexity of the underlying proprietary systems. The lack of transparency presents significant challenges for security researchers seeking a deeper understanding of GPU-CC's architecture and operational mechanisms. The challenges of analyzing the NVIDIA GPU-CC system arise from a scarcity of detailed specifications, the proprietary nature of the ecosystem, and the complexity of product design. In this paper, we aim to demystify the implementation of NVIDIA GPU-CC system by piecing together the fragmented and incomplete information disclosed from various sources. Our investigation begins with a high-level discussion of the threat model and security principles before delving into the low-level details of each system component. We instrument the GPU kernel module -- the only open-source component of the system -- and conduct a series of experiments to identify the security weaknesses and potential exploits. For certain components that are out of reach through experiments, we propose well-reasoned speculations about their inner working mechanisms. We have responsibly reported all security findings presented in this paper to the NVIDIA PSIRT Team.