GPU + CPU Requirements for TEE Mode

This guide outlines the core requirements and technical insights for GPU + CPU TEE compatibility, including supported setups, unsupported options, and hardware selection criteria for confidential computing and onboarding to Super Protocol.

As of Jan 15, 2025

This document is subject to periodic updates as new hardware, drivers, and validation data become available – or as such information is confirmed by or reported to Super Protocol.

For the most accurate and up-to-date guidance, always consult your provider directly when making a decision.

Core TEE Requirements

1. TEE Mode Compatibility

The system's CPU and GPU must both support TEE mode and be fully compatible with each other to operate in confidential mode.

2. Recommended Instance Types

Bare Metal or Colocation Hosting
For Google Cloud — use Confidential Virtual Machine (CVM) — with Super OS image
Support for CVMs from other cloud providers will be added in upcoming Super Protocol releases

3. Supported GPU + CPU Configurations

3.1 Hopper (H100, H200)

Google Cloud CVM with NVIDIA H100 and Intel TDX (A3 machine series)
Single-GPU Servers. H100/H200 (PCIe or NVL). Paired with:
- Intel CPU: Starting from 5th Gen Intel Xeon (x5xx series - Emerald Rapids) with Intel TDX. Memory configuration must comply with Intel TDX requirements.
- AMD CPU: Starting from AMD EPYC Genoa (9xx4 series) with AMD SEV-SNP.
4-GPU HGX Systems (SXM). Only 4x H100 in SXM5 form-factor that come with NVLink. Paired with:
- Intel CPU: Starting from 5th Gen Intel Xeon (x5xx series - Emerald Rapids) with Intel TDX. Memory configuration must comply with Intel TDX requirements.
- AMD CPU: Starting from AMD EPYC Genoa (9xx4 series) with AMD SEV-SNP.
8-GPU HGX Systems (SXM). Only 8x H100 NVL / H200 in SXM5 form-factor that come with NVLink & 4 NVSwitches. Paired with:
- Intel CPU: Starting from 5th Gen Intel Xeon (x5xx series - Emerald Rapids) with Intel TDX. Memory configuration must comply with Intel TDX requirements.
- AMD CPU: Starting from AMD EPYC Genoa (9xx4 series) with AMD SEV-SNP.

3.2 Blackwell (B200, RTX PRO 6000)

DGX B200 System. 8x Blackwell GPUs with NVLink & 4 NVSwitches. Paired with:
- Intel CPU: Starting from 5th Gen Intel Xeon (x5xx series - Emerald Rapids) with Intel TDX. Memory configuration must comply with Intel TDX requirements.
HGX B200 System. 8x Blackwell GPUs with NVLink & 4 NVSwitches. Paired with:
- Intel CPU: Starting from 5th Gen Intel Xeon (x5xx series - Emerald Rapids) with Intel TDX. Memory configuration must comply with Intel TDX requirements.
- AMD CPU: Starting from AMD EPYC Genoa (9xx4 series) with AMD SEV-SNP.
RTX PRO 6000 Blackwell Server Edition. Paired with:
- Intel CPU: Starting from 5th Gen Intel Xeon (x5xx series - Emerald Rapids) with Intel TDX. Memory configuration must comply with Intel TDX requirements.
- AMD CPU: Starting from AMD EPYC Genoa (9xx4 series) with AMD SEV-SNP.

3.3 Expected

Blackwell Architecture:

HGX/DGX B300 System.
RTX PRO 6000 Blackwell Workstation and Max-Q Workstation Editions.

Rubin Architecture:

Vera Rubin NVL72. 72x Rubin GPUs, 36x Vera CPUs.
DGX Rubin NVL8. 8x Rubin GPUs, 2x Intel Xeon 6776P processors.
HGX Rubin NVL8.

More information will be provided at a later time.

TECHNICAL INSIGHTS

1. Hopper vs Blackwell in TEE Mode

Unlike DGX/HGX Hopper-based systems (H100/H200), which support either single-GPU passthrough or full-platform passthrough (e.g., 8-GPU systems), Blackwell-based platforms (such as B200 and RTX PRO 6000) introduce greater flexibility and enhanced inter-GPU security in TEE mode.

They may be configured to run both TEE and non-TEE virtual machines (VMs) on the same system. However, for bare metal servers, where the entire machine is dedicated to a single user, this distinction may be less relevant.

Blackwell-based HGX/DGX systems with NVLink are expected to support configurations with 1, 2, 4, or 8 GPUs in TEE mode, providing significantly more deployment options than previous-generation systems.

1.1 Hopper (Confidential Computing Driver)

Hopper GPUs support two TEE modes:

Single GPU Passthrough (SPT CC): 1 GPU per Confidential VM (CVM). Multiple CVMs may run on the same node, each with 1 GPU.
Multi-GPU Passthrough (PPCIe CC): All 8 GPUs within the physical platform are passed through to a single CVM. CPU–GPU traffic is encrypted via a bounce buffer, but GPU–GPU communication over NVLink or NVSwitch is not hardware-encrypted.

Hopper does not support partial GPU allocation within a larger multi-GPU platform.

1.2 Blackwell (R590 TRD1 Driver)

Blackwell expands multi-GPU TEE capabilities:

Multiple GPU Passthrough (MPT CC): The R590 TRD1 driver enables MPT CC on supported HGX B200 and B200-850 (8-GPU, SXM6 180GB HBM3e, AC) platforms. Within a supported multi-GPU platform, 1, 2, 4, or 8 GPUs may be assigned to a single Confidential VM (CVM). CPU–GPU traffic is encrypted via bounce buffers, while GPU–GPU communication within the same CVM occurs over hardware-encrypted NVLink connections.
This enables granular GPU allocation and extends the trusted boundary across multiple GPUs within a CVM.
Single GPU Passthrough (SPT CC): The R590 TRD1 driver also supports 1 GPU per CVM under SPT CC mode.
Mixed Deployment: Blackwell systems may also support mixed TEE and non-TEE virtual machines on the same physical server, subject to configuration. However, for bare metal servers, where the entire machine is dedicated to a single user, this distinction may be operationally less relevant.

Refer to official NVIDIA Confidential Computing driver documentation for SKU-level compatibility and supported modes.

2. NVIDIA RTX PRO 6000 Blackwell

NVIDIA has released Confidential Computing (TEE) driver support for the RTX PRO 6000 Blackwell Server Edition, starting with driver R580 TRD1. TEE functionality is currently available only for the Server Edition, while the Workstation and Max-Q Editions are expected to add support in future releases. Super plans to validate this release in upcoming tests. For now, the available information is based on NVIDIA’s official documentation.

The release of RTX PRO 6000 Blackwell Server Edition makes TEE support much more flexible in various topologies.

Currently, only the SPT CC mode is supported. However, it is expected that TEE workloads will no longer be restricted to the systems with only 1 or 8 GPUs. Blackwell-based systems like RTX Pro 6000, which do not include NVLink, allow 1 to 8 GPUs (1, 2, 3, 4, 5, 6, 7, or 8) to operate in a single TEE instance, provided all components meet Confidential Computing requirements. The efficiency of some configurations (e.g., 2 or 3 GPUs) is still to be evaluated.
It is also expected that TEE and non-TEE VMs can operate together within the same system, following specific setup instructions.

RTX PRO 6000 Blackwell servers will be available in three editions: Server Edition, Workstation Edition, and Max-Q Workstation Edition. All editions are expected to support Bounce Buffer Confidential Computing, once the necessary drivers are released. Hardware and platform requirements may vary by edition.

3. Intel CPU Support for TEE

⚠️ 4th Gen Intel Xeon (Sapphire Rapids)
Intel supplied 4th Gen Xeon CPUs with TDX support exclusively to Google Cloud Platform, Microsoft Azure, IBM, and Alibaba. Only these cloud providers can offer instances with TEE-enabled 4th Gen Intel Xeon CPUs. All 4th Gen Intel Xeon CPUs from any other sources (cloud providers, OEMs, etc.) do not support Intel TDX.

✅ For all other cases, TDX support begins with the 5th Gen Xeon (Emerald Rapids) and newer — including Sierra Forest, Granite Rapids, and beyond.

However, Intel TDX support alone may not be sufficient for NVIDIA GPU TEE workloads. NVIDIA certifies platforms based on CPU generation (among other factors), and in some cases, OEMs support only specific CPU models (SKUs) to ensure proper functionality in GPU TEE mode.

Note: These compatibility requirements apply to both Intel TDX and AMD SEV-SNP based systems.

4. Certification vs Functioning

NVIDIA certifies platforms based on public upstream Long-Term Support (LTS) Linux kernels.
The formal qualification and certification process depends on features being upstreamed, and since Confidential Computing was only recently added, official GPU+CPU TEE certifications are not yet available. Updates to the certified configuration list are expected in the coming months.

For validated information, always refer to NVIDIA’s official qualification and certification catalog.

In the meantime, NVIDIA has published several articles outlining which GPU and CPU combinations are capable of supporting NVIDIA Confidential Computing.

Based on this information, our compatibility table of OEM server models supporting GPU+CPU TEE includes two categories:

Supported (Unofficial): Referenced in NVIDIA articles as GPU TEE-capable, but not yet officially certified.
Likely Supported: Not explicitly referenced by NVIDIA, configurations meet key requirements for GPU TEE and show strong indicators of compatibility.

5. OEM Validation Practices

OEMs are not required to conduct separate testing for TEE mode. While OEMs may not officially validate systems for TEE configurations, they often limit available configurations to those more likely to function reliably, especially in scenarios involving TEE workloads.

Additionally, many OEMs confirm that if TEE is part of the GPU feature set and all components meet the necessary requirements, TEE functionality is expected to work as intended.

Note: However, caution is advised with brand-new server models that have not yet been widely tested in the field. We’ve encountered cases where a newly launched system did not meet the OEM’s own standards for TEE readiness and required additional adjustments or testing. Actual outcomes may vary depending on the OEM and their internal validation processes.

Until formal certification is available — or the system has proven field use in TEE mode — testing the full configuration in a real or pilot environment remains the most reliable way to confirm compatibility.

6. System Configuration Matters

⚠️ Always consult directly with your OEM or hardware reseller to verify that your specific system configuration (including BIOS/Firmware versions, memory (DIMMs) and OS validation) fully meets the requirements for Intel TDX, AMD SEV-SNP, NVIDIA GPU TEE, and your intended confidential computing workloads.

In some cases, ODMs had TEE-related BIOS settings hidden by default, making it impossible to enable TEE on otherwise compatible CPUs (AMD SEV-SNP in our case) — simply because TEE was not part of their expected use case. It can be solved but requires extra effort and time.

⚠️ Some cloud providers claimed to offer Intel TDX-enabled instances, but the required DIMM configuration (i.e., main memory setup) was not met, preventing TEE mode from being properly enabled.

As a result, the instance could not be used in TEE mode until it was replaced with the correctly configured memory setup.
In some cases, it was not possible at all due to unavailable memory options, or required revising quote commits since the configuration fell outside standard offerings.

7. Unsupported Configurations

The configurations below are not compatible for use in TEE mode in their current form.

❌ GPU Configurations:

⚠️ (Temporarily) RTX PRO 6000 Blackwell Workstation and Max-Q Editions - until drivers are released. TEE functionality is currently available only for the RTX PRO 6000 Blackwell Server Edition, while the Workstation and Max-Q Editions are expected to add support in future releases.
B300 TEE enablement dates are not yet available
72 GPU setups.
HGX 8 GPU PCIe systems. NVSwitches must be present instead of PCIe switches for the topology checks to be passed. As a result, PCIe cards with bridges will not pass PPCIe attestation.
DGX H100 (4th Gen Intel Xeon SKUs (non-TEE) and 8 x H100 (TEE-capable) → Incompatible with TEE mode.
NVIDIA Grace CPU: While Blackwell and Hopper GPUs can operate in TEE mode, TEE requires a TEE-capable CPU. The current NVIDIA Grace CPUs do not support TEE, as they were developed and released before ARM finalized its hardware-based TEE technology (CCA).
- GH200 Grace Hopper Superchip: Combines 1 Hopper GPU (TEE-capable) with 1 Grace CPU (non-TEE) → Incompatible with TEE mode.
- NVIDIA GB200 NVL2: Combines 2 Blackwell GPUs with two Grace CPUs (non-TEE) → Incompatible with TEE mode.
- NVIDIA GB200 NVL72: Combines 72 Blackwell GPUs with two Grace CPUs (non-TEE) → Incompatible with TEE mode.
HGX B100 Systems. Although some OEMs offer such systems, for planning and compatibility purposes, we focus only on officially announced products by NVIDIA, such as HGX B200 and B300, which come with publicly available guides and reference documentation.

❌ CPU Configurations (when paired with GPU TEEs):

4th Gen Intel Xeon Scalable CPUs (aka Sapphire Rapids) — if not offered by Google Cloud Platform, Microsoft Azure, IBM, or Alibaba — these CPUs do not support Intel TDX and cannot be used for confidential computing with GPU TEEs.
AMD EPYC Milan (7xx3 series) with basic SEV-SNP support. Super Protocol supports only AMD SEV-SNP starting from AMD Genoa CPUs, which align with its security requirements for decentralized architectures.
NVIDIA Grace CPUs: Current models lack TEE support, making them incompatible with GPU TEE requirements.

8. More about NVIDIA's Confidential Computing mode

Secure AI Compatibility Matrix: supported combinations of NVIDIA GPUs, VBIOS versions, CUDA driver versions, and Confidential Computing modes.
Confidential Computing General Access on NVIDIA H100 Tensor Core GPUs; H100 PCle and H100 NVL form factors.
Confidential Computing on NVIDIA Hopper H100 PCIe and HGX H100 8-GPU.
Secure AI General Availability on NVIDIA HGX H100 8-GPU and NVIDIA HGX H200 8-GPU.
Blackwell TEE: NVIDIA Talk & Slides
NVIDIA Vera Rubin NVL72