It’s kinda hard to find out from this website who do you trust in this model. I think the answer is that you trust the hardware manufacturer: the initial attestation uses private key built into the hardware, and NVIDIA could, in principle, have a copy of that key.<p>A bigger question is where is the source code for enclave containers. They have a lot of repos on their GitHub, but it’s really not clear how to use it to reproduce their images.