
"Unfortunately, all Nvidia GPUs since recent years have VBIOS digital signature checks, making VBIOS modification impossible"

This is not necessarily true. As seen with Android devices, you can force digital signature checking mechanisms by varying voltage levels in order to get the device to completely skip the checks as if they were never there.

https://research.nccgroup.com/2020/10/15/theres-a-hole-in-yo...

I'm sure a similar strategy could be developed here.




> I'm sure a similar strategy could be developed here.

Slow down there. Glitching is almost never a practical long term strategy. It can take hours (or even days, depending on the target) to successfully bypass a check just once without other follow on effects. Glitching is useful if you need to bypass some mitigation once, such as to extract cryptographic keys, but it's not something you want to do every time you turn on your PC. Glitching gets substantially less reliable with every passing generation due to scaling (increased density/lower Vth increases the odds that you'll corrupt something else, particularly with EM fault injection) and design complexity (glitching out-of-order cores is a HUGE pain).


Well, I believe there are some modified versions of nvflash floating around that'll let you flash anything with a valid signature.

Of course, the only things that'll POST are going to be just other vendor images from the same card model, usually. (For different power limits, usually.)


Glitching almost always requires removing capacitors. Good enough for dumping things out of a device once or twice. But GPUs that consume hundreds of watts will not be stable without those bypass capacitors.

So, sure, you can skip the verification checks, but your GPU won't be stable enough to be useful for anything.


Isn't the flash chip on Nvidia boards a generic thing that someone could buy themselves, flash using existing EEPROM writing gear, then solder onto the board?

Also, as the chip and board here seem like an A100 reference design, using an A100 VBIOS image shouldn't fail any signature checks.


Probably, but the A100 BIOS probably can detect it is running on something other than an A100 and bail.

The lack of memory would be the most obvious difference. The A100 has 80GB, this has 8GB.

And I really suspect Nvidia probably has some way of explicitly locking a chip to a given product ID, like efuses that the BIOS firmware can check on boot.


You can just buy the same chip if someone somehow decided to check the random flash chip vendor.

A more sensible way of stopping that would be writing the EEPROM with an encrypted key burned into the GPU itself, but I doubt NVIDIA bothered; the money loss for the few people willing enough to take their GPU apart to replace a chip is insignificant.


Yes, but the public key and product ID for the verification is in the GPU, not the external flash.
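An added example, not code from this thread or from Nvidia: a toy model of the check the comment above describes, where the product ID and verification key live in the die (efuse/ROM) and the image sits in interchangeable external flash. HMAC-SHA256 stands in for the real asymmetric signature so it runs with the standard library only; the product ID, key and image layout are constructed values, not Nvidia's.

```python
import hashlib
import hmac
import struct

# Constructed stand-ins for values fixed in the die, not in the flash chip.
# A real design holds a public key (or its hash) in ROM/efuses; HMAC is used
# here only so the example runs offline with the standard library.
DIE_PRODUCT_ID = 0x20B0                 # hypothetical efuse value
DIE_VERIFY_KEY = b"constructed-root-key" # hypothetical root-of-trust key
TAG_LEN = 32

# Image header: magic, product ID the image is signed for, payload length.
# The product ID is inside the signed region, so it cannot be patched
# in the external flash without invalidating the signature.
HEADER = struct.Struct(">4sHI")


def sign_image(product_id: int, payload: bytes, key: bytes = DIE_VERIFY_KEY) -> bytes:
    """Vendor side: produce header || payload || tag (tag covers header+payload)."""
    header = HEADER.pack(b"VBIO", product_id, len(payload))
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def verify_image(image: bytes, die_product_id: int = DIE_PRODUCT_ID,
                 die_key: bytes = DIE_VERIFY_KEY) -> str:
    """Boot ROM side: check the flash image against values fused in the die."""
    if len(image) < HEADER.size + TAG_LEN:
        return "reject: truncated"
    magic, pid, length = HEADER.unpack_from(image)
    if magic != b"VBIO" or len(image) != HEADER.size + length + TAG_LEN:
        return "reject: malformed header"
    body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    expected = hmac.new(die_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return "reject: bad signature"      # replaced or tampered flash contents
    if pid != die_product_id:
        return "reject: product id mismatch"  # validly signed, but for another SKU
    return "boot"


if __name__ == "__main__":
    same_sku = sign_image(DIE_PRODUCT_ID, b"firmware")
    other_sku = sign_image(DIE_PRODUCT_ID + 1, b"firmware")  # e.g. a stock image for a different SKU
    print(verify_image(same_sku), "/", verify_image(other_sku))
```

Swapping the flash chip changes none of the inputs the die uses, which is why a genuinely signed image for a different SKU still fails at the product ID comparison.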


Ahhh. That sucks then. :/



