diff --git a/Chart.yaml b/Chart.yaml
index ec3226d..8f6cb49 100644
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -7,4 +7,4 @@ keywords:
 - confidential-containers
 name: trustee
 # DO NOT EDIT VERSION HERE, IT IS AUTO-GENERATED BY SEMANTIC-RELEASE
-version: 0.3.2
+version: 0.3.3
diff --git a/README.md b/README.md
index f462935..83b21de 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
 # trustee
 
-![Version: 0.3.2](https://img.shields.io/badge/Version-0.3.2-informational?style=flat-square)
+![Version: 0.3.3](https://img.shields.io/badge/Version-0.3.3-informational?style=flat-square)
 
 A Helm chart to provide an opinionated deployment of Trustee in a validated pattern
 
@@ -34,6 +34,7 @@ In order to use this chart, you will need to:
 | kbs.admin.format | string | `"v1.0"` |  |
 | kbs.cosignKeys | string | `"secret/data/hub/coSignKeys"` |  |
 | kbs.extraSecrets | list | `[]` |  |
+| kbs.gpu.enabled | bool | `false` |  |
 | kbs.publicKey | string | `"secret/data/hub/kbsPublicKey"` |  |
 | kbs.secretResources[0].key | string | `"secret/data/hub/kbsres1"` |  |
 | kbs.secretResources[0].name | string | `"kbsres1"` |  |
diff --git a/templates/attestation-policy.yaml b/templates/attestation-policy.yaml
index dbf1660..6219e6c 100644
--- a/templates/attestation-policy.yaml
+++ b/templates/attestation-policy.yaml
@@ -53,4 +53,78 @@ data:
 
     configuration := 2 if {
       input["az-tdx-vtpm"]
-    }
\ No newline at end of file
+    }
+
+    ##### Baremetal TDX
+    executables := 3 if {
+      input["tdx"]
+      input.init_data in query_reference_value("init_data")
+    }
+    hardware := 2 if { input["tdx"] }
+    configuration := 2 if { input["tdx"] }
+
+    ##### Baremetal SNP
+    executables := 3 if {
+      input["snp"]
+      input.init_data in query_reference_value("init_data")
+    }
+    hardware := 2 if { input["snp"] }
+    configuration := 2 if { input["snp"] }
+    {{- if .Values.kbs.gpu.enabled }}
+
+    ##### GPU Attestation (NVIDIA H100/H200) — CPU-class evidence with GPU data
+    hardware := 2 if {
+      input["snp"]
+      input["gpu"]
+    }
+
+    executables := 3 if {
+      input["snp"]
+      input["gpu"]
+      input.init_data in query_reference_value("init_data")
+    }
+
+    configuration := 2 if {
+      input["snp"]
+      input["gpu"]
+    }
+    {{- end }}
+{{- if .Values.kbs.gpu.enabled }}
+  default_gpu.rego: |
+    package policy
+
+    import rego.v1
+
+    default hardware := 97
+    default executables := 33
+    default configuration := 36
+
+    trust_claims := {
+      "executables": executables,
+      "hardware": hardware,
+      "configuration": configuration,
+    }
+
+    hardware := 2 if {
+      input.nvidia
+      input.nvidia["x-nvidia-gpu-attestation-report-cert-chain"]["x-nvidia-cert-status"] == "valid"
+      input.nvidia["x-nvidia-gpu-attestation-report-parsed"]
+      input.nvidia["x-nvidia-gpu-attestation-report-signature-verified"]
+      input.nvidia["x-nvidia-gpu-arch-check"]
+    }
+
+    configuration := 2 if {
+      input.nvidia.secboot
+      input.nvidia.dbgstat == "disabled"
+    }
+
+    executables := 3 if {
+      input.nvidia["x-nvidia-gpu-driver-rim-fetched"]
+      input.nvidia["x-nvidia-gpu-driver-rim-schema-validated"]
+      input.nvidia["x-nvidia-gpu-driver-rim-signature-verified"]
+      input.nvidia["x-nvidia-gpu-vbios-rim-fetched"]
+      input.nvidia["x-nvidia-gpu-vbios-rim-schema-validated"]
+      input.nvidia["x-nvidia-gpu-vbios-rim-signature-verified"]
+      input.nvidia.measres == "success"
+    }
+{{- end }}
\ No newline at end of file
diff --git a/templates/kbs-config-map.yaml b/templates/kbs-config-map.yaml
index 177963e..186a3d5 100644
--- a/templates/kbs-config-map.yaml
+++ b/templates/kbs-config-map.yaml
@@ -52,6 +52,11 @@ data:
     [attestation_service.rvps_config.storage]
     type = "LocalJson"
     file_path = "/opt/confidential-containers/rvps/reference-values/reference-values.json"
+    {{- if .Values.kbs.gpu.enabled }}
+
+    [attestation_service.verifier_config.nvidia_verifier]
+    type = "Remote"
+    {{- end }}
 
     [[plugins]]
     name = "resource"
diff --git a/templates/resource-policy.yaml b/templates/resource-policy.yaml
index 2b5851e..56d8a47 100644
--- a/templates/resource-policy.yaml
+++ b/templates/resource-policy.yaml
@@ -12,7 +12,15 @@ data:
     import rego.v1
 
     default allow := false
+    {{- if not .Values.kbs.gpu.enabled }}
 
     allow if {
       input["submods"]["cpu0"]["ear.status"] == "affirming"
-    }
\ No newline at end of file
+    }
+    {{- else }}
+
+    allow if {
+      input["submods"]["cpu0"]["ear.status"] == "affirming"
+      input["submods"]["gpu0"]["ear.status"] == "affirming"
+    }
+    {{- end }}
\ No newline at end of file
diff --git a/templates/rvps-values-policies.yaml b/templates/rvps-values-policies.yaml
index 3ea586f..212f4b9 100644
--- a/templates/rvps-values-policies.yaml
+++ b/templates/rvps-values-policies.yaml
@@ -21,12 +21,29 @@ spec:
         object-templates-raw: |
           {{`{{- $pcr8Hash := fromConfigMap "imperative" "initdata" "PCR8_HASH" -}}`}}
           {{`{{- $debugPcr8Hash := fromConfigMap "imperative" "debug-initdata" "PCR8_HASH" -}}`}}
-          {{`{{- $secretData := (lookup "v1" "Secret" "trustee-operator-system" "pcr-stash").data.json | base64dec | fromJson -}}`}}
+          {{`{{- $rawHash := fromConfigMap "imperative" "initdata" "RAW_HASH" -}}`}}
+          {{`{{- $debugRawHash := fromConfigMap "imperative" "debug-initdata" "RAW_HASH" -}}`}}
+          {{`{{- $rawHashPadded := printf "%s00000000000000000000000000000000" $rawHash -}}`}}
+          {{`{{- $debugRawHashPadded := printf "%s00000000000000000000000000000000" $debugRawHash -}}`}}
+          {{`{{- $referenceValues := list (dict "name" "init_data" "expiration" "2027-12-12T00:00:00Z" "value" (list $pcr8Hash $debugPcr8Hash $rawHashPadded $debugRawHashPadded)) -}}`}}
+          {{`{{- $pcrStash := (lookup "v1" "Secret" "trustee-operator-system" "pcr-stash") -}}`}}
+          {{`{{- if $pcrStash -}}`}}
+          {{`{{- $secretData := $pcrStash.data.json | base64dec | fromJson -}}`}}
           {{`{{- $pcr03 := $secretData.measurements.sha256.pcr03 -}}`}}
           {{`{{- $pcr09 := $secretData.measurements.sha256.pcr09 -}}`}}
           {{`{{- $pcr11 := $secretData.measurements.sha256.pcr11 -}}`}}
           {{`{{- $pcr12 := $secretData.measurements.sha256.pcr12 -}}`}}
-          {{`{{- $referenceValues := list (dict "name" "snp_pcr03" "expiration" "2027-12-12T00:00:00Z" "value" (list $pcr03)) (dict "name" "tdx_pcr03" "expiration" "2027-12-12T00:00:00Z" "value" (list $pcr03)) (dict "name" "snp_pcr08" "expiration" "2027-12-12T00:00:00Z" "value" (list $pcr8Hash $debugPcr8Hash)) (dict "name" "tdx_pcr08" "expiration" "2027-12-12T00:00:00Z" "value" (list $pcr8Hash $debugPcr8Hash)) (dict "name" "snp_pcr09" "expiration" "2027-12-12T00:00:00Z" "value" (list $pcr09)) (dict "name" "tdx_pcr09" "expiration" "2027-12-12T00:00:00Z" "value" (list $pcr09)) (dict "name" "snp_pcr11" "expiration" "2027-12-12T00:00:00Z" "value" (list $pcr11)) (dict "name" "tdx_pcr11" "expiration" "2027-12-12T00:00:00Z" "value" (list $pcr11)) (dict "name" "snp_pcr12" "expiration" "2027-12-12T00:00:00Z" "value" (list $pcr12)) (dict "name" "tdx_pcr12" "expiration" "2027-12-12T00:00:00Z" "value" (list $pcr12)) -}}`}}
+          {{`{{- $referenceValues = append $referenceValues (dict "name" "snp_pcr03" "expiration" "2027-12-12T00:00:00Z" "value" (list $pcr03)) -}}`}}
+          {{`{{- $referenceValues = append $referenceValues (dict "name" "tdx_pcr03" "expiration" "2027-12-12T00:00:00Z" "value" (list $pcr03)) -}}`}}
+          {{`{{- $referenceValues = append $referenceValues (dict "name" "snp_pcr08" "expiration" "2027-12-12T00:00:00Z" "value" (list $pcr8Hash $debugPcr8Hash)) -}}`}}
+          {{`{{- $referenceValues = append $referenceValues (dict "name" "tdx_pcr08" "expiration" "2027-12-12T00:00:00Z" "value" (list $pcr8Hash $debugPcr8Hash)) -}}`}}
+          {{`{{- $referenceValues = append $referenceValues (dict "name" "snp_pcr09" "expiration" "2027-12-12T00:00:00Z" "value" (list $pcr09)) -}}`}}
+          {{`{{- $referenceValues = append $referenceValues (dict "name" "tdx_pcr09" "expiration" "2027-12-12T00:00:00Z" "value" (list $pcr09)) -}}`}}
+          {{`{{- $referenceValues = append $referenceValues (dict "name" "snp_pcr11" "expiration" "2027-12-12T00:00:00Z" "value" (list $pcr11)) -}}`}}
+          {{`{{- $referenceValues = append $referenceValues (dict "name" "tdx_pcr11" "expiration" "2027-12-12T00:00:00Z" "value" (list $pcr11)) -}}`}}
+          {{`{{- $referenceValues = append $referenceValues (dict "name" "snp_pcr12" "expiration" "2027-12-12T00:00:00Z" "value" (list $pcr12)) -}}`}}
+          {{`{{- $referenceValues = append $referenceValues (dict "name" "tdx_pcr12" "expiration" "2027-12-12T00:00:00Z" "value" (list $pcr12)) -}}`}}
+          {{`{{- end -}}`}}
           - complianceType: mustonlyhave
             objectDefinition:
               apiVersion: v1
diff --git a/templates/tdx-config.yaml b/templates/tdx-config.yaml
index d854da1..dcf8db2 100644
--- a/templates/tdx-config.yaml
+++ b/templates/tdx-config.yaml
@@ -9,6 +9,7 @@ metadata:
 data:
   sgx_default_qcnl.conf: |
     {
-      "collateral_service": "{{ .Values.kbs.tdx.collateralService }}"
+      "collateral_service": "{{ .Values.kbs.tdx.collateralService }}",
+      "use_secure_cert": false
     }
 {{- end }}
diff --git a/values.yaml b/values.yaml
index 7d2e1af..0df9564 100644
--- a/values.yaml
+++ b/values.yaml
@@ -48,6 +48,10 @@ kbs:
   # exist in the trustee-operator-system namespace.
   extraSecrets: []
 
+  # NVIDIA GPU confidential computing configuration
+  gpu:
+    enabled: false
+
   # Intel TDX (Trust Domain Extensions) configuration
   tdx:
     # Enable TDX attestation support