The Invisible Attack Surface: Securing the Linux AI Inference Supply Chain

The Invisible Attack Surface: Verifying the Linux AI Inference Supply Chain from Kernel Modules to Model Weights

Modern AI inference servers on Linux are no longer a single application. A typical vLLM or SGLang deployment depends on the Linux kernel, GPU kernel modules, CUDA, NCCL, PyTorch, Triton, container images, model weights, tokenizers, and optional LoRA adapters. Each layer is part of the runtime trust chain, but today most operators cannot prove what is actually running once the service is live.

This talk presents an open-source prototype for AI inference supply-chain verification on Linux. The system generates an AI-aware SBOM, records runtime provenance, verifies OCI image signatures with Sigstore and cosign, checks model weight hashes, inspects GPU kernel modules, and detects tampered artifacts in a live vLLM deployment.

The goal is simple: extend Linux supply chain security practices to the AI inference stack, from operating system components to model artifacts.
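The abstract lists two checks that are easy to show concretely: pinning model artifacts (weight shards, tokenizer, LoRA adapters) to SHA-256 hashes and re-verifying them on the live host, and comparing the loaded kernel modules against an allowlist. The following is an added illustration written for this page, not the speaker's prototype; the directory layout, the `/proc/modules` excerpt and the `gpu_hook` module name are constructed sample data, and the NVIDIA allowlist is an assumption about a typical host. Signature verification of OCI images with cosign is not covered here.

```python
"""Added example: artifact-integrity and kernel-module checks for an inference host.

Hypothetical code for illustration, not the talk's prototype. It verifies model
artifacts against a pinned SHA-256 manifest and flags loaded kernel modules that
are not on an allowlist, two of the checks the abstract describes.
"""
import hashlib
import json
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB reads so multi-GB weight shards never sit in RAM at once


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: str, rel_paths: list[str]) -> dict[str, str]:
    """Pin artifacts at deploy time: relative path -> sha256 (the trusted record)."""
    return {rel: sha256_file(os.path.join(root, rel)) for rel in rel_paths}


def verify_manifest(root: str, manifest: dict[str, str]) -> dict[str, str]:
    """Re-hash every pinned artifact on the live host.

    Status per artifact: "ok", "tampered" (hash mismatch) or "missing" (file gone).
    Files on disk that the manifest never pinned are reported as "unpinned", so a
    silently dropped-in adapter is not overlooked.
    """
    status = {}
    for rel, expected in manifest.items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            status[rel] = "missing"
        elif sha256_file(path) != expected:
            status[rel] = "tampered"
        else:
            status[rel] = "ok"
    for dirpath, _, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if rel not in manifest:
                status[rel] = "unpinned"
    return status


def unexpected_modules(proc_modules_text: str, allowlist: set[str]) -> list[str]:
    """Parse /proc/modules-style text and return loaded modules not on the allowlist.

    Each /proc/modules line reads: name size refcount deps state address.
    Only the first column matters here.
    """
    loaded = [line.split()[0] for line in proc_modules_text.splitlines() if line.strip()]
    return sorted(m for m in loaded if m not in allowlist)


def demo() -> tuple[dict[str, str], list[str]]:
    """Constructed end-to-end run: pin, tamper, re-verify; then inspect modules."""
    with tempfile.TemporaryDirectory() as root:
        files = {  # constructed stand-ins for real artifacts
            "model-00001-of-00002.safetensors": b"\x00" * 4096,
            "tokenizer.json": b'{"version": "1.0"}',
            "adapters/lora-a/adapter_model.safetensors": b"\x01" * 512,
        }
        for rel, data in files.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        manifest = build_manifest(root, list(files))

        # Simulate drift after pinning: one byte appended to the tokenizer and an
        # adapter that nobody recorded in the manifest.
        with open(os.path.join(root, "tokenizer.json"), "ab") as f:
            f.write(b"\n")
        with open(os.path.join(root, "adapters/lora-b.safetensors"), "wb") as f:
            f.write(b"\x02" * 64)
        artifact_status = verify_manifest(root, manifest)

    # Constructed /proc/modules excerpt; "gpu_hook" is a made-up name standing in
    # for any module that is loaded but was never approved.
    proc_modules = (
        "nvidia_uvm 1536000 2 - Live 0x0000000000000000\n"
        "nvidia 56000000 40 nvidia_uvm, Live 0x0000000000000000\n"
        "gpu_hook 16384 0 - Live 0x0000000000000000\n"
    )
    allow = {"nvidia", "nvidia_uvm", "nvidia_modeset", "nvidia_drm"}  # assumed allowlist
    return artifact_status, unexpected_modules(proc_modules, allow)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On a real host the manifest would be produced once at deploy time from the artifacts the SBOM lists, stored outside the model directory, and `verify_manifest` run periodically or on container start; reading `/proc/modules` directly replaces the constructed excerpt. The "unpinned" state matters as much as "tampered": a LoRA adapter that was never recorded is exactly the kind of artifact a hash-only check would otherwise ignore.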

Sai Sravan Cherukuri

Open Source Enthusiast and DevSecOps Architect
