From H100 to B200: How the GPU Data-Security Gap Extends Across the NVIDIA Lineage
By GPU Resource Editorial Staff
A follow-up to “Enterprise AI GPU Data Security at End-of-Life — Part 1: Hardware Architecture and Per-Layer Sanitization” — the same architectural constraints apply to H200, GH200, and the Blackwell generation, with rising value-at-risk per unit.
GPU Resource, in partnership with Cirkadis | June 2026 | Part 3
Research conducted by GPU Resource in partnership with Cirkadis, a leading aftermarket processor of GPUs. Cirkadis is a sponsor company to GPU Resource.
In the preceding article, “Enterprise AI GPU Data Security at End-of-Life — Part 1: Hardware Architecture and Per-Layer Sanitization,” we examined how the data security profile of retired NVIDIA A100 and H100 enterprise AI GPUs created a structural gap for independent ITADs — one that drives risk-averse compliance teams toward physical destruction rather than remarketing. The architectural facts (VBIOS in non-volatile SPI NOR flash; HBM as volatile DRAM; BMC as a persistent management surface with credentials, network topology, and audit logs), combined with NVIDIA’s commercial structure (firmware updates gated behind active Enterprise Support entitlements that do not transfer with the asset), meant that the most defensible 3rd-party sanitization workflow required either client cooperation pre-transfer or NVIDIA-certified partner involvement.
That analysis was deliberately scoped to A100 and H100 because those generations dominate the current secondary-market footprint. The architectural and commercial constraints identified, however, are not specific to those models. They are intrinsic to NVIDIA’s data-center GPU product line, and they extend forward — without modification — through the H200, GH200 Grace Hopper, and the entire Blackwell generation now entering deployment. This brief follow-up summarizes what changes (and what does not) as the analysis extends across the broader lineage.
Same Architecture, More Memory, Higher Stakes
H200 SXM 141GB and H200 NVL 141GB
The H200 uses the same GH100 die as the H100 — the SXM variant simply replaces HBM3 (80GB) with HBM3e (141GB), and the NVL variant carries that into a PCIe form factor with NVLink pairing. From a sanitization standpoint, this is the H100 case unchanged in every architectural respect. The VBIOS firmware lives in the same SPI NOR flash, managed by the same nvfwupd toolchain. The HBM is HBM3e instead of HBM3 — still volatile DRAM, still clears at power-off, still satisfies IEEE 2883 Purge via physics alone. The BMC is the same baseboard component with the same data-residency profile. NVIDIA documents the H200 firmware updates in the same DGX H100/H200 Firmware Update Guide [1] — one toolchain, one Enterprise Support Portal distribution, one entitlement gate. The three-paths framework from the prior article applies without modification.
What changes is the value-at-risk.
A retired H100 SXM trades for $15K–$28K in the current secondary market.
Source: GPU Resource Market Pulse Tool
A retired H200 SXM, when it begins moving through the aftermarket, will trade meaningfully higher given its larger memory capacity and more recent silicon generation [7]. The economic stakes of a shred-rather-than-remarket decision scale accordingly.
GH200 Grace Hopper
The GH200 superchip integrates an H100-class GPU with NVIDIA’s Grace ARM CPU on a single SXM module, paired with 96 GB of HBM3 and 480 GB of LPDDR5 system memory. From the perspective of GPU sanitization, this adds two complications. First, the LPDDR5 system memory is also volatile DRAM and clears at power-off — no additional sanitization burden, but a larger memory footprint to account for in any documented evidence chain. Second, the Grace ARM CPU has its own firmware surface — boot firmware, microcode, management interfaces — distinct from the GPU’s VBIOS. NVIDIA’s firmware update tooling covers both, but the ITAD’s chain-of-custody documentation must now account for both. The Enterprise Support Portal entitlement gate applies identically.
B100 and B200 (Blackwell)
The Blackwell generation is where the picture starts to diverge mechanically while remaining identical in spirit. The B100 and B200 use the same SXM6 form factor, both with 192 GB of HBM3e memory across eight stacks. The fundamental architectural facts — non-volatile VBIOS, volatile HBM, persistent BMC — hold. Three differences are worth flagging:
- The BMC firmware base changed. Older DGX systems (DGX-1 through DGX A100) used AMI BMC firmware, which was the subject of NVIDIA Security Bulletin 5010 (October 2020) and subsequent advisories. The DGX B200 uses openBMC, the open-source baseboard management framework. This is an active vulnerability surface in its own right: NVIDIA disclosed CVE-2024-57258 and CVE-2024-57256 in early 2025, both u-boot vulnerabilities in the openBMC firmware used in DGX B200 [2].
- The HMC (Hopper/Blackwell Management Controller) is a related but distinct firmware layer on HGX baseboards, covered alongside BMC in NVIDIA Security Bulletin 5692 (September 2025) [3] — and explicitly applies across DGX and HGX systems, meaning H100, H200, and B-series platforms all share the management-controller vulnerability surface.
- The DGX B200 Firmware Update Guide [4] confirms the same nvfwupd toolchain, the same .fwpkg distribution model, and the same Enterprise Support Portal access requirement. The entitlement gate identified in the prior article is reaffirmed for Blackwell.
The B200A is a PCIe air-cooled variant of the B200 with the same memory specs, intended for less power-dense deployments. As a PCIe card, it carries the same partial OEM-channel access profile described in the prior article’s “Form-Factor Split” section — Dell, HPE, and Supermicro distribute their own firmware update packages, and Dell’s H100 PCIe pattern (public driver portal, no entitlement gate) is likely to extend to the B200A through the same OEM channels as those vendors mature their Blackwell offerings.
The GB200 superchip combines a B200 GPU with a Grace ARM CPU, mirroring the GH200 pattern with the newer-generation silicon. The GB200 NVL72 rack-scale system packages 72 B200 GPUs across 36 superchips in a single liquid-cooled rack. From a sanitization perspective, the GB200 NVL72 represents the highest-value asset class in the current product line — a single rack carries multiple millions of dollars of recoverable inventory [7], and the access-problem framework applies to every GPU and management controller within it.
What This Means for the ITAD Aftermarket
The three structural facts from the prior article hold across the lineage:
- Firmware update tooling for the GPU layer is nvfwupd, distributed through the NVIDIA Enterprise Support Portal, which requires an active support entitlement that does not transfer with the asset. This is true for H100, H200, GH200, B100, B200, B200A, and GB200 alike.
- The audit-trail-vs-bytes compliance distinction — that IEEE 2883 and R2v3 Appendix B require documented sanitization by an entitled actor — is unchanged.
- The form-factor split (DGX-form-factor fully gated; PCIe variants with partial OEM-channel access) extends to PCIe variants across the lineage (H100 PCIe, H200 NVL, B200A) — and Dell’s pattern of publishing signed VBIOS firmware on its public driver portal without login or warranty entitlement is the most accessible 3rd-party reflash path the broader OEM ecosystem currently offers.
What changes is the scale. The Blackwell generation entering deployment now will reach the secondary market with per-unit values 2-4× higher than the H100 footprint [7], and the GB200 NVL72 rack systems will carry per-asset values orders of magnitude beyond a single GPU. The economic stakes of unresolved sanitization friction are rising as the installed base grows.
Public security advisories from NVIDIA in 2024 and 2025 — covering openBMC u-boot vulnerabilities in DGX B200, FSP code vulnerabilities in the vBIOS firmware of DGX H100/H200 [5], and HMC/BMC vulnerabilities across DGX and HGX systems generally — confirm that the firmware-layer attack surface remains active across the lineage, not retroactively addressed in older generations alone.
Bottom Line
The three-paths framework described in the prior article (Path 1: client-performed pre-transfer sanitization; Path 2: ITAD-as-agent at client site; Path 3: asset-and-firmware bundled transfer for ITAD execution) is the operative practical guidance for H200, GH200, and Blackwell-generation enterprise AI GPUs without modification. Independent ITADs and their clients should treat the lineage applicability as confirmed and prepare their intake-documentation practices, sanitization workflows, and chain-of-custody documentation to accommodate the broader product line — including the new value-at-risk levels that come with it.
The case for NVIDIA, the established media-sanitization standards bodies, and the ITAD certification authorities to converge on a documented enterprise AI GPU sanitization workflow is strengthened, not diminished, by the lineage extension. GPU Resource and Cirkadis continue to engage with the relevant parties on a structured response.
Sources
[1] NVIDIA DGX H100/H200 Firmware Update Guide — docs.nvidia.com/dgx/dgxh100-fw-update-guide/
[2] NVIDIA Security Advisory: u-boot vulnerabilities in openBMC firmware for DGX B200 (CVE-2024-57258, CVE-2024-57256) — disclosed early 2025
[3] NVIDIA Security Bulletin 5692 (September 2025): NVIDIA DGX and HGX HMC and BMC — nvidia.custhelp.com/app/answers/detail/a_id/5692
[4] NVIDIA DGX B200 Firmware Update Guide — docs.nvidia.com/dgx/dgxb200-fw-update-guide/
[5] NVIDIA Security Advisory: FSP code vulnerabilities in vBIOS firmware for DGX H100/H200 (CVE-2025-23302, CVE-2025-23301)
[6] GPU Resource — NVIDIA Datacenter GPU Lineage reference: gpuresource.com/nvidia-datacenter-gpu-lineage/
[7] GPU Resource — GPU Market Pulse pricing tool, real-time secondary-market and refurbished pricing data for NVIDIA data-center GPUs: gpuresource.com/gpu-pulse/gpu-market-pulse-tool/
Coming Next
Coming next — The Other Certificate: GPU Performance Grading as ITAD Due Diligence. Certifying that a GPU is clean is not the same as certifying that it works. The next piece turns from data security to performance integrity — how enterprise GPUs degrade under sustained AI workloads, what the permanent ECC, page-retirement, and XID records reveal, and how NVIDIA’s DCGM diagnostics let an ITAD grade a card’s health before it returns to the secondary market.
