Confidential Compute
One attestation verifier, orthogonal hardware Kinds — TEE/GPU remote attestation for custody and confidential AI on Lux
Confidential Compute & Attestation
Lux runs a single attestation primitive — luxfi/cc (github.com/luxfi/cc,
package attest) — that verifies hardware-rooted remote attestation evidence
from CPUs and GPUs. One Verifier, a set of orthogonal hardware Kinds.
Everything that needs to prove "this code ran inside genuine, measured
confidential hardware" goes through it: the MPC custody release gate, the
optional TEE custody extension, and the confidential-AI / proof-of-AI control
plane.
Attestation is its own orthogonal concern. luxfi/cc depends on none of
its consumers — not luxfi/mpc, not luxfi/tee, not the AI stack. They
depend on it. This is the decomplected seam: one verifier, many callers.
One Verifier, Orthogonal Kinds
A Kind tags the evidence framing the verifier dispatches to. The caller
supplies the Kind out-of-band (e.g. from an envelope's framing field), so the
verifier never guesses from byte heuristics.
```go
// github.com/luxfi/cc/attest
type Verifier interface {
	Verify(ctx context.Context, evidence []byte, opts ...Option) (*VerifiedReport, error)
}

// Dispatch routes evidence to the verifier registered for kind.
func Dispatch(ctx context.Context, kind Kind, evidence []byte, opts ...Option) (*VerifiedReport, error)
```

Verify means all of: the bytes parse as the claimed Kind, the signing key
chains to the pinned vendor root, the report signature is cryptographically
valid, and any caller-supplied policy options pass. On any failure the error is
non-nil and the report pointer is nil — callers must refuse the originating
request. A failed verify never falls back to "best effort".
Hardware Vendor Matrix
The verifier is a multi-Kind framework. The six vendors below are the full set
wired in released luxfi/cc v0.2.0 — every one a real verifier (no stubs),
verified against attest/{sev,tdx,sgx,nvtrust,nitro,armcca}.go with go test -race green.
| Kind (kind string) | Vendor | Hardware | Status | What is verified |
|---|---|---|---|---|
| KindSEVSNP (sev_snp) | AMD | SEV-SNP CPU | Production | Live VCEK fetch from AMD KDS; full ARK → ASK → VCEK chain + report-signature verify (google/go-sev-guest); 48-byte launch digest |
| KindTDX (tdx) | Intel | TDX CPU | Production | DCAP v4 quote via google/go-tdx-guest + Intel PCS; TCB + revocation enforced; measurement = SHA-384(MRTD ‖ RTMR0..3) |
| KindSGX (sgx) | Intel | SGX enclave | Production | Pure-Go DCAP ECDSA Quote v3; chains to the pinned genuine Intel SGX Root CA; MRENCLAVE |
| KindNVTrust (nvtrust) | NVIDIA | Confidential GPU | Production | SPDM device-cert chain to the pinned NVIDIA root + NVIDIA-signed RIM measurement match (local, cloud-free); EAT/NRAS remote path |
| KindARMCCA (arm_cca) | ARM | CCA Realms | Production | RATS CMW(tag-907)/EAT(tag-399) CBOR + COSE_Sign1; platform(CPAK) → realm(RAK) binding; RIM measurement |
| KindNitro (nitro) | AWS | Nitro Enclave | Production | COSE_Sign1 attestation doc; leaf P-384 → pinned AWS Nitro Root G1; PCR0 measurement |
All six are real verifiers as of v0.2.0. (At v0.1.0 only SEV-SNP and
nvtrust were live and TDX was a fail-loud stub; v0.2.0 made all six genuine.)
Dispatch is one registry: each Kind self-registers via func init() into a
single map, and Dispatch is a registry lookup (RegisteredVerifier) that
returns ErrUnsupportedKind for an unregistered Kind — there is no per-Kind
switch. Adding a vendor is one new file that registers a new Kind; no
caller changes.
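The registry contract described above, as an added, self-contained Go example written for this page (it is not code from luxfi/cc): a `Kind` type, a `Register`/`Dispatch` pair backed by one map, `ErrUnsupportedKind` for an unregistered Kind, and the fail-closed rule that an error always comes with a nil report. `KindToy`, `toyRoot`, `toyVerifier` and `MakeToyEvidence` are constructed stand-ins for a vendor verifier: the evidence format is invented, and a pinned HMAC key plays the role of the pinned vendor root so the block runs offline. `CompositeHash` is computed as the page defines it, `sha256(Kind || canonical-verified-bytes)`.

```go
package main

import (
	"bytes"
	"context"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Kind tags the evidence framing; the caller supplies it out-of-band.
type Kind string

// VerifiedReport is the kind-agnostic result of a successful verify.
type VerifiedReport struct {
	Kind          Kind
	Measurement   []byte
	ReportData    []byte
	CompositeHash [32]byte // sha256(Kind || canonical verified bytes): the logged root
}

// Verifier is what one hardware Kind registers.
type Verifier interface {
	Verify(ctx context.Context, evidence []byte) (*VerifiedReport, error)
}

var ErrUnsupportedKind = errors.New("attest: unsupported kind")

// registry is filled only from init() functions, before any Dispatch call.
var registry = map[Kind]Verifier{}

// Register panics on a duplicate Kind: silently replacing a verifier would
// amount to a trust-anchor swap, which must never happen quietly.
func Register(k Kind, v Verifier) {
	if _, dup := registry[k]; dup {
		panic(fmt.Sprintf("attest: kind %q registered twice", k))
	}
	registry[k] = v
}

// Dispatch is one map lookup, not a per-Kind switch. On any failure the report
// pointer is nil and the error is non-nil, so a caller can never act on a
// half-verified report.
func Dispatch(ctx context.Context, k Kind, evidence []byte) (*VerifiedReport, error) {
	v, ok := registry[k]
	if !ok {
		return nil, fmt.Errorf("%w: %q", ErrUnsupportedKind, k)
	}
	rep, err := v.Verify(ctx, evidence)
	if err != nil {
		return nil, err
	}
	return rep, nil
}

const KindToy Kind = "toy" // constructed stand-in for a vendor Kind

// toyRoot is KindToy's pinned trust anchor. A real Kind pins a vendor
// certificate chain; a constructed HMAC key keeps the example offline.
var toyRoot = []byte("constructed-pinned-root-key")

// Constructed evidence: hex(measurement[32])|hex(reportData[64])|hex(tag),
// tag = HMAC-SHA256(toyRoot, measurement || reportData).
type toyVerifier struct{}

func (toyVerifier) Verify(_ context.Context, evidence []byte) (*VerifiedReport, error) {
	parts := strings.Split(string(evidence), "|")
	if len(parts) != 3 {
		return nil, errors.New("toy: evidence does not parse as KindToy")
	}
	meas, errM := hex.DecodeString(parts[0])
	rd, errR := hex.DecodeString(parts[1])
	tag, errT := hex.DecodeString(parts[2])
	if errM != nil || errR != nil || errT != nil || len(meas) != 32 || len(rd) != 64 {
		return nil, errors.New("toy: malformed evidence fields")
	}
	canonical := append(append([]byte{}, meas...), rd...)
	if !hmac.Equal(toyTag(canonical), tag) { // only the pinned root is consulted
		return nil, errors.New("toy: signature does not verify under the pinned root")
	}
	rep := &VerifiedReport{Kind: KindToy, Measurement: meas, ReportData: rd}
	rep.CompositeHash = sha256.Sum256(append([]byte(KindToy), canonical...))
	return rep, nil
}

func toyTag(canonical []byte) []byte {
	mac := hmac.New(sha256.New, toyRoot)
	mac.Write(canonical)
	return mac.Sum(nil)
}

func init() { Register(KindToy, toyVerifier{}) }

// MakeToyEvidence is the attesting side of the constructed format.
func MakeToyEvidence(meas, reportData []byte) []byte {
	canonical := append(append([]byte{}, meas...), reportData...)
	return []byte(hex.EncodeToString(meas) + "|" + hex.EncodeToString(reportData) + "|" + hex.EncodeToString(toyTag(canonical)))
}

func main() {
	ev := MakeToyEvidence(bytes.Repeat([]byte{0xAA}, 32), bytes.Repeat([]byte{0x01}, 64))
	rep, err := Dispatch(context.Background(), KindToy, ev)
	fmt.Printf("genuine:  err=%v root=%x\n", err, rep.CompositeHash[:8])
	ev[0] ^= 0x03 // 'a' -> 'b': still hex, but a different measurement, so the tag fails
	rep, err = Dispatch(context.Background(), KindToy, ev)
	fmt.Printf("tampered: err=%v report=%v\n", err, rep)
}
```

Running it prints the attestation root for genuine evidence, then shows that flipping one hex digit of the measurement yields `report=<nil>` with a non-nil error: the verifier refused rather than returning a partially checked report. A new Kind would be one more file with its own `init()` calling `Register`; `Dispatch` and its callers do not change.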
Trust anchors are pinned, never read from the evidence — and some vendors need
out-of-band collateral. ARM CCA has no universal embedded root: the CPAK is
provisioned per-SoC by the silicon vendor and must be pinned via
ARMCCA.TrustAnchors (a CCA endorsement / CoRIM). AMD's ARK ships embedded;
NVIDIA's RIM key and AWS's Nitro Root G1 are pinned by the verifier. Tests
replay real vendor collateral (AMD KDS, Intel PCS, genuine CCA/Nitro tokens) —
never live network calls.
For NVIDIA there are two surfaces: the local RIM-match verifier (production,
no cloud dependency — the operator pins the NVIDIA RIM signing key) and the
remote attest/nvidia.NRASClient primitive that talks to NVIDIA's Remote
Attestation Service. Device-certificate SPDM chaining is the remote NRAS path;
the local path covers RIM-signature + measurement integrity.
The Verified Report
Every successful verify yields a kind-agnostic VerifiedReport. The integrity
anchor is CompositeHash = sha256(Kind || canonical-verified-bytes) — a release
gate, scheduler, or indexer logs this as the attestation root, and two evidences
with the same composite hash produced byte-identical verifier output.
| Field | Meaning |
|---|---|
| Kind | The verifier that produced the report |
| Vendor | Canonical issuer (amd.sev.snp, intel.tdx, intel.sgx.dcap, nvidia.nvtrust.local/.nras, arm.cca, aws.nitro.enclaves) |
| Measurement | The launch-measurement the hardware attests to (SEV-SNP 48-byte LD digest; TDX SHA-384(MRTD‖RTMR0..3); SGX MRENCLAVE; NVIDIA per-driver+VBIOS RIM digest; ARM CCA RIM; Nitro PCR0) |
| ReportData | The 64-byte caller-supplied challenge field — the caller proved freshness by binding their nonce here before attestation |
| ChipID | Silicon identity (SEV-SNP VCEK CHIP_ID; TDX/SGX PCK descriptor; per-GPU UUID; Nitro/CCA platform instance id) |
| CompositeHash | sha256(Kind ‖ canonical bytes) — the logged attestation root |
Policy Binding
Verification policy is bound per-call with composable options. The caller binds the nonce it issued so the quote cannot be replayed, and pins a known-good launch measurement:
```go
report, err := attest.Dispatch(ctx, attest.KindSEVSNP, evidence,
	attest.WithExpectedReportData(myNonce),       // refuse if the quote didn't bind my nonce
	attest.WithExpectedMeasurement(goldenDigest), // pin a known-good launch digest
)
if err != nil {
	return fmt.Errorf("attestation refused: %w", err) // do NOT release, do NOT fall back
}
```

For NVIDIA GPU evidence the operator supplies the signed RIM and the trust roots that may sign it; an empty trust-root set is refused — there is no insecure mode:
```go
report, err := attest.Dispatch(ctx, attest.KindNVTrust, evidence,
	attest.WithNVTrustRIM(signedRIM),
	attest.WithNVTrustTrustRoots(operatorPinnedKeys), // empty set → refuse
)
```

Trust anchors are pinned, never trusted from the evidence
- AMD ARK/ASK ship embedded with go-sev-guest; the chain is validated to the AMD root, never to a key carried in the evidence.
- The NVIDIA RIM signing key is operator-supplied via WithNVTrustTrustRoots — no insecure default.
- Tests never hit the network: AMD KDS responses are pre-fetched and replayed.
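To show what the per-call options above actually enforce, here is an added Go example for this page (not luxfi/cc code): `policy`, `ApplyPolicy`, `BindNonce`, `WithTrustRoots`, the error values and the 64-byte left-aligned zero-padded nonce convention are all constructed. It runs the nonce and measurement checks over a report that has already passed signature verification under the pinned vendor root, and treats an empty trust-root set as a refusal rather than an insecure default.

```go
package main

import (
	"bytes"
	"crypto/subtle"
	"errors"
	"fmt"
)

// VerifiedReport keeps only the fields policy binding needs here; the real
// report also carries Kind, Vendor, ChipID and CompositeHash.
type VerifiedReport struct {
	Measurement []byte
	ReportData  []byte // the 64-byte caller-supplied challenge field
}

type policy struct {
	nonce      []byte   // WithExpectedReportData
	golden     []byte   // WithExpectedMeasurement
	roots      [][]byte // WithTrustRoots
	rootsGiven bool
}

// Option is a composable per-call policy knob.
type Option func(*policy)

// WithExpectedReportData refuses a quote whose ReportData does not carry the
// nonce this caller issued, so a quote captured earlier cannot be replayed.
func WithExpectedReportData(nonce []byte) Option { return func(p *policy) { p.nonce = nonce } }

// WithExpectedMeasurement pins a known-good launch measurement.
func WithExpectedMeasurement(golden []byte) Option { return func(p *policy) { p.golden = golden } }

// WithTrustRoots supplies the operator-pinned keys allowed to sign collateral
// (the RIM, in the NVIDIA case). An empty set is refused, never "trust anything".
func WithTrustRoots(roots [][]byte) Option {
	return func(p *policy) { p.roots, p.rootsGiven = roots, true }
}

var (
	ErrNonceNotBound       = errors.New("attest: report data does not bind the expected nonce")
	ErrMeasurementMismatch = errors.New("attest: launch measurement is not the pinned value")
	ErrNoTrustRoots        = errors.New("attest: empty trust-root set refused")
	ErrNonceTooLong        = errors.New("attest: nonce exceeds the 64-byte report data field")
)

// BindNonce is the attesting side's convention, constructed for this example:
// the nonce goes left-aligned, zero-padded, into the 64-byte field before the
// quote is requested. Each real Kind defines its own binding.
func BindNonce(nonce []byte) ([]byte, error) {
	if len(nonce) > 64 {
		return nil, ErrNonceTooLong
	}
	out := make([]byte, 64)
	copy(out, nonce)
	return out, nil
}

// ApplyPolicy enforces every option against a report whose signature has
// already been verified under the pinned vendor root. Any failure rejects the
// report outright; there is no partial pass.
func ApplyPolicy(rep *VerifiedReport, opts ...Option) error {
	var p policy
	for _, o := range opts {
		o(&p)
	}
	if p.rootsGiven && len(p.roots) == 0 {
		return ErrNoTrustRoots
	}
	if p.nonce != nil {
		want, err := BindNonce(p.nonce)
		if err != nil {
			return err
		}
		if subtle.ConstantTimeCompare(rep.ReportData, want) != 1 { // also fails on length mismatch
			return ErrNonceNotBound
		}
	}
	if p.golden != nil && !bytes.Equal(rep.Measurement, p.golden) {
		return ErrMeasurementMismatch
	}
	return nil
}

func main() {
	golden := bytes.Repeat([]byte{0x42}, 48) // constructed known-good launch digest
	// A genuinely signed quote the enclave produced for an earlier request (nonce A).
	rdOld, _ := BindNonce(bytes.Repeat([]byte{0xA1}, 32))
	captured := &VerifiedReport{Measurement: golden, ReportData: rdOld}
	// This request issued its own nonce B (constructed; a real gate draws it from crypto/rand).
	fresh := bytes.Repeat([]byte{0xB2}, 32)
	fmt.Println("replayed quote:", ApplyPolicy(captured, WithExpectedReportData(fresh), WithExpectedMeasurement(golden)))
	rdNew, _ := BindNonce(fresh)
	live := &VerifiedReport{Measurement: golden, ReportData: rdNew}
	fmt.Println("live quote:", ApplyPolicy(live, WithExpectedReportData(fresh), WithExpectedMeasurement(golden)))
	fmt.Println("no trust roots:", ApplyPolicy(live, WithTrustRoots(nil)))
}
```

The `main` walks the replay case: a quote the enclave genuinely signed for an earlier request still fails `WithExpectedReportData`, because this request's gate issued a new nonce and the captured quote binds the old one. The comparison is constant-time since the field is attacker-influenced input, and a length mismatch fails the same way as a content mismatch.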
Two Use Cases, One Verifier
The same verifier serves two orthogonal control planes.
Custody — attested TEE signing
The MPC custody release gate (luxfi/mpc) and the optional TEE custody
extension (luxfi/tee) verify a CPU/enclave attestation (KindSEVSNP,
KindTDX, KindSGX, or KindNitro) before a signing key share is released
into an enclave. The composite hash is the audit root the release decision is
logged against.
Confidential AI — proof of AI
The confidential-AI control plane verifies a GPU attestation
(KindNVTrust) to prove an inference or training job ran on a genuine,
measured NVIDIA confidential-compute GPU with a known-good driver/VBIOS —
the hardware root under proof-of-AI.
Neither use case is wired into the permissionless consensus core. Consensus finality (see Consensus) is dealerless and PQ-threshold; TEE is an optional accelerator for custody, never a trust assumption in the open validator set.
Where It Sits
```text
caller (KMS release gate · scheduler · AI trust-tier policy · indexer)
  └── cc/attest.Dispatch(ctx, kind, evidence, opts...)          ◄── luxfi/cc
        │   (one registry — every Kind self-registers via init())
        ├── KindSEVSNP  → google/go-sev-guest + AMD KDS              (production)
        ├── KindTDX     → google/go-tdx-guest + Intel PCS            (production)
        ├── KindSGX     → pure-Go DCAP + Intel SGX Root CA           (production)
        ├── KindNVTrust → attest/nvidia SPDM + RIM-match local       (production)
        │                 attest/nvidia NRAS/EAT (remote)            (production)
        ├── KindARMCCA  → veraison/go-cose + CBOR, CPAK→RAK          (production)
        └── KindNitro   → COSE_Sign1 + AWS Nitro Root G1, PCR0       (production)
```

Further Reading
- Architecture — the decomplected core + optional custody extensions
- Wallet Security — MPC custody and the TEE extension model
- MPC — CGGMP21 / FROST threshold custody
- Post-Quantum — why the consensus core needs no TEE