This repository was archived by the owner on Feb 26, 2026. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 5
Add Proxy-Based Attestation and aTLS Overview #31
Open
FilipCivljak
wants to merge
5
commits into
main
Choose a base branch
from
docs/attestation-proxy
base: main
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Open
Changes from all commits
Commits
Show all changes
5 commits
Select commit
Hold shift + click to select a range
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,73 +1,83 @@ | ||
| --- | ||
| id: attestation | ||
| title: Attestation | ||
| sidebar_position: 4 | ||
| --- | ||
| # Attestation Overview | ||
|
|
||
| Attestation is a security mechanism that allows a client to **verify the identity and integrity of a remote system before sending sensitive data**. | ||
|
|
||
| ## Attestation | ||
| In the context of confidential computing, attestation provides cryptographic proof that an application is running: | ||
|
|
||
| Attestation is a security process used to verify that a system is running trusted software inside a trusted environment. | ||
| In Cube AI, attestation ensures that the confidential computing environment (CVM) has not been tampered with before Cube AI services start running. | ||
| * Inside a **Trusted Execution Environment (TEE)** | ||
| * With **expected software and configuration** | ||
| * Without interference from the host operating system, hypervisor, or cloud provider | ||
|
|
||
| Cube AI performs attestation both **internally** during the boot sequence of the confidential virtual machine (CVM) and via a **user-facing endpoint** that allows clients to verify trust guarantees. | ||
| Attestation is a foundational building block for **zero-trust architectures**, where trust is never assumed and must always be verified. | ||
|
|
||
| For Cube AI, attestation ensures that sensitive prompts, embeddings, and responses are processed only by trusted and verified AI services. | ||
|
|
||
| --- | ||
|
|
||
| ## How Cube AI Uses Attestation Today | ||
| ## Attestation and Attested TLS (aTLS) | ||
|
|
||
| To allow clients to send confidential data to Cube AI securely, a secure channel based on **Attested TLS (aTLS)** is established. | ||
|
|
||
| aTLS is a standard TLS connection augmented with a **hardware-backed attestation report** proving that the remote service is running inside a **Trusted Execution Environment (TEE)**. | ||
|
|
||
| Cube AI runs inside **hardware-backed Confidential Virtual Machines (CVMs)** based on **AMD SEV-SNP and Intel TDX**. | ||
| In Cube AI, the agent service running inside the TEE acts as the TLS server and extends its X.509 certificate with an attestation report generated by the underlying TEE (e.g. AMD SEV-SNP). | ||
|
|
||
| These confidential computing technologies provide: | ||
| When generating the attestation report, the service embeds the **hash of its ephemeral public key** into the `report_data` field of the attestation report. | ||
|
|
||
| - Full memory encryption | ||
| - Protection from a malicious hypervisor or cloud provider | ||
| - Integrity verification of the VM state | ||
| - Hardware-enforced measurement of what software boots inside the VM | ||
| A new TLS certificate and a fresh attestation report are generated for every connection, ensuring cryptographic freshness and preventing replay attacks. | ||
|
|
||
| During startup: | ||
| This provides cryptographic proof that the client is communicating directly with the Cube AI service running inside a TEE, and not with the host system or any intermediary. | ||
|
|
||
| 1. The CVM performs **hardware attestation** using platform-specific attestation mechanisms (**AMD SEV-SNP or Intel TDX**). | ||
| 2. Measurements are validated internally before Cube AI components start. | ||
| 3. If the environment does not match expected measurements, the system refuses to start. | ||
| --- | ||
|
|
||
| ## Proxy-Based Attestation | ||
|
|
||
| Unlike systems where users must manually perform attestation using a CLI tool, Cube AI automates the attestation process through a **proxy component deployed in the Cube AI infrastructure**. | ||
|
|
||
| Because this attestation happens before any workloads run, Cube AI ensures that: | ||
| The Cube AI Proxy: | ||
|
|
||
| - The AI backend (Ollama or vLLM) is running on trusted code | ||
| - The proxy and API services are verified | ||
| - Sensitive data and model prompts are protected from host-level access | ||
| * Forwards client connections to Cube AI services secured with **aTLS** | ||
| * Fetches and exposes attestation evidence associated with the aTLS-secured service endpoint | ||
| * Ensures that the TLS key is cryptographically bound to the attested TEE | ||
| * Provides auditability through structured logs and attestation records | ||
| * Transparently forwards client requests and responses | ||
|
|
||
| From the user's perspective, the client application communicates with Cube AI services over **standard HTTPS**. | ||
| Attestation evidence can be retrieved directly through the proxy, while aTLS verification results are recorded in structured audit logs, without requiring any client-side deployment or manual verification steps. | ||
|
|
||
| --- | ||
|
|
||
| ## Why Attestation Matters | ||
| ## Attestation Policy Verification | ||
|
|
||
| The Local Proxy enforces an **attestation policy** that defines the expected properties of the TEE. | ||
|
|
||
| Confidential Computing provides strong isolation, but attestation ensures: | ||
| This policy includes: | ||
|
|
||
| - The VM truly has confidential computing protections enabled | ||
| - The system hasn’t been modified by the cloud provider | ||
| - No unauthorized code is executed inside the confidential environment | ||
| - All model prompts and responses remain protected even from the host | ||
| * Reference values for fields in the attestation report | ||
| * Expected measurements identifying the Cube AI service running inside the TEE | ||
| * Verification that the TLS key is bound to the attested enclave | ||
|
|
||
| This is essential for: | ||
|  | ||
|
|
||
| - Enterprise deployments | ||
| - Regulated industries (healthcare, finance, defense, R&D) | ||
| - Zero-trust security architectures | ||
| - Protecting sensitive AI inputs and outputs | ||
| Only if the attestation report satisfies the policy will the Proxy establish and maintain the aTLS connection. | ||
|
|
||
| --- | ||
|
|
||
| ## User-Facing Attestation | ||
| ## aTLS Verification and Audit Logs | ||
|
|
||
| Each successful aTLS handshake is recorded by the Cube AI Proxy in structured audit logs. | ||
| These audit log entries provide verifiable evidence that the connection was established with a TEE-backed Cube AI service and that attestation policy verification succeeded. | ||
|
|
||
| Cube AI exposes a user-facing attestation endpoint that allows applications | ||
| to verify that they are interacting with a trusted Cube AI instance. | ||
|  | ||
|
|
||
| ### 🔹 Attestation Endpoint | ||
| Through these logs, users can audit completed aTLS handshakes and verify that no connections were established without successful attestation. | ||
|
|
||
| Applications can request an attestation report using: | ||
| ## Security Guarantees | ||
|
|
||
| ```bash | ||
| POST /attestation | ||
| ``` | ||
| This design ensures that: | ||
|
|
||
| The returned attestation data can be validated by the client to ensure that the | ||
| Cube AI instance is running inside a trusted confidential computing environment. | ||
| * Plaintext input is visible only inside the TEE | ||
| * Sensitive data and AI workloads are processed exclusively within the enclave | ||
| * The host OS, hypervisor, and cloud provider cannot access user data | ||
| * No manual attestation steps are required from users | ||
| * The client can trust the identity and integrity of the remote service | ||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
insert a sample attestation policy json file