
Attestation toolkit for Intel TDX and AMD SEV-SNP confidential VMs

Project description

cvm-attest — Confidential VM Attestation Toolkit

A Python toolkit for attesting Intel TDX and AMD SEV-SNP confidential virtual machines. Auto-detects the TEE type, collects hardware-signed attestation evidence, and verifies the cryptographic signature chain back to the CPU vendor's root of trust.

How it works

Confidential VMs run inside hardware-isolated Trusted Execution Environments (TEEs). The CPU produces cryptographically signed attestation reports that prove the VM's firmware, configuration, and boot chain are authentic and untampered.

Intel TDX — The TDX module produces a TD Quote signed by an Intel-provisioned attestation key. The quote contains measurements (MRTD, RTMRs) of the TD's firmware, kernel, and configuration. Verification uses Intel's Provisioning Certification Service (PCS).

AMD SEV-SNP — The AMD Secure Processor produces an attestation report signed by a chip-unique VCEK key (or cloud-provider VLEK). The report contains a launch measurement and guest policy. Verification uses AMD's Key Distribution Service (KDS).

Installation

# With signature verification (recommended):
pip install "cvm-attest[full]"

# Minimal (parse reports, no crypto verification):
pip install cvm-attest

Requirements

  • Python 3.10+
  • Linux kernel 5.19+ (for legacy device files) or 6.7+ (for configfs-tsm)
  • Running inside an Intel TDX or AMD SEV-SNP confidential VM
  • Root access (required for accessing TEE device files)

Quick start

Command line

# Auto-detect TEE and attest (requires root):
sudo cvm-attest

# Force a specific TEE type:
sudo cvm-attest --tee tdx
sudo cvm-attest --tee snp

# Show full measurement details:
sudo cvm-attest --verbose --show-report

# Save results as JSON:
sudo cvm-attest --output result.json

# Provide a specific nonce:
sudo cvm-attest --nonce $(openssl rand -hex 64)

# Offline mode (skip certificate fetching):
sudo cvm-attest --no-fetch-certs

Python API

from cvm_attest import attest_vm, detect_tee

# Auto-detect and attest
result = attest_vm()
print(f"TEE: {result.tee_type.value}")
print(f"Status: {result.status.value}")
print(f"Signature valid: {result.report_signature_valid}")

# Access parsed measurements
if result.tee_type.value == "tdx":
    mrtd = result.parsed_report["body"]["mrtd"]
    print(f"MRTD: {mrtd}")
elif result.tee_type.value == "snp":
    measurement = result.parsed_report["measurement"]
    print(f"Measurement: {measurement}")

# Just detect the TEE without attesting
tee_info = detect_tee()
print(f"Running in: {tee_info.tee_type.value}")
print(f"CPU: {tee_info.cpu_model}")

CLI reference

Option Description
--tee {tdx,snp,auto} TEE type. Default: auto-detect
--nonce HEX Hex-encoded nonce (up to 64 bytes) for the report
--output FILE Write full JSON result to FILE
--no-fetch-certs Skip certificate fetching (offline mode)
--show-report Print full parsed attestation report
--verbose, -v Enable DEBUG logging

How TEE detection works

The tool checks for TEE presence in this order:

  1. Device files — /dev/tdx_guest (TDX) or /dev/sev-guest (SNP)
  2. CPU flags — tdx_guest flag for TDX; sev, sev_es, sev_snp for SNP
  3. Kernel modules — checks /proc/modules for sev_guest
  4. configfs-tsm — unified interface at /sys/kernel/config/tsm/report/ (kernel 6.7+)
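The four probes above, written out as a stand-alone detector. This is an added example, not cvm-attest's own detect.py: the `root` parameter is an assumption of this example (the real tool reads the live system) so that the same probes can be pointed at a constructed directory tree, and `build_fake_root` and `demo_detection` exist only to exercise it offline. Note the two caveats a practitioner cares about: the `sev` and `sev_es` flags alone do not mean SNP is active (only `sev_snp` does), and the presence of configfs-tsm tells you a TSM exists but not which vendor.

```python
from __future__ import annotations

import tempfile
from pathlib import Path

# Added example: a re-implementation of the detection order listed above.
# Not cvm-attest's detect.py. `root` is this example's own parameter.

TDX_DEVICE = "dev/tdx_guest"
SNP_DEVICE = "dev/sev-guest"
CONFIGFS_TSM = "sys/kernel/config/tsm/report"


def _cpu_flags(root: Path) -> set[str]:
    """Flag set from the first 'flags' line of /proc/cpuinfo (empty if absent)."""
    cpuinfo = root / "proc/cpuinfo"
    if not cpuinfo.is_file():
        return set()
    for line in cpuinfo.read_text().splitlines():
        if line.startswith("flags"):
            return set(line.partition(":")[2].split())
    return set()


def _loaded_modules(root: Path) -> set[str]:
    """Module names from /proc/modules (first whitespace-separated column)."""
    modules = root / "proc/modules"
    if not modules.is_file():
        return set()
    return {line.split()[0] for line in modules.read_text().splitlines() if line.strip()}


def detect_tee(root: str | Path = "/") -> tuple[str | None, str | None]:
    """Return (tee_type, how_detected); (None, None) when no TEE is found."""
    r = Path(root)
    # 1. Guest device nodes are the strongest signal: the guest driver is
    #    loaded and has exposed its ioctl interface.
    if (r / TDX_DEVICE).exists():
        return "tdx", "device"
    if (r / SNP_DEVICE).exists():
        return "snp", "device"
    # 2. CPU flags: tdx_guest for TDX; sev_snp for SNP. sev and sev_es are
    #    prerequisites of SNP and by themselves do not mean SNP is active.
    flags = _cpu_flags(r)
    if "tdx_guest" in flags:
        return "tdx", "cpuflag"
    if "sev_snp" in flags:
        return "snp", "cpuflag"
    # 3. The sev_guest module may be loaded before /dev/sev-guest appears.
    if "sev_guest" in _loaded_modules(r):
        return "snp", "module"
    # 4. configfs-tsm proves a TSM is present but not which vendor; a caller
    #    learns that from the 'provider' attribute of a report entry it creates.
    if (r / CONFIGFS_TSM).is_dir():
        return "tsm", "configfs"
    return None, None


def build_fake_root(base: Path, *, devices=(), flags=(), modules=(), tsm=False) -> Path:
    """Constructed fixture: lay out a minimal /dev, /proc and configfs tree."""
    (base / "dev").mkdir(parents=True, exist_ok=True)
    (base / "proc").mkdir(parents=True, exist_ok=True)
    for dev in devices:
        (base / dev).touch()
    if flags:
        (base / "proc/cpuinfo").write_text("processor\t: 0\nflags\t\t: " + " ".join(flags) + "\n")
    if modules:
        (base / "proc/modules").write_text(
            "".join(f"{m} 16384 0 - Live 0x0000000000000000\n" for m in modules))
    if tsm:
        (base / CONFIGFS_TSM).mkdir(parents=True, exist_ok=True)
    return base


def demo_detection() -> dict[str, tuple[str | None, str | None]]:
    """Run the detector over five constructed trees and return the verdicts."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        results["tdx_device"] = detect_tee(build_fake_root(base / "a", devices=[TDX_DEVICE]))
        results["snp_flags_only"] = detect_tee(
            build_fake_root(base / "b", flags=["fpu", "sev", "sev_es", "sev_snp"]))
        results["snp_module_only"] = detect_tee(
            build_fake_root(base / "c", flags=["fpu"], modules=["sev_guest"]))
        results["tsm_only"] = detect_tee(build_fake_root(base / "d", tsm=True))
        # A host-side 'sev' flag without sev_snp is not a confidential guest.
        results["plain_vm"] = detect_tee(build_fake_root(base / "e", flags=["fpu", "sev"]))
    return results


if __name__ == "__main__":
    for name, verdict in demo_detection().items():
        print(f"{name:16s} -> {verdict}")
```

Running it against `root="/"` on a real guest (as root, since the device nodes are not world-accessible) gives the same tuple the constructed trees produce; the `"tsm"` verdict is the one to treat as incomplete, because the vendor still has to be read from the report entry.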

Evidence collection

Two interfaces are supported for both TEE types:

configfs-tsm (kernel 6.7+) — The preferred, unified interface. Creates a temporary entry under /sys/kernel/config/tsm/report/, writes the nonce to inblob, reads the signed report from outblob, and optionally reads certificates from auxblob.

Legacy device ioctl — Falls back to ioctl() on /dev/tdx_guest (TDX) or /dev/sev-guest (SNP) for older kernels.

Verification

Intel TDX — Parses the TD Quote v4 structure, extracts the ECDSA-P256 signature, and verifies it against the attestation key embedded in the quote. For full certificate chain verification, Intel recommends using Intel Trust Authority or Intel DCAP QVL.

AMD SEV-SNP — Parses the 1184-byte attestation report, fetches the chip-specific VCEK certificate and ARK/ASK chain from AMD KDS, and verifies the ECDSA-P384 signature. The full chain (VCEK → ASK → ARK) is validated.
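What "parses the 1184-byte attestation report" amounts to, as an added example that is not cvm-attest's snp/report.py. Field offsets follow the ATTESTATION_REPORT layout in AMD's SEV-SNP firmware ABI specification; the report itself is constructed inline by `build_sample_report`, and the checks in `evaluate_report` (nonce binding, measurement, debug policy, VMPL) are the ones a relying party applies after the signature has been verified. Verifying the ECDSA-P384 signature over the first 0x2A0 bytes with the VCEK from AMD KDS is the separate step this example does not perform.

```python
from __future__ import annotations

import struct

# Added example (not cvm-attest's snp/report.py). Offsets follow the AMD
# SEV-SNP ABI ATTESTATION_REPORT layout; the sample report is constructed here.

REPORT_LEN = 1184       # 0x4A0 bytes: 0x2A0-byte signed body + 512-byte signature field
SIGNED_LEN = 0x2A0
REPORT_DATA_LEN = 64
MEASUREMENT_LEN = 48

# GUEST_POLICY bits; the report carries the policy the guest was launched with.
POLICY_SMT = 1 << 16
POLICY_RESERVED_ONE = 1 << 17   # must always be set
POLICY_MIGRATE_MA = 1 << 18
POLICY_DEBUG = 1 << 19
POLICY_SINGLE_SOCKET = 1 << 20


def parse_snp_report(raw: bytes) -> dict:
    """Decode the fields a verifier acts on from a 1184-byte SNP report."""
    if len(raw) != REPORT_LEN:
        raise ValueError(f"expected {REPORT_LEN}-byte report, got {len(raw)}")
    version, guest_svn, policy = struct.unpack_from("<IIQ", raw, 0x000)
    vmpl, sig_algo = struct.unpack_from("<II", raw, 0x030)
    (current_tcb,) = struct.unpack_from("<Q", raw, 0x038)
    (reported_tcb,) = struct.unpack_from("<Q", raw, 0x180)
    return {
        "version": version,
        "guest_svn": guest_svn,
        "vmpl": vmpl,
        "signature_algo": sig_algo,              # 1 = ECDSA P-384 with SHA-384
        "current_tcb": current_tcb,
        "reported_tcb": reported_tcb,
        "policy": {
            "abi_minor": policy & 0xFF,
            "abi_major": (policy >> 8) & 0xFF,
            "smt_allowed": bool(policy & POLICY_SMT),
            "migrate_ma_allowed": bool(policy & POLICY_MIGRATE_MA),
            "debug_allowed": bool(policy & POLICY_DEBUG),
            "single_socket_required": bool(policy & POLICY_SINGLE_SOCKET),
        },
        "report_data": raw[0x050:0x090].hex(),   # 64 bytes the guest supplied (the nonce)
        "measurement": raw[0x090:0x0C0].hex(),   # 48-byte launch digest
        "host_data": raw[0x0C0:0x0E0].hex(),
        "chip_id": raw[0x1A0:0x1E0].hex(),       # selects the VCEK at AMD KDS
        "signed_body": raw[:SIGNED_LEN].hex(),   # what the ECDSA-P384 signature covers
        "signature": raw[SIGNED_LEN:].hex(),     # r, s as 72-byte little-endian fields, then padding
    }


def evaluate_report(parsed: dict, nonce: bytes, expected_measurement: bytes) -> list[str]:
    """Relying-party checks applied after the signature is verified.

    Returns failure strings; an empty list means the report passed.
    """
    failures = []
    # Freshness: REPORT_DATA must echo the caller's nonce. Shorter nonces are
    # zero-padded to 64 bytes (this example's convention).
    if bytes.fromhex(parsed["report_data"]) != nonce.ljust(REPORT_DATA_LEN, b"\0"):
        failures.append("report_data does not match the supplied nonce (possible replay)")
    if parsed["measurement"] != expected_measurement.hex():
        failures.append("launch measurement does not match the expected image")
    if parsed["policy"]["debug_allowed"]:
        failures.append("guest policy allows debug access; the host can read guest memory")
    if parsed["vmpl"] != 0:
        failures.append(f"report was requested from VMPL {parsed['vmpl']}, expected VMPL 0")
    return failures


def build_sample_report(*, nonce: bytes, measurement: bytes, policy: int, vmpl: int = 0) -> bytes:
    """Constructed fixture: a well-formed report whose signature field is left zeroed."""
    if len(measurement) != MEASUREMENT_LEN or len(nonce) > REPORT_DATA_LEN:
        raise ValueError("measurement must be 48 bytes and nonce at most 64 bytes")
    buf = bytearray(REPORT_LEN)
    struct.pack_into("<IIQ", buf, 0x000, 2, 0, policy)       # version 2, guest_svn 0
    struct.pack_into("<II", buf, 0x030, vmpl, 1)              # vmpl, ECDSA P-384
    buf[0x050:0x050 + REPORT_DATA_LEN] = nonce.ljust(REPORT_DATA_LEN, b"\0")
    buf[0x090:0x090 + MEASUREMENT_LEN] = measurement
    return bytes(buf)


if __name__ == "__main__":
    nonce = bytes(range(64))
    measurement = b"\xab" * MEASUREMENT_LEN
    good = parse_snp_report(build_sample_report(
        nonce=nonce, measurement=measurement, policy=POLICY_RESERVED_ONE | POLICY_SMT))
    print("good report:", evaluate_report(good, nonce, measurement) or "PASS")
    debug = parse_snp_report(build_sample_report(
        nonce=nonce, measurement=measurement, policy=POLICY_RESERVED_ONE | POLICY_DEBUG, vmpl=2))
    print("debug report:", evaluate_report(debug, nonce, measurement))
```

The order matters in practice: the policy checks only mean something once the signature over `signed_body` has been validated with the VCEK selected by `chip_id` and `reported_tcb`, because without that an attacker-controlled report could carry any measurement and any nonce.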

Package structure

cvm_attest/
├── __init__.py         # Public API
├── __main__.py         # python -m cvm_attest
├── cli.py              # Argument parsing, summary output
├── detect.py           # Auto-detect TDX vs SEV-SNP
├── models.py           # TeeType, AttestationEvidence, AttestationResult
├── orchestrator.py     # attest_vm() — ties everything together
├── tdx/
│   ├── evidence.py     # Collect TD Quote (configfs-tsm + ioctl)
│   ├── quote.py        # Parse TD Quote v4 binary format
│   └── verify.py       # Verify quote signature
└── snp/
    ├── evidence.py     # Collect SNP report (configfs-tsm + ioctl)
    ├── report.py       # Parse 1184-byte SNP report
    └── verify.py       # Verify signature via AMD KDS certs

JSON output format

{
  "tool": "cvm-attest",
  "version": "1.0.0",
  "timestamp": "2026-04-09T12:00:00Z",
  "result": {
    "tee_type": "snp",
    "status": "PASS",
    "report_signature_valid": true,
    "cert_chain_valid": true,
    "parsed_report": {
      "version": 2,
      "vmpl": 0,
      "measurement": "abc123...",
      "policy": { "debug_allowed": false, ... },
      ...
    },
    "errors": [],
    "warnings": []
  }
}

Companion tool

For GPU attestation (NVIDIA H100/H200/Blackwell), see cgpu-attest.

License

MIT — see LICENSE.

Download files

Source Distribution

cvm_attest-1.0.0.tar.gz (32.8 kB)

Built Distribution

cvm_attest-1.0.0-py3-none-any.whl (36.7 kB)

File details

Details for the file cvm_attest-1.0.0.tar.gz.

File metadata

  • Download URL: cvm_attest-1.0.0.tar.gz
  • Size: 32.8 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.12.3

File hashes

Hashes for cvm_attest-1.0.0.tar.gz
Algorithm Hash digest
SHA256 30726a61bfe9b994a34c5c4e9cd973eb4575b1bdaaa52204c4a5b12b23540a8c
MD5 a338a601357b885e097808dc51dc1bb3
BLAKE2b-256 d50062bd4ed48103c89beb205d9661f9e07a1bd9b3a1c6468532698850f7c79f


File details

Details for the file cvm_attest-1.0.0-py3-none-any.whl.

File metadata

  • Download URL: cvm_attest-1.0.0-py3-none-any.whl
  • Size: 36.7 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.12.3

File hashes

Hashes for cvm_attest-1.0.0-py3-none-any.whl
Algorithm Hash digest
SHA256 7bfc81e9ff82079a41dd555bb0e911832bea8bb94895dde871c6eaa2dea5a4da
MD5 263db520e707f8f1964a5b81054f5c02
BLAKE2b-256 336ad84b4de2a0612b7e077fac5edb4d91ffb083748aa8f37f8389af03bf6a34

