dk-tee-attestation 0.4.0

TEE attestation library for AMD SEV-SNP and Intel TDX platforms

FHEnom TEE Attestation Library

A Python library for generating and verifying TEE (Trusted Execution Environment) attestation reports across different hardware platforms.

Features

• Multi-Platform Support: AMD SEV-SNP and Intel TDX
• Unified API: Single interface for all TEE platforms
• Cryptographic Verification: Full certificate chain validation
• Production Ready: Used in FHEnom AI confidential computing platform

Supported Platforms

• ✅ AMD SEV-SNP (Secure Encrypted Virtualization - Secure Nested Paging)
• 🚧 Intel TDX (Trust Domain Extensions) - Coming soon

Basic Installation (Python API only)

pip install dk-tee-attestation

Quick Start

Generate an Attestation Report (Inside TEE)

from dk_tee_attestation import AttestationEngineFactory, AttestationEngineType

# Create AMD SEV-SNP engine
engine = AttestationEngineFactory.get(AttestationEngineType.AMD_SEV_SNP)

# Generate report with nonce (must be 64 bytes)
nonce = b"your_nonce_here" + b"\x00" * (64 - len(b"your_nonce_here"))
report_bytes = engine.get_report(nonce)

# Save for verification
with open("attestation_report.bin", "wb") as f:
    f.write(report_bytes)

Verify an Attestation Report (Verifier Side)

from dk_tee_attestation import AttestationEngineFactory, AttestationEngineType

# Create engine
engine = AttestationEngineFactory.get(AttestationEngineType.AMD_SEV_SNP)

# Load report
with open("attestation_report.bin", "rb") as f:
    report_bytes = f.read()

# Verify (raises exception on failure)
nonce = b"your_nonce_here" + b"\x00" * (64 - len(b"your_nonce_here"))
try:
    engine.verify_report(report_bytes, nonce)
    print("✓ Attestation verified successfully!")
except Exception as e:
    print(f"✗ Verification failed: {e}")

API Reference

AttestationEngine

Base interface for TEE attestation engines.

---

get_report(report_data: bytes) -> bytes

Generate a TEE attestation report.

Parameters

• report_data (bytes): Nonce / challenge. Must be exactly 64 bytes.

Returns

• bytes: Raw attestation report.

Raises

• AttestationError: If report generation fails.

---

verify_report(report_bytes: bytes, expected_report_data: bytes) -> None

Verify a TEE attestation report.

Parameters

• report_bytes (bytes): Raw attestation report to verify.
• expected_report_data (bytes): Expected nonce. Must be exactly 64 bytes.

Returns

• None: Verification succeeded.

Raises

• AttestationError: If verification fails.

Verification Process

AMD SEV-SNP Verification Steps

1. Parse Report: Extract structured data from raw bytes
2. Validate Nonce: Ensure nonce matches expected value
3. Fetch Certificates: Retrieve ARK, ASK, and VCEK from AMD KDS
4. Verify Chain: Validate certificate chain signatures
5. Check Metadata: Ensure TCB and hardware ID match
6. Verify Signature: Validate report signature with VCEK

INTEL-TDX Verification Steps

🚧 - Coming soon

Platform-Specific Notes

AMD SEV-SNP

• Requires access to /dev/sev-guest device for report generation
• Fetches certificates from AMD Key Distribution Service (KDS)
• Supports Milan, Genoa, and Turin processor families

Intel TDX

• 🚧 Coming soon

Integration with FHEnom AI

This library is integrated into the FHEnom AI SDK:

# Install FHEnom AI with attestation support
pip install fhenomai

# Use via FHEnom AI client
from fhenomai import FHEnomClient

client = FHEnomClient.from_config()
result = client.admin.verify_attestation(report_bytes, nonce_hex)

Requirements

• Python >= 3.8
• cryptography >= 46.0.0
• requests >= 2.32.0

Use Cases

• Remote Attestation: Prove code runs in genuine TEE
• Zero-Trust Security: Establish trust before sensitive operations
• Compliance: Demonstrate hardware-backed security
• Confidential Computing: Verify encrypted model execution

License

TBD