Skip to content

README.md

Latest commit

 

History

History
209 lines (160 loc) · 4.11 KB

README.md

File metadata and controls

209 lines (160 loc) · 4.11 KB

verifiers

Verifiers for proofofcloud.org. A simple API backend to verify TEE attestation reports and query hardware IDs.

Features

  • Intel DCAP Support: Verify Intel TDX and SGX attestations (via Phala Cloud API)
  • Extensible Architecture: Easy to add AMD SEV-SNP and AWS Nitro Enclave verifiers
  • Simple API: Two straightforward endpoints for verification and hardware ID queries
  • TypeScript: Full type safety with Hono framework

Getting Started

Prerequisites

  • Node.js 18+ or Bun
  • npm or yarn

Installation

npm install

Development

npm run dev

The server will start on http://localhost:3000 with hot reload enabled.

Production

npm start

Testing

npm test

The test verifies Intel DCAP attestation using a real quote from tests/quote-no-poc.bin. It demonstrates:

  • Reading binary quote files and converting to hex
  • Calling the verification API
  • Parsing all returned fields (header, body, certificates, etc.)

API Endpoints

1. Verify Attestation

POST /attestations/verify

Verify a TEE attestation quote and check if it passes Proof-of-Cloud verification.

Request:

curl -X POST "http://localhost:3000/attestations/verify" \
  -H "Content-Type: application/json" \
  -d '{"type": "intel", "hex": "0x040002000..."}'

Request Body:

{
  "type": "intel",
  "hex": "0x040002000..."
}

Response (Success):

{
  "success": true,
  "quote": {
    "verified": true,
    "header": {
      "tee_type": "TEE_TDX"
    }
  },
  "proof_of_cloud": true
}

Response (Error):

{
  "success": false,
  "error": "verification_failed",
  "message": "Intel DCAP verification failed: ..."
}

Similarly, for AMD SEV-SNP you can do:

curl -X POST "http://localhost:3000/attestations/verify" \
  -H "Content-Type: application/json" \
  -d '{
    "type": "amd",
    "hex": "0xdeadbeef..."
  }'

Response (Success):

{
  "success": true,
  "quote": {
    "verified": true,
    "header": {
      "tee_type": "TEE_AMD_SEV_SNP"
    }
  },
  "proof_of_cloud": true
}

2. Check Hardware ID

GET /hardware_id/:id

Query if a hardware ID is verified and accepted by Proof-of-Cloud.

Request:

curl "http://localhost:3000/hardware_id/abc123"

Response (Found):

{
  "success": true
}

Response (Not Found):

{
  "success": false,
  "error": "not_found",
  "message": "Hardware ID 'abc123' is not verified"
}

3. Health Check

GET /

Check service status and available endpoints.

Response:

{
  "name": "Proof-of-Cloud Verifiers",
  "version": "1.0.0",
  "status": "running",
  "endpoints": {
    "attestation_verify": "POST /attestations/verify",
    "hardware_check": "GET /hardware_id/:id"
  }
}

Architecture

Simple, flat structure - just ~130 lines of code:

src/
├── index.ts       # Main app (50 lines)
├── verifiers.ts   # Verification functions (53 lines)
├── hardware.ts    # Hardware registry (17 lines)
└── types.ts       # Type definitions (9 lines)

Supported TEE Vendors

Vendor Status Notes
Intel TDX/SGX ✅ Implemented Via Phala Cloud API
AMD SEV-SNP ✅ Implemented Via Nillion verifier
AWS Nitro 🚧 Stub Contributors welcome

Contributing

We welcome contributions to add support for additional TEE vendors!

Adding a New Verifier

Add a function to src/verifiers.ts that takes a string input and returns an AttestationResponse:

export async function verifyYourTee(input: string): Promise<AttestationResponse> {
  // Call your verification API or implement verification logic
  return {
    success: true,
    proof_of_cloud: true,
    quote: detaildQuoteData,
  };
}

Then update src/index.ts to call your verifier. You can add a type field to the request, auto-detect from hex format, or try verifiers sequentially. See the existing verifyIntelDcap() implementation for reference.

License

Apache 2.0