Skip to content

Attestation Pipeline

The attested flow emits evidence that binds the transformed output to a session. This documentation describes the public evidence format and verification logic only. Private runtime interfaces are intentionally omitted.

flowchart LR
  input[RawLocalData] --> tee[AttestedExecution]
  tee --> output[TransformedContext]
  tee --> evidence[AttestationEvidence]
  evidence --> verifier[AttestationVerifier]
  verifier --> verdict[VerificationVerdict]

Evidence binding

report_data = SHA-256(session_id || config_hash || output_hash || timestamp)

The verifier recomputes this binding and compares it to the report.

Verification claims (summary)

  • Report structure validity
  • Code identity measurement match
  • Output binding correctness
  • Timestamp freshness
  • Platform authentication (simulator produces warnings)

Evidence fields (public)

  • measurement: enclave code identity
  • report: raw attestation report
  • configHash: binds configuration
  • outputHash: binds output
  • timestamp: freshness

Prev: Developer Architecture | Next: Testing