{"id":47685694,"url":"https://github.com/lunal-dev/attestation-rs","last_synced_at":"2026-04-02T14:49:11.233Z","repository":{"id":299900093,"uuid":"998123791","full_name":"lunal-dev/attestation-rs","owner":"lunal-dev","description":"A rust attestation generation and verification library for TEEs ","archived":false,"fork":false,"pushed_at":"2026-03-25T19:37:29.000Z","size":562,"stargazers_count":13,"open_issues_count":2,"forks_count":3,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-03-26T19:46:51.357Z","etag":null,"topics":["confidential-compute","confidential-computing","rust","tee"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/lunal-dev.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-06-07T23:03:26.000Z","updated_at":"2026-03-25T19:34:41.000Z","dependencies_parsed_at":"2026-02-18T06:06:17.833Z","dependency_job_id":null,"html_url":"https://github.com/lunal-dev/attestation-rs","commit_stats":null,"previous_names":["lunal-dot-dev/attestation-rs","lunal-dev/attestation-rs"],"tags_count":4,"template":false,"template_full_name":null,"purl":"pkg:github/lunal-dev/attestation-rs","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lunal-dev%2Fattestation-rs","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lunal-dev%2Fattestation-rs/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lun
al-dev%2Fattestation-rs/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lunal-dev%2Fattestation-rs/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/lunal-dev","download_url":"https://codeload.github.com/lunal-dev/attestation-rs/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lunal-dev%2Fattestation-rs/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31308446,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-02T12:59:32.332Z","status":"ssl_error","status_checked_at":"2026-04-02T12:54:48.875Z","response_time":89,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["confidential-compute","confidential-computing","rust","tee"],"created_at":"2026-04-02T14:49:10.333Z","updated_at":"2026-04-02T14:49:11.220Z","avatar_url":"https://github.com/lunal-dev.png","language":"Rust","readme":"# Attestation\n\n[![CI](https://github.com/lunal-dot-dev/attestation-rs/actions/workflows/ci.yml/badge.svg)](https://github.com/lunal-dot-dev/attestation-rs/actions/workflows/ci.yml)\n\nA Rust library providing a unified interface for TEE (Trusted Execution Environment) attestation evidence generation and verification.\n\n## Supported Platforms\n\n| Platform                 | Attest | Verify | WASM 
Verify |\n| ------------------------ | ------ | ------ | ----------- |\n| AMD SEV-SNP (bare-metal) | Yes    | Yes    | Yes         |\n| Intel TDX (bare-metal)   | Yes    | Yes    | Yes         |\n| Azure SEV-SNP (vTPM)     | Yes    | Yes    | Yes         |\n| Azure TDX (vTPM)         | Yes    | Yes    | Yes         |\n\n## Feature Flags\n\n```toml\n[dependencies]\nattestation = { path = \".\", features = [\"snp\", \"tdx\"] }\n```\n\n| Feature  | Description                                                               |\n| -------- | ------------------------------------------------------------------------- |\n| `snp`    | AMD SEV-SNP support (verify always, attest when `attest` also enabled)    |\n| `tdx`    | Intel TDX support                                                         |\n| `az-snp` | Azure SEV-SNP vTPM support (implies `snp`)                                |\n| `az-tdx` | Azure TDX vTPM support (implies `tdx`)                                    |\n| `attest` | Enable guest-side evidence generation (Linux-only, requires TEE hardware) |\n| `cli`    | Build the `attestation-cli` binary                                        |\n\nAll four platform features are enabled by default. Verification is always compiled when a platform feature is enabled. 
The `attest` feature gates all guest-side code that requires hardware access.\n\n## Usage\n\n### Verifier (Server-Side or WASM)\n\n```rust\nuse attestation::{VerifyParams, VerificationResult};\n\n#[tokio::main]\nasync fn main() {\n    // evidence_json is a self-describing AttestationEvidence envelope\n    let evidence_json: \u0026[u8] = b\"...\";\n\n    let params = VerifyParams {\n        expected_report_data: Some(vec![0xAA; 64]),\n        ..Default::default()\n    };\n\n    let result = attestation::verify(evidence_json, \u0026params).await.unwrap();\n\n    println!(\"Signature valid: {}\", result.signature_valid);\n    println!(\"Platform: {}\", result.platform);\n    println!(\"Launch digest: {}\", result.claims.launch_digest);\n    println!(\"Report data match: {:?}\", result.report_data_match);\n}\n```\n\n### Verifier with Custom Providers\n\n```rust\nuse attestation::{Verifier, VerifyParams};\n\n#[tokio::main]\nasync fn main() {\n    // evidence_json is a self-describing AttestationEvidence envelope\n    let evidence_json: \u0026[u8] = b\"...\";\n\n    let verifier = Verifier::new();\n    // Or with custom cert/collateral providers:\n    // let verifier = Verifier::new()\n    //     .with_cert_provider(my_cert_provider)\n    //     .with_tdx_provider(my_tdx_provider);\n\n    let result = verifier\n        .verify(evidence_json, \u0026VerifyParams::default())\n        .await\n        .unwrap();\n}\n```\n\n### Attester (Guest-Side Agent)\n\n```rust\n#[tokio::main]\nasync fn main() {\n    // Auto-detect the TEE platform\n    let platform = attestation::detect().expect(\"no TEE platform detected\");\n    println!(\"Detected platform: {}\", platform);\n\n    // Generate evidence with a challenge nonce\n    let nonce = b\"server-provided-challenge-nonce\";\n    let evidence_json = attestation::attest(platform, nonce).await.unwrap();\n\n    // Send evidence_json to the verifier — it's a self-describing envelope\n    println!(\"Evidence: {} bytes\", evidence_json.len());\n}\n```\n\n## Examples\n\nEach platform has a dedicated example. 
Run on the appropriate hardware:\n\n```bash\ncargo run --example snp    --features \"snp,attest\"\ncargo run --example tdx    --features \"tdx,attest\"\ncargo run --example az_snp --features \"az-snp,attest\"\ncargo run --example az_tdx --features \"az-tdx,attest\"\n```\n\nAzure examples accept an optional nonce argument:\n\n```bash\ncargo run --example az_snp --features \"az-snp,attest\" -- \"my-custom-nonce\"\n```\n\n## CLI\n\nA CLI binary is available for attestation and verification from the command line:\n\n```bash\n# Build the CLI\ncargo build --release --features cli\n\n# Generate evidence (on TEE hardware, Linux only)\ncargo build --release --features \"cli,attest\"\n./target/release/attestation-cli attest --report-data \"my-nonce\"\n\n# Verify evidence (works anywhere)\necho \"$EVIDENCE\" | ./target/release/attestation-cli verify\n```\n\n## Evidence JSON Schemas\n\n### SNP Evidence\n\n```json\n{\n  \"attestation_report\": \"\u003cbase64-encoded 1184-byte SNP report\u003e\",\n  \"cert_chain\": {\n    \"vcek\": \"\u003cbase64-encoded DER certificate\u003e\",\n    \"ask\": \"\u003cbase64-encoded DER certificate, optional\u003e\",\n    \"ark\": \"\u003cbase64-encoded DER certificate, optional\u003e\"\n  }\n}\n```\n\n### TDX Evidence\n\n```json\n{\n  \"quote\": \"\u003cbase64-encoded TDX quote bytes\u003e\",\n  \"cc_eventlog\": \"\u003cbase64-encoded CCEL eventlog, optional\u003e\"\n}\n```\n\n### Azure SNP Evidence\n\n```json\n{\n  \"version\": 1,\n  \"tpm_quote\": {\n    \"signature\": \"\u003chex-encoded RSA signature\u003e\",\n    \"message\": \"\u003chex-encoded TPMS_ATTEST\u003e\",\n    \"pcrs\": [\"\u003chex-encoded 32-byte PCR value\u003e\", \"...(24 entries)\"]\n  },\n  \"hcl_report\": \"\u003curl-safe-base64-encoded HCL report (2600 bytes)\u003e\",\n  \"vcek\": \"\u003curl-safe-base64-encoded DER certificate\u003e\"\n}\n```\n\n### Azure TDX Evidence\n\n```json\n{\n  \"version\": 1,\n  \"tpm_quote\": {\n    \"signature\": \"\u003chex-encoded RSA 
signature\u003e\",\n    \"message\": \"\u003chex-encoded TPMS_ATTEST\u003e\",\n    \"pcrs\": [\"\u003chex-encoded 32-byte PCR value\u003e\", \"...(24 entries)\"]\n  },\n  \"hcl_report\": \"\u003curl-safe-base64-encoded HCL report (2600 bytes)\u003e\",\n  \"td_quote\": \"\u003curl-safe-base64-encoded TD quote\u003e\"\n}\n```\n\n### Verification Result\n\n```json\n{\n  \"signature_valid\": true,\n  \"platform\": \"snp\",\n  \"claims\": {\n    \"launch_digest\": \"\u003c96-char hex string (48 bytes)\u003e\",\n    \"report_data\": \"\u003c128-char hex string (64 bytes)\u003e\",\n    \"signed_data\": \"\u003chex-encoded bytes\u003e\",\n    \"init_data\": \"\u003chex-encoded bytes\u003e\",\n    \"tcb\": {\n      \"type\": \"Snp\",\n      \"bootloader\": 3,\n      \"tee\": 0,\n      \"snp\": 8,\n      \"microcode\": 115\n    },\n    \"platform_data\": {\n      \"policy\": { \"abi_major\": 0, \"debug_allowed\": false, \"...\" : \"...\" },\n      \"vmpl\": 0,\n      \"chip_id\": \"\u003c128-char hex\u003e\"\n    }\n  },\n  \"report_data_match\": true,\n  \"init_data_match\": null\n}\n```\n\n## Running Tests\n\n```bash\n# Unit tests (no hardware needed)\ncargo test --features snp\ncargo test --features tdx\ncargo test --features az-snp\ncargo test --features az-tdx\n\n# Integration tests on Azure SNP CVM\ncargo test --test az_snp_live --features \"az-snp,attest\" -- --ignored\n\n# Integration tests on Azure TDX CVM\ncargo test --test az_tdx_live --features \"az-tdx,attest\" -- --ignored\n\n# Benchmarks\ncargo bench --features snp\ncargo bench --features tdx\ncargo bench --features az-snp\ncargo bench --features az-tdx\n```\n\n## WASM Support\n\nThe library compiles to `wasm32-unknown-unknown` for verifier-only use:\n\n```bash\ncargo check --target wasm32-unknown-unknown --no-default-features --features snp,tdx,az-snp,az-tdx\n```\n\nThe `attest` feature is automatically excluded on WASM. 
All verification uses pure-Rust crypto (no OpenSSL dependency).\n\n## Bundled Certificates\n\nAMD root certificates (ARK + ASK) for Milan, Genoa, and Turin processors are embedded at compile time. Per-chip VCEK certificates are fetched on demand from AMD KDS or Azure IMDS.\n\n## License\n\nApache-2.0\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flunal-dev%2Fattestation-rs","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Flunal-dev%2Fattestation-rs","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flunal-dev%2Fattestation-rs/lists"}