Attestation providers
Hardware attestation providers for Levels 1–3. See Tutorial: Hardware attestation for usage and mocking patterns.
Base types
AttestationProvider
Bases: ABC
Interface all providers implement.
extend_manifest_hash abstractmethod
Extend the manifest hash into the hardware measurement register.
get_attestation_report abstractmethod
Return the current platform attestation report.
verify_manifest_in_report abstractmethod
Return True if the report contains the expected manifest hash.
manifest_pre_image
RFC 8785 canonical JSON of manifest with attestation block excluded.
This is the exact byte sequence extended into the hardware register and recorded in manifest_hash_in_report (spec Section 3.3).
manifest_hash_value
Return sha256:
AttestationReport dataclass
Portable attestation report returned by all providers.
AttestationUnavailableError
Bases: RuntimeError
Raised when the attestation hardware or daemon is not accessible.
Callers MUST NOT treat this as a silent success. An agent that cannot produce hardware attestation MUST NOT claim Level 1+ conformance.
Level 1 - TPM
TPMProvider
Bases: AttestationProvider
TPM 2.0 attestation provider.
Supports generic TPM 2.0 (PCR 15) and AWS Nitro Enclaves (PCR 8). Uses tpm2-tools CLI for PCR extension and quote generation.
On AWS Nitro, the NSM device (/dev/nsm) is detected automatically and PCR 8 is used instead of the default PCR 15.
For CI environments without a hardware TPM, install swtpm and set TPM2TOOLS_TCTI=swtpm: or TPM2TOOLS_TCTI=device:/dev/tpm0.
Raises:
| Type | Description |
|---|---|
| AttestationUnavailableError | If tpm2-tools is not installed or the TPM device is not accessible. |
extend_manifest_hash
Extend the manifest hash into PCR self._pcr using tpm2_extend.
The extended value is the SHA-256 of the RFC 8785 canonical manifest (attestation block excluded). This ensures the PCR value is deterministically bound to the exact manifest that was approved.
Raises:
| Type | Description |
|---|---|
| AttestationUnavailableError | If tpm2_extend fails. |
get_attestation_report
Read current PCR values and generate a TPM2 quote.
Raises:
| Type | Description |
|---|---|
| AttestationUnavailableError | If tpm2_pcrread or tpm2_quote fails. |
verify_manifest_in_report
Check that the PCR in the report contains the expected manifest hash.
The expected value is the cumulative PCR extension value after the manifest hash was extended. For a PCR starting at 0x00..00: new_pcr = SHA-256(current_pcr_value || manifest_hash_bytes)
For simplicity, the SDK checks that the report's manifest_hash matches the hash we would compute from the manifest. A full PCR replay verification requires the pre-extension PCR value, which callers must supply for production use.
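The pre-image, hash and PCR replay described above, as an added example that is not the SDK's own code: it builds the canonical pre-image with the attestation block excluded, hashes it, and performs the full replay check from a caller-supplied pre-extension PCR value. The manifest is constructed, the function names are hypothetical, and the canonicalization is a simplified RFC 8785 (number formatting is not reimplemented).

```python
import hashlib
import hmac
import json

# Constructed sample manifest, not from the SDK; its "attestation" block is
# what manifest_pre_image excludes before canonicalization.
SAMPLE_MANIFEST = {
    "version": "1.0",
    "agent": {"name": "example-agent", "model": "example-model"},
    "tools": ["search", "calculator"],
    "attestation": {"level": 1, "manifest_hash_in_report": "sha256:<placeholder>"},
}


def canonical_pre_image(manifest: dict) -> bytes:
    """RFC 8785-style canonical JSON of the manifest minus its attestation
    block: sorted keys, no whitespace, UTF-8 without ASCII escaping.
    Simplified: RFC 8785 number serialization is not reimplemented here."""
    stripped = {k: v for k, v in manifest.items() if k != "attestation"}
    text = json.dumps(stripped, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return text.encode("utf-8")


def manifest_hash_bytes(manifest: dict) -> bytes:
    """The 32-byte value that is extended into the hardware register."""
    return hashlib.sha256(canonical_pre_image(manifest)).digest()


def pcr_extend(current_pcr: bytes, measurement: bytes) -> bytes:
    """TPM 2.0 extend in a SHA-256 bank: new_pcr = SHA-256(current_pcr || measurement)."""
    if len(current_pcr) != 32 or len(measurement) != 32:
        raise ValueError("SHA-256 PCR bank values and measurements are 32 bytes")
    return hashlib.sha256(current_pcr + measurement).digest()


def verify_pcr_replay(pre_extension_pcr: bytes, reported_pcr: bytes, manifest: dict) -> bool:
    """Full replay check: recompute one extend step from the PCR value the
    caller observed before extension and compare it with the quoted PCR."""
    expected = pcr_extend(pre_extension_pcr, manifest_hash_bytes(manifest))
    return hmac.compare_digest(expected, reported_pcr)
```

Changing the attestation block leaves the hash unchanged, while changing any other field (or supplying the wrong pre-extension PCR) fails the replay.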
Level 2 - SEV-SNP and TDX
SEVSNPProvider
Bases: AttestationProvider
AMD SEV-SNP attestation via /dev/sev-guest (Linux kernel 5.19+).
Extends the manifest hash into HOST_DATA (64 bytes) of the SNP attestation report. The first 32 bytes of HOST_DATA carry the SHA-256 of the manifest pre-image; the remaining 32 bytes are zero-padded.
Requirements
- AMD EPYC (Milan or later) with SEV-SNP enabled in BIOS
- Linux kernel 5.19+ with CONFIG_AMD_MEM_ENCRYPT=y
- Running inside an SEV-SNP VM (Azure DCasv5, AWS C6a Nitro, GCP N2D)
Raises:
| Type | Description |
|---|---|
| AttestationUnavailableError | If /dev/sev-guest is not accessible. |
extend_manifest_hash
Request an SNP attestation report with HOST_DATA = sha256(pre_image) || 0x00*32.
TDXProvider
Bases: AttestationProvider
Intel TDX attestation via /dev/tdx-guest (Linux kernel 6.2+).
Extends the manifest hash into RTMR[1] using TDG.MR.RTMR.EXTEND. RTMR[1] is conventionally used for OS-level and application-level measurements (RTMR[0] = TD-measured, RTMR[2-3] = available for SW).
Requirements
- Intel 4th Gen Xeon (Sapphire Rapids) or later with TDX enabled
- Linux kernel 6.2+ with TDX guest driver
- Running inside an Intel TDX Trust Domain (Azure DCedsv5, GCP C3)
Raises:
| Type | Description |
|---|---|
| AttestationUnavailableError | If /dev/tdx-guest is not accessible. |
extend_manifest_hash
Obtain a TD report with reportdata = sha256(pre_image) || 0x00*32.
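The 64-byte field layout shared by the SEV-SNP HOST_DATA and TDX reportdata descriptions above, as an added example that is not the SDK's code: it packs sha256(pre_image) || 0x00*32 and checks a field read back from a report, rejecting wrong lengths and non-zero padding so a report produced under a different layout does not pass by accident. The manifest hash is a constructed sample and the function names are hypothetical.

```python
import hashlib
import hmac

FIELD_LEN = 64   # HOST_DATA (SEV-SNP) and reportdata (TDX) are both 64 bytes
HASH_LEN = 32    # the SHA-256 manifest hash occupies the first half

# Constructed sample standing in for sha256(manifest pre-image).
SAMPLE_MANIFEST_HASH = hashlib.sha256(b"constructed-sample-pre-image").digest()


def build_report_data(manifest_hash: bytes) -> bytes:
    """Pack sha256(pre_image) || 0x00*32 into the 64-byte report field."""
    if len(manifest_hash) != HASH_LEN:
        raise ValueError("manifest hash must be a 32-byte SHA-256 digest")
    return manifest_hash + bytes(FIELD_LEN - HASH_LEN)


def verify_report_data(field: bytes, manifest_hash: bytes) -> bool:
    """Check a HOST_DATA/reportdata field from a report against the expected
    manifest hash. The length and zero-padding checks fail closed: anything
    other than hash || zeros is treated as not produced by this scheme."""
    if len(field) != FIELD_LEN or len(manifest_hash) != HASH_LEN:
        return False
    if any(field[HASH_LEN:]):
        return False
    return hmac.compare_digest(field[:HASH_LEN], manifest_hash)
```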
Level 3 - OPAQUE
OPAQUEProvider
Bases: AttestationProvider
OPAQUE managed runtime attestation.
Delegates to the OPAQUE attestation service running in a managed TEE at OPAQUE_ATTESTATION_URL. The service:
1. Accepts the manifest pre-image
2. Measures it in silicon (AMD SEV-SNP or Intel TDX, depending on region)
3. Returns a TRACE claim with hardware-signed audit_chain_root
The signing key never leaves the TEE — this is the highest assurance level.
Environment variables
- OPAQUE_ATTESTATION_URL: Base URL of the OPAQUE attestation service
- OPAQUE_API_KEY: API key for the service (or use mTLS)
Raises:
| Type | Description |
|---|---|
| AttestationUnavailableError | If the service is not reachable. |
extend_manifest_hash
Send manifest pre-image to OPAQUE attestation service.
Auto-provider
select_provider
Return the best available attestation provider for level.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
| level | int | Minimum conformance level required (0-3). | 0 |
Raises:
| Type | Description |
|---|---|
| AttestationUnavailableError | If level > 0 and no hardware provider is available. |
SoftwareProvider
Bases: AttestationProvider
Level 0 software-only fallback — no hardware attestation.
Produces a manifest hash using pure software SHA-256. Suitable for development and staging. MUST NOT be used for Level 1+ conformance.