This repository contains smart contracts for onchain verification and management of Confidential VM (CVM) workloads hosted on cloud service providers. It consists of two main components:
- TEE Workload Measurement - Verifies the integrity and measurement of CVM workloads
- CVM Registry - Manages CVM identities and their attestation lifecycle
Confidential VMs (CVMs) use Trusted Execution Environment (TEE) hardware, such as Intel TDX and AMD SEV-SNP, to protect code and data in use from the hypervisor, the host OS and other VMs. Cloud service providers equip CVMs with virtual Trusted Platform Modules (vTPMs) that cryptographically measure the boot chain and the running workload and attest to those measurements.
This project currently supports CVMs with Intel TDX or AMD SEV-SNP on Azure and Google Cloud Platform (GCP), with full onchain verification implemented in Solidity for EVM networks.
Our goal is platform-agnostic coverage, and we are actively working to support additional TEE technologies, cloud providers, and Web3 ecosystems.
The Workload Verifier contract provides cryptographic verification of CVM workload integrity by combining TEE attestation with TPM-based boot measurements. It ensures that code running in a CVM has not been tampered with and is executing on genuine TEE hardware.
Key Features:
- Verifies TEE attestation reports from Intel TDX and AMD SEV-SNP
- Validates TPM quotes and PCR measurements
- Ensures binding between TEE and TPM components
- Generates canonical measurement hashes (Golden Measurements)
- Multiple verification methods: onchain Solidity, ZK proofs (RISC Zero, SP1)
Use Cases:
- Prove workload integrity before granting access to sensitive data
The CVM Registry provides identity and lifecycle management for CVM workloads. It maps a CVM's identity to its attestation configuration, system and workload measurement hash, and freshness metadata.
Key Features:
- CVM identity management based on the CVM's public key
- Attested CVM identity lifecycle tracking (registration, re-attestation, TTL management)
- Freshness enforcement via configurable TTL windows
- Identity rotation with attestation-based proof
- Replay protection using per-identity nonces
- Domain separation for secure message signing
Key Capabilities:
- Registration: Bootstrap CVM identity using attestation
- Re-attestation: Refresh TPM collateral while reusing TEE attestation, optionally update CVM identity
- TTL Management: Configure custom freshness windows for TEE and TPM
- Key Rotation: Securely rotate identity keys with attestation proof
Use Cases:
- Gate onchain actions based on verified CVM identity and liveness
- Track CVM workload states across their lifecycle
- Enable CVMs to sign authorized messages for downstream applications
- Implement access control based on CVM identity freshness
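The registry behaviour described above (separate TTL windows for TEE and TPM evidence, re-attestation that reuses the stored TEE attestation, key rotation, per-identity nonces and domain-separated signing), as an added reference model in Go. It is not the CVM Registry contract's code or interface: the record layout, the function names, the `CVMRegistry-v1` domain tag, the digest layout H(domain || nonce || payload) and P-256 ECDSA (standing in for whatever signature scheme the contract verifies) are all assumptions of the example, and attestation verification is assumed to have already succeeded before `register` or `reattest` is called.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// digest is SHA-256 over its arguments; be64 fixes counter width so digest field boundaries are unambiguous.
func digest(parts ...[]byte) []byte {
	h := sha256.New()
	for _, p := range parts {
		h.Write(p)
	}
	return h.Sum(nil)
}
func be64(v uint64) []byte { return binary.BigEndian.AppendUint64(nil, v) }

// keyID is the registry key for an identity: H(X || Y) of its public key.
func keyID(pub *ecdsa.PublicKey) string { return string(digest(pub.X.Bytes(), pub.Y.Bytes())) }

type cvmRecord struct {
	pub                          *ecdsa.PublicKey
	golden                       []byte // measurement hash from the workload verifier
	teeAttestedAt, tpmAttestedAt uint64 // unix seconds of the last accepted evidence
	teeTTL, tpmTTL, nonce        uint64 // freshness windows; nonce is the replay counter
}

// registry models the contract; domain binds every signature to this chain id + contract address.
type registry struct {
	domain []byte
	ids    map[string]*cvmRecord
}

func newRegistry(chainID uint64, contract [20]byte) *registry {
	dom := digest([]byte("CVMRegistry-v1"), be64(chainID), contract[:]) // assumed domain tag
	return &registry{domain: dom, ids: map[string]*cvmRecord{}}
}

// register bootstraps an identity from a full TEE+TPM attestation, assumed verified (yielding golden) before this call.
func (r *registry) register(pub *ecdsa.PublicKey, golden []byte, now, teeTTL, tpmTTL uint64) error {
	if _, exists := r.ids[keyID(pub)]; exists {
		return errors.New("identity already registered")
	}
	r.ids[keyID(pub)] = &cvmRecord{pub: pub, golden: golden, teeAttestedAt: now, tpmAttestedAt: now, teeTTL: teeTTL, tpmTTL: tpmTTL}
	return nil
}

// isFresh requires both the TEE and the TPM window to be unexpired.
func (r *registry) isFresh(pub *ecdsa.PublicKey, now uint64) bool {
	rec, ok := r.ids[keyID(pub)]
	return ok && now <= rec.teeAttestedAt+rec.teeTTL && now <= rec.tpmAttestedAt+rec.tpmTTL
}

// reattest refreshes the TPM window while reusing the stored TEE attestation, which must still be valid; a non-nil newPub rotates the key.
func (r *registry) reattest(pub, newPub *ecdsa.PublicKey, now uint64) error {
	rec, ok := r.ids[keyID(pub)]
	if !ok || now > rec.teeAttestedAt+rec.teeTTL {
		return errors.New("unknown identity or TEE attestation expired: full registration required")
	}
	rec.tpmAttestedAt = now
	if newPub != nil {
		delete(r.ids, keyID(pub))
		rec.pub = newPub
		r.ids[keyID(newPub)] = rec // nonce carries over, so old signatures stay dead
	}
	return nil
}

// verifyMessage is the consumer side: identity fresh, signature over the current nonce, then the nonce advances so a replay fails.
func (r *registry) verifyMessage(pub *ecdsa.PublicKey, payload, sig []byte, now uint64) error {
	rec, ok := r.ids[keyID(pub)]
	if !ok || !r.isFresh(pub, now) {
		return errors.New("identity unknown or stale")
	}
	if !ecdsa.VerifyASN1(rec.pub, digest(r.domain, be64(rec.nonce), payload), sig) {
		return errors.New("bad signature, nonce or domain")
	}
	rec.nonce++
	return nil
}

func main() {
	reg := newRegistry(11155111, [20]byte{0x01}) // Sepolia chain id; placeholder address
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	pub, msg := &priv.PublicKey, []byte("release-funds")
	_ = reg.register(pub, []byte("golden-hash"), 1000, 3600, 600)
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, digest(reg.domain, be64(0), msg)) // CVM signs H(domain || nonce || payload)
	fmt.Println("first use:", reg.verifyMessage(pub, msg, sig, 1010), "| replay:", reg.verifyMessage(pub, msg, sig, 1020))
}
```

The nonce advances only after a successful verification, so the same signature presented twice fails the second time, and a signature produced for one (chain id, contract) domain cannot be replayed against a registry on another chain. Freshness is the conjunction of both windows, so a CVM whose TPM window has lapsed can recover with a re-attestation as long as its TEE attestation is still valid, but once the TEE window has lapsed it must register again; rotation moves the record, including its nonce, under the new key so that nothing signed by the old key remains usable.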
We are continuously improving the CVM Registry to enhance security, usability, and functionality. The following features are under consideration:
Security Enhancements:
- Revocation Mechanism - Add explicit onchain CVM identity revocation before TTL expiry
- TTL Bounds - Enforce minimum and maximum TTL ranges to prevent configuration errors
- Registration Validation - Prevent silent parameter mismatches during re-registration attempts
Protocol Extensions:
- Multi-TEE Aggregation - Support workloads spanning multiple enclaves for distributed systems
- Attestation Versioning - Track historical measurement hashes for comprehensive audit trails
- Slashing / Economic Bonding - Enable penalties for stale or revoked identities in economic protocols
- Cached Proof Compression - Gas-optimized re-use of previously verified certificate chains
Developer Experience:
- Enhanced Events - Add a dedicated `CVMIdentityRotated` event to distinguish rotation from re-attestation
- Flexible Verifier Updates - Design a migration path for upgrading immutable verifier contracts
For detailed technical analysis and resolved issues, see here.
To get started with integrating these contracts into your project:
- Developer Guide - Comprehensive technical documentation covering architecture, workflows, and API references
- Integration Guide - Step-by-step instructions for integrating the Workload Verifier and CVM Registry contracts into your Solidity project
| Network | Contract Address |
|---|---|
| Automata Testnet | 0xDb99cc64cb856EB388DAca7B89aee9e844f63aFd |
| Sepolia Testnet | 0xa6DF41BCe5cA0352042E5a53f33c9C9226AD2119 |
| Network | Contract Address |
|---|---|
| Automata Testnet | 0x262eAcF7DC665a6dc416AdDB45a4dB5F1e79aF38 |
| Sepolia Testnet | 0xE626f5503B455F775AA9845843B46033a26A635d |
- DCAP Attestation - On-chain verification of Intel SGX/TDX DCAP attestations
- TDX Attestation SDK - TDX Development SDK to generate Intel TDX quotes from cloud providers.
- AMD SEV-SNP Attestation SDK - On-chain verification of AMD SEV-SNP attestations
- AWS Nitro Enclave Attestation - On-chain verification of AWS Nitro Enclave attestations
- TPM Attestation - On-chain verification of TPM Quote and TPM certificates management
- CVM Base Image - Tools for deploying Confidential VMs with workloads on GCP, AWS, and Azure
Contributions are welcome! Please ensure all tests pass and follow the existing code style.
For questions and support, please open an issue.