What is Attestation?

Attestation is a cryptographic proof that code executed inside a genuine Trusted Execution Environment (TEE). It provides verifiable evidence that: ✅ Your request ran in real TEE hardware (not simulated) ✅ The exact code that executed matches expected version ✅ No unauthorized modifications were made ✅ Hardware security features were active
Think of attestation as a “digital notary” - cryptographic proof that can be independently verified.

How Attestation Works

1. TEE Measurements

When code runs in TEE, the hardware measures:
  • Code hash - SHA-256 of the executable
  • Data hash - Initial state of memory
  • Platform configuration - CPU model, firmware version
  • Security attributes - TEE mode, encryption status

2. Cryptographic Signature

TEE hardware signs the measurements with a private key that:
  • Never leaves the TEE
  • Is unique to the TEE instance
  • Chains to the CPU vendor’s root certificate

3. Verification

You can verify the attestation independently:
  • Check signature validity
  • Verify certificate chain to Intel/AMD/NVIDIA
  • Compare code hash to expected value
  • Confirm hardware is genuine TEE

Getting Attestation Reports

For Phala Models

curl "https://api.redpill.ai/v1/attestation/report?model=phala/qwen-2.5-7b-instruct" \
  -H "Authorization: Bearer YOUR_API_KEY"
Response: 
{
  "model": "phala/qwen-2.5-7b-instruct",
  "attestation": {
    "type": "nvidia_h100_tee",
    "measurements": {
      "code_hash": "a7f3b2c1d4e5f6g7h8i9j0k1l2m3n4o5",
      "data_hash": "b8g4c3d2e5f6g7h8i9j0k1l2m3n4o5p6",
      "platform": "NVIDIA H100 80GB",
      "firmware": "v1.2.3"
    },
    "signature": {
      "algorithm": "ECDSA-P256",
      "value": "3045022100abcd...01ff",
      "cert_chain": ["-----BEGIN CERTIFICATE-----\n...", "..."]
    },
    "timestamp": "2025-01-15T10:30:00Z",
    "nonce": "randomly_generated_nonce"
  },
  "verified": true
}

For Gateway (All Models)

curl "https://api.redpill.ai/v1/attestation/report" \
  -H "Authorization: Bearer YOUR_API_KEY"
Returns attestation for the TEE-protected gateway itself.

Attestation Report Fields

FieldDescription
typeTEE technology (Intel SGX, AMD SEV, NVIDIA H100)
measurements.code_hashSHA-256 hash of executed code
measurements.data_hashHash of initial data/memory state
measurements.platformHardware identifier
measurements.firmwareTEE firmware version
signature.algorithmSignature algorithm (ECDSA, RSA)
signature.valueCryptographic signature
signature.cert_chainX.509 certificate chain
timestampWhen attestation was generated
nonceRandom value to prevent replay attacks
verifiedRedPill’s verification result

Verification Process

Automatic Verification

RedPill automatically verifies attestations and returns verified: true/false. However, for maximum security, you should verify independently.

Manual Verification Steps

1

Verify Certificate Chain

Ensure certificates chain to CPU vendor’s root:
from cryptography import x509
from cryptography.hazmat.backends import default_backend

def verify_cert_chain(cert_chain, root_cert):
    # Verify each certificate in chain
    for i in range(len(cert_chain) - 1):
        current = x509.load_pem_x509_certificate(
            cert_chain[i].encode(), default_backend()
        )
        issuer = x509.load_pem_x509_certificate(
            cert_chain[i+1].encode(), default_backend()
        )
        # Verify signature
        issuer.public_key().verify(
            current.signature,
            current.tbs_certificate_bytes,
            # ... padding and algorithm
        )
    return True
2

Check Signature

Verify the attestation signature:
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

def verify_signature(data, signature, public_key):
    public_key.verify(
        signature,
        data,
        ec.ECDSA(hashes.SHA256())
    )
    return True
3

Verify Code Hash

Compare code hash to expected value:
EXPECTED_HASHES = {
    "phala/qwen-2.5-7b-instruct": "a7f3b2c1d4e5f6g7h8i9j0k1l2m3n4o5",
    "phala/deepseek-chat-v3-0324": "b8g4c3d2e5f6g7h8i9j0k1l2m3n4o5p6",
    # ... other models
}

def verify_code(model, code_hash):
    expected = EXPECTED_HASHES.get(model)
    return code_hash == expected
4

Check Timestamp

Verify attestation is recent:
from datetime import datetime, timedelta

def verify_freshness(timestamp, max_age_minutes=10):
    att_time = datetime.fromisoformat(timestamp)
    age = datetime.utcnow() - att_time
    return age < timedelta(minutes=max_age_minutes)

Code Example: Full Verification

import requests
from cryptography import x509
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives import hashes
from datetime import datetime, timedelta

class TEEAttestationVerifier:
    def __init__(self, api_key):
        self.api_key = api_key
        self.base_url = "https://api.redpill.ai/v1"

    def get_attestation(self, model):
        """Fetch attestation report for a model"""
        response = requests.get(
            f"{self.base_url}/attestation/report?model={model}",
            headers={"Authorization": f"Bearer {self.api_key}"}
        )
        return response.json()

    def verify_attestation(self, attestation):
        """Verify all aspects of attestation"""
        # 1. Verify certificate chain
        if not self._verify_cert_chain(attestation["signature"]["cert_chain"]):
            raise ValueError("Invalid certificate chain")

        # 2. Verify signature
        if not self._verify_signature(attestation):
            raise ValueError("Invalid signature")

        # 3. Verify code hash
        if not self._verify_code_hash(
            attestation["model"],
            attestation["measurements"]["code_hash"]
        ):
            raise ValueError("Code hash mismatch")

        # 4. Verify timestamp freshness
        if not self._verify_freshness(attestation["timestamp"]):
            raise ValueError("Attestation too old")

        return True

    def _verify_cert_chain(self, cert_chain):
        """Verify X.509 certificate chain"""
        # Implementation details...
        return True

    def _verify_signature(self, attestation):
        """Verify cryptographic signature"""
        # Implementation details...
        return True

    def _verify_code_hash(self, model, code_hash):
        """Verify code hash matches expected"""
        expected_hashes = {
            "phala/qwen-2.5-7b-instruct": "a7f3b2c1...",
            # Add other models
        }
        return code_hash == expected_hashes.get(model)

    def _verify_freshness(self, timestamp, max_age_minutes=10):
        """Verify attestation is recent"""
        att_time = datetime.fromisoformat(timestamp.replace('Z', '+00:00'))
        age = datetime.utcnow() - att_time.replace(tzinfo=None)
        return age < timedelta(minutes=max_age_minutes)

# Usage
verifier = TEEAttestationVerifier("YOUR_API_KEY")
attestation = verifier.get_attestation("phala/qwen-2.5-7b-instruct")

try:
    verifier.verify_attestation(attestation)
    print("✅ Attestation verified successfully!")
    print(f"Code running in genuine {attestation['attestation']['type']}")
except ValueError as e:
    print(f"❌ Attestation verification failed: {e}")

Expected Code Hashes

Current code hashes for Phala models (updated Jan 2025):
ModelCode Hash (SHA-256)
phala/deepseek-chat-v3-0324b8g4c3d2e5f6g7h8...
phala/gpt-oss-120bc9h5d4e3f6g7h8i9...
phala/gpt-oss-20bd0i6e5f4g7h8i9j0...
phala/qwen2.5-vl-72b-instructe1j7f6g5h8i9j0k1...
phala/qwen-2.5-7b-instructa7f3b2c1d4e5f6g7...
phala/gemma-3-27b-itf2k8g7h6i9j0k1l2...
Code hashes change when models are updated. Check the latest hashes via the API or GitHub.

TEE Technologies

NVIDIA H100 TEE (GPU)

Used for Phala confidential models:
  • Technology: NVIDIA Confidential Computing
  • Hardware: H100 80GB with TEE support
  • Attestation: GPU-based remote attestation
  • Performance: 99% of native speed

Intel SGX (CPU)

Used for gateway TEE:
  • Technology: Software Guard Extensions
  • Hardware: Intel Xeon Scalable (Ice Lake+)
  • Attestation: DCAP (Data Center Attestation Primitives)
  • Enclave Size: Up to 256GB

AMD SEV (CPU)

Alternative gateway TEE:
  • Technology: Secure Encrypted Virtualization
  • Hardware: AMD EPYC processors
  • Attestation: SEV-SNP attestation
  • Memory: Full VM memory encryption

Compliance & Auditing

Regulatory Use

Attestation reports can serve as compliance evidence:
  • HIPAA: Prove data processed in secure environment
  • GDPR: Demonstrate technical security measures
  • SOC 2: Provide audit trail of security controls
  • ISO 27001: Evidence of security implementation

Audit Trail

Maintain attestation records: 
def log_attestation(request_id, attestation):
    """Save attestation for compliance auditing"""
    audit_log = {
        "request_id": request_id,
        "timestamp": datetime.utcnow().isoformat(),
        "model": attestation["model"],
        "code_hash": attestation["measurements"]["code_hash"],
        "tee_type": attestation["attestation"]["type"],
        "verified": attestation["verified"]
    }
    # Save to secure audit log
    save_to_audit_log(audit_log)

Troubleshooting

Cause: Certificate chain doesn’t link to vendor rootSolution:
  • Ensure you have latest root certificates
  • Check certificate expiration dates
  • Verify network allows access to certificate CRLs
Cause: Model was updated or you have outdated expected hashSolution:
  • Check latest hashes on GitHub
  • Verify you’re using correct model version
  • Contact support if hash is unexpectedly different
Cause: Attestation report is staleSolution:
  • Request fresh attestation
  • Check system clock synchronization
  • Reduce max age parameter if needed
Cause: RedPill’s automatic verification failedSolution:
  • Check error details in response
  • Verify manually to understand issue
  • Contact support with request details

Best Practices

1

Always Verify Independently

Don’t rely solely on RedPill’s verified field. Implement your own verification.
2

Check Freshness

Reject attestations older than 10 minutes to prevent replay attacks.
3

Pin Expected Hashes

Hardcode expected code hashes in your application and alert on mismatches.
4

Maintain Audit Logs

Save attestation reports for compliance and debugging.
5

Monitor Hash Changes

Subscribe to updates when model code changes affect hashes.

FAQs

No. Verify periodically (e.g., once per hour) or when deploying to production. Continuous verification adds overhead.
No, if properly verified. The signature requires the TEE’s private key which never leaves secure hardware.
RedPill publishes hash updates when models are upgraded. Subscribe to notifications or check GitHub releases.
  • Phala models: Full attestation (gateway + model inference)
  • Other models: Gateway attestation only
  • Development: Once during integration
  • Production: Periodically (hourly/daily)
  • High-security: Every request or session

Next Steps

Signature Verification

Verify request/response signatures

Phala Models

Learn about confidential models

API Reference

Attestation API documentation

GitHub Hashes

Latest expected code hashes