Automata TDX Attestation SDK

Overview

Automata TDX Attestation SDK is the most-feature complete SDK for Intel TDX development, it consists of two parts:

• TDX package: it helps developers to generate the Intel TDX Quote in different cloud service providers (CSP).
• Risc0 and Succinct ZK host and guest programs.

Environment Preparation

Refer to TDX package to setup the Intel TDX CVM in different cloud service providers (CSP).

Intel TDX Quote Generation

Use TDX package to generate the Intel TDX Quote, you can find an example in tdx_attestation.

Intel TDX Quote Verification

Verify Attestation on-chain

In Automata DCAP Attestation, We provide two ways to verify the Intel TDX quote on-chain:

function verifyAndAttestOnChain(bytes calldata rawQuote)

It accepts the raw quote hex string to perform the on-chain verification, all collaterals will be fetched from the Automata on-chain PCCS.

function verifyAndAttestWithZKProof(bytes calldata output, ZkCoProcessorType zkCoprocessor, bytes calldata proofBytes)

The first parameter represents the output of the zkVM, the second one is the zkVM type, and the third one is its corresponding proof. It supports two kinds of ZK technologies to perform the on-chain verification:

• Risc0

  • output: the journal of the Risc0 zkVM output
  • zkCoprocessor: 1
  • proofBytes: the seal of the Risc0 zkVM output

• SP1

  • output: the execution result of the SP1 Prover output
  • zkCoprocessor: 2
  • proofBytes: the proof of the SP1 Prover output

The on-chain verification contract has been deployed to Automata Testnet at 0x6D67Ae70d99A4CcE500De44628BCB4DaCfc1A145.

The ImageID currently used for the DCAP RiscZero Guest Program is 83613a8beec226d1f29714530f1df791fa16c2c4dfcf22c50ab7edac59ca637f.

The VKEY currently used for the DCAP SP1 Program is 0043e4e0c286cf4a2c03472ca2384f35a008558bc5de4e0f39d1d1bc989badca.

An useful DCAP zkVM clis can be found at Automata DCAP zkVM CLI.

Verify Attestation off-chain

Please follow Intel official DCAP repo SGXDataCenterAttestationPrimitives to perform the off-chain verification.

ZK Optimization

Risc0

To get started, you need to have the following installed:

• Rust
• Foundry
• RISC Zero

Configuring Bonsai

Note: To request an API key complete the form here.

With the Bonsai proving service, you can produce a [Groth16 SNARK proof] that is verifiable on-chain. You can get started by setting the following environment variables with your API key and associated URL.

export BONSAI_API_KEY="YOUR_API_KEY" # see form linked above
export BONSAI_API_URL="BONSAI_URL" # provided with your api key

Succinct

To get started, you need to have the following installed:

• Rust
• SP1
• Docker

Note: To request an whitelisted address, complete the form here.

With the SP1 Proving Network, you can produce a [Groth16 SNARK proof] or [Plonk SNARK proof] that is verifiable on-chain. You can get started by setting the following environment variables with your whitelisted address and associated Proving Network.

export SP1_PROVER=network
export SP1_PRIVATE_KEY=""

Acknowledgements

We would like to acknowledge the projects below whose previous work has been instrumental in making this project a reality.

• Risc0: The Risc0 ZK Optimization to reduce the gas cost to verify the Intel TDX Quote on-chain.
• SP1: The Succinct ZK Optimization to reduce the gas cost to verify the Intel TDX Quote on-chain. It supports Groth16 and Plonk proofs.

Disclaimer

This project is under development. All source code and features are not production ready.