Enclave verifiability is a critical security feature that allows users to confirm that code is running in a genuine, unmodified secure enclave environment.
Tinfoil’s integrity features ensure that all code and data remain unchanged and verifiable through cryptographic remote attestation performed by the Trusted Execution Environment (TEE). When connecting to a Tinfoil enclave, the Tinfoil client automatically verifies the
enclave’s attestation and compares the runtime code measurement (a hash of the code running inside the enclave, carried in the hardware-signed attestation report) with the measurement of the code Tinfoil has committed to on GitHub and Sigstore.
Attestation verification is performed automatically by the Tinfoil client
library. This happens transparently without requiring explicit developer
action, but can be customized for advanced use cases.
The attestation process establishes a chain of trust from the hardware up to the application.
Each step builds on the guarantees of the previous one, so that the final result connects the physical hardware to the publicly auditable code it is running.
Hardware Authentication
The process begins by verifying the authenticity of the physical hardware components. This step ensures the enclave is running on genuine confidential computing chips with proper security features enabled, not on simulated or otherwise compromised hardware.
Verify genuine Intel or AMD confidential computing hardware
Validate hardware security mechanisms
Confirm hardware security features are enabled
Configuration Verification
Once hardware authenticity is confirmed, the system validates that all security-critical settings are properly configured. This ensures the secure enclave environment is set up with the correct parameters and isolation boundaries.
Check security settings
Validate memory encryption
Verify isolation parameters
Code Measurement
The system computes cryptographic measurements (hashes) of all code and configuration loaded into the enclave. Because any change to the code changes its measurement, comparing the measurement with the published value ensures that only authorized, unmodified code is accepted.
Generate unique code identifiers
Verify against known good values
Prevent unauthorized modifications
Runtime Verification
The system provides mechanisms to verify the integrity of the running environment. This verification ensures that the security properties remain intact and allows clients to verify the enclave’s state on demand.
The attestation flow illustrates the key steps in verifying an enclave’s authenticity and integrity.
When a client needs to verify the trustworthiness of an enclave, it initiates a multi-step process involving hardware-level verification and code measurements.
The enclave requests a cryptographically signed report from the underlying hardware. The report is signed by a key that chains back to Intel’s or AMD’s attestation root, which proves that the environment is genuine.
This evidence is then shared with the client, which verifies the hardware signature against the vendor’s root and compares the code measurement in the report with the measurement recorded in Sigstore’s transparency log, confirming that the enclave is running the expected, unmodified code.
The Sigstore verification step provides an auditable proof that the binary running in the enclave matches the source code published by Tinfoil, establishing a verifiable link from source to execution environment.
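The chain of trust above (hardware authentication, configuration verification, code measurement, runtime verification) and the attestation flow just described, as an added example in Go that is not Tinfoil’s client code: the hardware, the report format and the vendor root are constructed stand-ins (a generated Ed25519 key in place of the AMD/Intel attestation certificate chain, a four-field JSON report in place of an SEV-SNP or TDX report, and a local set of published measurements in place of the Sigstore log lookup). It shows the order the checks must run in, and why the client supplies a fresh nonce: without one, a captured report from a previously good enclave could be replayed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Report stands in for a hardware attestation report (real ones have many more fields).
type Report struct {
	Vendor      string `json:"vendor"`      // selects which root must have signed it
	DebugEnable bool   `json:"debug"`       // a security-critical configuration bit
	Measurement string `json:"measurement"` // hex SHA-256 of the launched code
	Nonce       string `json:"nonce"`       // hex copy of the client-chosen nonce
}

type SignedReport struct { // the evidence the enclave hands to the client
	Body      []byte // JSON-encoded Report
	Signature []byte // vendor signature over Body
}

type Roots map[string]ed25519.PublicKey // vendor name -> signing key (really a cert chain)

var (
	ErrUnknownVendor  = errors.New("hardware authentication: no trusted root for vendor")
	ErrBadSignature   = errors.New("hardware authentication: report signature invalid")
	ErrStaleNonce     = errors.New("runtime verification: nonce mismatch, report may be replayed")
	ErrDebugEnabled   = errors.New("configuration verification: debug mode enabled")
	ErrUnknownMeasure = errors.New("code measurement: not among published releases")
)

// GenerateVendorKey creates the constructed vendor root used in this example.
func GenerateVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // example-only key; real roots are published by the vendor
	}
	return pub, priv
}

// Measure is the code measurement; the build pipeline and the hardware must agree on it.
func Measure(code []byte) string {
	sum := sha256.Sum256(code)
	return hex.EncodeToString(sum[:])
}

// Attest simulates the hardware: measure the code, sign a report with the vendor key.
func Attest(vendor string, key ed25519.PrivateKey, code, nonce []byte, debug bool) (SignedReport, error) {
	body, err := json.Marshal(Report{Vendor: vendor, DebugEnable: debug,
		Measurement: Measure(code), Nonce: hex.EncodeToString(nonce)})
	if err != nil {
		return SignedReport{}, err
	}
	return SignedReport{Body: body, Signature: ed25519.Sign(key, body)}, nil
}

// Verify is the client side, in chain-of-trust order: nothing in the report is
// trusted before its signature has been checked against a known vendor root.
func Verify(roots Roots, sr SignedReport, nonce []byte, published map[string]bool) (*Report, error) {
	var r Report
	if err := json.Unmarshal(sr.Body, &r); err != nil {
		return nil, fmt.Errorf("malformed report: %w", err)
	}
	root, ok := roots[r.Vendor]
	if !ok {
		return nil, ErrUnknownVendor
	}
	if !ed25519.Verify(root, sr.Body, sr.Signature) {
		return nil, ErrBadSignature
	}
	if r.Nonce != hex.EncodeToString(nonce) {
		return nil, ErrStaleNonce
	}
	if r.DebugEnable {
		return nil, ErrDebugEnabled
	}
	if !published[r.Measurement] {
		return nil, ErrUnknownMeasure
	}
	return &r, nil
}

func main() {
	pub, priv := GenerateVendorKey()
	roots := Roots{"amd-sev-snp": pub}
	release := []byte("enclave-image-v1.2.3")            // constructed release binary
	published := map[string]bool{Measure(release): true} // stand-in for the log lookup
	nonce := make([]byte, 16)
	rand.Read(nonce)
	sr, _ := Attest("amd-sev-snp", priv, release, nonce, false)
	_, err := Verify(roots, sr, nonce, published)
	fmt.Println("genuine enclave, err =", err)
	rand.Read(nonce) // client starts a new session: the old report must not pass
	_, err = Verify(roots, sr, nonce, published)
	fmt.Println("replayed report, err =", err)
}
```

In the real flow the `published` set is the measurement recorded in the Sigstore transparency log entry for the release, and the vendor root is a certificate chain that must itself be validated before `ed25519.Verify` has any meaning; the order of the checks, and the nonce binding, are what carry over.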