High-level Attestation Architecture

​

Overview

Figure 1: Simple view of orchestrator and inference attestation.

​

What attestation proves

• Genuine enclave: The connection is established between the client device and secure hardware created by the manufacturer (e.g., NVIDIA).
• Auditability of code: The orchestration server and inference server are running inside secure hardware enclaves and all code that is open-source and published to a public transparency log for auditing purposes.
• Pinned model weights: The model weights are immutable and pinned to the transparency log, preventing model swapping or manipulation.

​

How it works (connection-time)

1. Fetches the orchestrator enclave attestation document (which contains signed runtime measurements) and verifies it.
2. Downloads the Sigstore bundle associated with the code release and verifies it to Sigstore’s root.
3. Compares the measured code in the enclave to the published measurements in the bundle.
4. Creates a TLS connection to the orchestrator enclave and checks that the TLS public key matches the key fingerprint included in the attestation document (preventing impersonation via a man-in-the-middle attack).

​

When it’s checked

• Connection-time (default): Verification happens automatically when your app connects.
• Audit-time (optional): You can retrieve and validate the same artifacts offline for audits. See the Verification Comparison.

​

Learn more

• Deep dive: Attestation Architecture
• Attestation formats (registers, schemas)