This page explains attestation in Tinfoil at a glance. It focuses on the two code paths you interact with: the Proxy server that routes your request, and the Inference server that runs the model. Both run inside secure enclaves and both present verifiable evidence of what code is running before any data is exchanged.
Figure 1: Simple view of proxy and inference attestation.
Genuine enclave: The connection terminates inside a hardware enclave on a chip produced by the manufacturer (e.g., NVIDIA), and the attestation proves the enclave is genuine hardware rather than a software imitation.
Auditability of code: The proxy server and inference server run inside secure hardware enclaves, and all of their code is open-source and published to a public transparency log for auditing.
Pinned model weights: The model weights are immutable and pinned to the transparency log, preventing model swapping or manipulation.
Before sending any application data, the Verifier SDK running client-side verifies the attestation as follows:
Fetches the proxy enclave's attestation document (which contains signed runtime measurements) and verifies its signature.
Downloads the Sigstore bundle associated with the code release and verifies it up to Sigstore's root.
Compares the code measurements in the attestation document against the published measurements in the bundle.
Creates a TLS connection to the Proxy enclave and checks that the TLS public key matches the key fingerprint included in the attestation document, so that a man-in-the-middle presenting its own certificate cannot impersonate the enclave.
The Proxy enclave in turn checks the attestation of the Inference enclave, creating a chain of attestations. Because the proxy's own verification logic is part of its measured, published code, the client-side verifier only needs to check the Proxy enclave's attestation; that is sufficient to ensure the downstream attestation has been validated as well.
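The four client-side checks above, as an added example that is not part of the Tinfoil page or its Verifier SDK. It models the attestation document, the release bundle and the TLS key binding with stand-ins: ed25519 keys play the roles of the hardware attestation root and the Sigstore-rooted release signer, a SHA-256 of a constructed image string plays the code measurement, and only the client-to-proxy step is modeled (the proxy-to-inference link in the chain is not). All type names, the Scenario helper and the sample image are assumptions made for this illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// AttestationDoc stands in for the enclave attestation document: the runtime
// measurement of the code inside, the fingerprint of the TLS key the enclave
// will present, and a signature by the hardware-rooted attestation key.
// Real documents carry much more; ed25519 is a stand-in for the vendor root.
type AttestationDoc struct {
	Measurement []byte
	TLSKeyFP    []byte
	Sig         []byte
}

func (d AttestationDoc) signedBytes() []byte {
	return append(append([]byte("attestation:"), d.Measurement...), d.TLSKeyFP...)
}

// ReleaseBundle stands in for the Sigstore bundle of a code release: the
// published measurement, signed by a release key that chains to Sigstore's root.
type ReleaseBundle struct {
	Measurement []byte
	Sig         []byte
}

func (b ReleaseBundle) signedBytes() []byte {
	return append([]byte("release:"), b.Measurement...)
}

var (
	ErrAttestationSig      = errors.New("attestation document signature invalid")
	ErrBundleSig           = errors.New("release bundle signature invalid")
	ErrMeasurementMismatch = errors.New("enclave measurement does not match the published release")
	ErrTLSKeyMismatch      = errors.New("TLS public key does not match the attested fingerprint")
)

// Verify runs the four client-side checks in order; any failure aborts before
// application data would be sent.
func Verify(hwRoot, releaseRoot ed25519.PublicKey, doc AttestationDoc, bundle ReleaseBundle, tlsPub []byte) error {
	// 1. The attestation document must be signed by the hardware root.
	if !ed25519.Verify(hwRoot, doc.signedBytes(), doc.Sig) {
		return ErrAttestationSig
	}
	// 2. The release bundle must verify up to the (Sigstore) root.
	if !ed25519.Verify(releaseRoot, bundle.signedBytes(), bundle.Sig) {
		return ErrBundleSig
	}
	// 3. The measured code must equal the published measurement.
	if !bytes.Equal(doc.Measurement, bundle.Measurement) {
		return ErrMeasurementMismatch
	}
	// 4. The TLS key seen on the connection must match the attested fingerprint,
	//    so a man-in-the-middle terminating TLS with its own key is rejected.
	fp := sha256.Sum256(tlsPub)
	if !bytes.Equal(fp[:], doc.TLSKeyFP) {
		return ErrTLSKeyMismatch
	}
	return nil
}

// Scenario holds the constructed parties used to exercise Verify. HWPriv is
// exposed only so the demo can mint a second document; on real hardware the
// attestation key never leaves the chip.
type Scenario struct {
	HWRoot, ReleaseRoot ed25519.PublicKey
	HWPriv              ed25519.PrivateKey
	Doc                 AttestationDoc
	Bundle              ReleaseBundle
	TLSPub              []byte
}

// NewScenario builds an honest enclave: one constructed code image that is both
// measured at runtime and published in the bundle, plus the enclave's TLS key.
func NewScenario() Scenario {
	hwPub, hwPriv, _ := ed25519.GenerateKey(rand.Reader)
	relPub, relPriv, _ := ed25519.GenerateKey(rand.Reader)
	tlsPub, _, _ := ed25519.GenerateKey(rand.Reader)
	image := sha256.Sum256([]byte("constructed proxy enclave image v1"))
	fp := sha256.Sum256(tlsPub)
	doc := AttestationDoc{Measurement: image[:], TLSKeyFP: fp[:]}
	doc.Sig = ed25519.Sign(hwPriv, doc.signedBytes())
	bundle := ReleaseBundle{Measurement: image[:]}
	bundle.Sig = ed25519.Sign(relPriv, bundle.signedBytes())
	return Scenario{HWRoot: hwPub, ReleaseRoot: relPub, HWPriv: hwPriv, Doc: doc, Bundle: bundle, TLSPub: tlsPub}
}

// AttestUnpublishedCode returns a document the hardware genuinely signed for a
// different, unpublished image: the signature is valid, but step 3 must reject it.
func AttestUnpublishedCode(s Scenario) AttestationDoc {
	other := sha256.Sum256([]byte("constructed proxy enclave image with a backdoor"))
	doc := AttestationDoc{Measurement: other[:], TLSKeyFP: s.Doc.TLSKeyFP}
	doc.Sig = ed25519.Sign(s.HWPriv, doc.signedBytes())
	return doc
}

func main() {
	s := NewScenario()
	fmt.Println("honest enclave:  ", Verify(s.HWRoot, s.ReleaseRoot, s.Doc, s.Bundle, s.TLSPub))
	mitm, _, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("MITM TLS key:    ", Verify(s.HWRoot, s.ReleaseRoot, s.Doc, s.Bundle, mitm))
	fmt.Println("unpublished code:", Verify(s.HWRoot, s.ReleaseRoot, AttestUnpublishedCode(s), s.Bundle, s.TLSPub))
}
```

The order of the checks matters: the measurement comparison in step 3 is only meaningful once both inputs have been authenticated (steps 1 and 2), and the TLS binding in step 4 is what ties the authenticated document to the socket the client actually opened; a verifier that skips step 4 would accept a valid attestation relayed by an attacker's own TLS endpoint.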