Skip to main content

Crate atlas_rs

Crate atlas_rs 

Source
Expand description

aTLS Verifier Library

This library provides verifier implementations for Attested TLS (aTLS).

§Overview

The library provides two ways to verify TEE attestation:

  1. High-level API: Use atls_connect to establish a TLS connection with attestation verification in a single call.

  2. Low-level API: Use the AtlsVerifier trait directly for custom TLS handling.

§Features

  • TDX Attestation: Full TDX quote verification using Intel DCAP
  • Bootchain Verification: Verify MRTD and RTMR0-2 measurements
  • Event Log Replay: Verify RTMR3 by replaying event logs
  • App Compose Verification: Verify application configuration hash
  • OS Image Verification: Verify the OS image hash
  • Certificate Binding: Verify TLS certificate is bound to the TEE

For architecture details and how to extend with new TEE verifiers, see ARCHITECTURE.md.

§High-Level Example

use atlas_rs::{atls_connect, Policy, DstackTdxPolicy};

// Connect with development policy (relaxed TCB status)
let tcp = tokio::net::TcpStream::connect("tee.example.com:443").await?;
let policy = Policy::DstackTdx(DstackTdxPolicy::dev());
let (tls_stream, report) = atls_connect(tcp, "tee.example.com", policy, None).await?;

// Access report data via pattern matching
match &report {
    atlas_rs::Report::Tdx(tdx_report) => {
        println!("TCB Status: {}", tdx_report.status);
    }
}

§Low-Level Example

use atlas_rs::{DstackTDXVerifier, AtlsVerifier};
use atlas_rs::tdx::ExpectedBootchain;
use serde_json::json;

let verifier = DstackTDXVerifier::builder()
    .app_compose(json!({
        "runner": "docker-compose",
        "docker_compose_file": "..."
    }))
    .expected_bootchain(ExpectedBootchain {
        mrtd: "abc123...".to_string(),
        rtmr0: "def456...".to_string(),
        rtmr1: "ghi789...".to_string(),
        rtmr2: "jkl012...".to_string(),
    })
    .os_image_hash("86b181...")
    .build()
    .unwrap();

// Use the verifier with a TLS stream (async)
let report = verifier.verify(&mut tls_stream, &peer_cert, &session_ekm, "hostname").await?;
match &report {
    atlas_rs::Report::Tdx(tdx_report) => {
        println!("TCB Status: {}", tdx_report.status);
    }
}

Re-exports§

pub use connect::atls_connect;
pub use policy::Policy;
pub use dstack::DstackTDXVerifier;
pub use dstack::DstackTDXVerifierBuilder;
pub use dstack::DstackTDXVerifierConfig;
pub use dstack::DstackTdxPolicy;
pub use tdx::ExpectedBootchain;
pub use tdx::TCB_STATUS_LIST;
pub use error::AtlsVerificationError;
pub use verifier::AsyncByteStream;
pub use verifier::IntoVerifier;
pub use verifier::AtlsVerifier;
pub use verifier::Report;
pub use verifier::Verifier;

Modules§

connect
High-level aTLS connection API.
dstack
Dstack-specific TDX verifier implementation.
error
Error types for aTLS verification.
logging
Logging initialization for atlas-rs.
policy
Attestation policy types.
tdx
Generic TDX types and utilities.
verifier
aTLS verifier trait definition.

Structs§

TlsStream
A wrapper around an underlying raw stream which implements the TLS or SSL protocol.
VerifiedReport

Traits§

AsyncRead
Reads bytes from a source.
AsyncReadExt
Reads bytes from a source.
AsyncWrite
Writes bytes asynchronously.
AsyncWriteExt
Writes bytes to a sink.