Crate bitrouter_attestation

bitrouter-attestation

Provider-agnostic, client-side confidential-inference verification. The central abstraction is ConfidentialVerifier: given a model and a nonce it proves (L1) the serving endpoint is genuine TEE hardware running the legitimate, policy-pinned model, and given an exact request/response it proves (L1.5) that exchange ran in that TEE unmodified.

The design mirrors private-ai-gateway’s UpstreamVerifier / UpstreamVerifiedEvent normalization, but runs in the caller’s own trusted process (bitrouter-cli’s local daemon) instead of inside an attested re-signing gateway — so it needs no TEE of its own. See the refactor spec (bitrouter-cloud/docs/bitrouter-attestation-plugin.md).

This crate is intentionally pure: no SDK, axum, or server dependency, so it ships in the daemon, the bitrouter verify CLI, the cloud /v1/aci/verify endpoint, and third-party clients alike.

Structs

AciDcapVerifierPolicy
The pinned acceptance policy. Constructed once at boot from operator config; every field is normalized so config and report compare equal regardless of hex casing or EC encoding framing.
AttestationCache
A model → (verdict, expiry) cache. Cloneable handle over shared state.
AttestationChecks
The per-check breakdown of an attestation, mirroring private-ai-gateway’s AciDcapVerifier check set (src/aci/verifier/dcap.rs). Every field is surfaced so a caller can see why a verdict is (un)verified, gateway-style.
AttestationInfo
The dstack info block. Source of the policy-pinning fields (spec §1.5 Decision 8). These map to the ported DCAP policy’s pins (see crate::near::dcap::model_identity).
AttestationReport
Top-level report body: { gateway_attestation, model_attestations }.
AttestationVerdict
L1 verdict: the model endpoint is genuine TEE hardware running the legitimate (policy-pinned) model. Yields the attested signing identity set that L1.5 binds a chat signature to.
ChatSignature
NEAR’s per-chat signature response (GET {base}/v1/signature/{chat_id}).
DcapQuoteVerifier
Production QuoteVerifier: full DCAP verification against a PCCS.
DstackEvent
One dstack measured-boot event. Each event with imr == 3 extends RTMR3 by RTMR3 = sha384(RTMR3 ‖ digest); event names it ("app-id", "compose-hash", …) and event_payload is the measured value.
ExchangeInput
The exact bytes of one request/response exchange to verify (L1.5).
MockTransport
In-memory transport that replays a canned report — the verifier’s offline test seam. Public so the plugin/daemon can reuse it in their own tests.
ModelAttestation
One serving node’s attestation of a model.
ModelIdentity
The identity fields a ModelAttestation presents to the policy, extracted from its info block (Decision 8).
NearVerifier
The NEAR ConfidentialVerifier. Composes the report fetch, GPU NRAS check, DCAP quote verification, report_data/compose bindings, and the load-bearing policy pin into a single AttestationVerdict, fail-closed at every step (spec §1.5 cond. 3) and TTL-cached.
NrasVerdict
Outcome of checking an NRAS EAT. Every field must hold for Self::passed.
NvidiaEatKey
Resolves the NVIDIA NRAS EAT verification key. Wraps jsonwebtoken so callers (the daemon, the CLI, third parties) don’t take a direct jsonwebtoken dependency. NVIDIA rotates its signing keys, so the right one is selected per request by the EAT’s kid — use Self::fetch_jwks (NVIDIA_NRAS_JWKS_URL) for that. Self::from_ec_pem pins a single key. Pin/fetch in the trusted process — never through the untrusted cloud (§1.5).
ReqwestTransport
Live reqwest transport pointed at a provider base URL (e.g. the cloud’s /v1/aci passthrough, or https://cloud-api.near.ai/v1).
TcbInfo
The dstack tcb_info sub-block. We model only app_compose — the raw compose document whose sha256 must equal compose_hash (Task 3’s compose↔mr_config binding). The base registers (mrtd, rtmr0..2) reported here are self-declared cloud metadata and are not trusted: the verdict path asserts the quote’s decoded base registers against the policy’s pinned reference bundle (crate::AciDcapVerifierPolicy::accepts_base_measurements, issue #567), and binds rtmr3 via the event-log replay (crate::event_log_binds_info).
TdxMeasurements
The measurement registers and report_data decoded from a TDX quote.
VerifiedExchange
L1.5 result: a specific exchange provably ran in the attested TEE unmodified. ← gateway’s UpstreamVerifiedEvent, normalized and client-side.
VerifierRegistry
Dispatches by provider so the daemon/cloud can hold one handle and serve many confidential providers. ← gateway’s RoutingUpstreamVerifier. NEAR is the only impl today; the registry exists so Tinfoil/Phala/AciGateway slot in without touching callers.

Enums

IntegrityProof
Each provider’s native integrity proof — the portable artifact a third party could re-check. Mirrors the gateway’s evidence/ChannelBinding, but kept provider-native rather than normalized to one receipt shape.
PolicyError
VerifyError
Errors a ConfidentialVerifier can return. Note that a failed verification is not an error — it is a verdict with verified=false (fail-closed). VerifyError is reserved for the verifier being unable to even reach a verdict it can trust (misconfiguration, malformed input).

Constants

DEFAULT_CACHE_TTL_SECONDS
Default verdict cache TTL (spec §8).
NRAS_GPU_URL
NVIDIA NRAS GPU attestation endpoint.
NVIDIA_NRAS_JWKS_URL
NVIDIA’s NRAS JWKS endpoint — the rotating set of EAT signing keys.
PHALA_PCCS_URL
Default Phala PCCS endpoint for DCAP collateral, re-exported so callers can pin it in the daemon rather than fetch a URL through the untrusted cloud.
SIGNING_ALGO
The signing algorithm bitrouter requests and verifies (spec Decision 7): secp256k1 ECDSA with EIP-191 recovery, matching NEAR’s published vector.
TRUST_BOUNDARY
Honest trust-boundary label: we verify NEAR’s model quote directly, not (as nearai.py does) trust NEAR’s gateway.

Traits

ConfidentialVerifier
Verifies confidential inference for one provider family, client-side.
QuoteVerifier
Strategy for turning a raw TDX quote into measurements, abstracted so the composing verifier can be unit-tested offline. The production DcapQuoteVerifier performs full DCAP verification (Intel signature + collateral); tests substitute a parse-only stub.
ReportTransport
Fetches confidential-inference evidence for a provider. Mockable so the verifier’s crypto runs offline in CI.

Functions

chat_signing_text
The exact text the TEE signs: "{model}:{sha256(req)}:{sha256(resp)}".
check_nras_eat
Verify an NRAS response: EAT signature against decoding_key, the overall result claim, and that the EAT nonce echoes nonce. Fails closed (returns a failed verdict) on a malformed body or a bad signature, never an error — the caller folds the verdict straight into crate::AttestationChecks.
compose_matches_mr_config
True iff sha256(app_compose) (hex) equals mr_config (case-insensitive), proving the running config is the measured one.
event_log_binds_info
True iff the event log replays to the quote’s RTMR3 and records exactly the info fields the policy trusts. This is what anchors app_id, compose_hash, os_image_hash, and key_provider_info to the genuine TEE measurement. Any mismatch ⇒ false (fail-closed).
model_identity
Extract the policy-relevant identity from a model’s info block: workload_id ← app_id, image_digests ← {os_image_hash, compose_hash}, kms_root ← key_provider_info.id (spec §1.5 Decision 8). The compose container @sha256 digests are additional image pins that can be folded in later without changing this shape.
parse_tdx_quote
Decode measurements from a raw TDX quote without network collateral. Offline and deterministic; does not prove Intel signed the quote.
post_nras
POST a model’s nvidia_payload to NRAS and return the raw response body. Online; the daemon calls this directly (not through the untrusted cloud). Errors are transport-level; claim/signature checking is check_nras_eat.
recover_eip191_address
Recover the 0x-prefixed Ethereum address that produced signature_hex over message under EIP-191. signature_hex is 65 bytes (r ‖ s ‖ v), hex, with or without a 0x prefix. Returns None on any malformed input — the caller folds that into a fail-closed verdict.
replay_rtmr
Replay the dstack event log into the register imr: mr ← sha384(mr ‖ digest) for each matching event, starting from zero. Returns None if a digest is unparseable or the result isn’t 48 bytes.
report_data_binds
True iff report_data (the 64 bytes from the verified TDX quote) binds signing_address in its first 32 bytes (20-byte address, zero-padded) and the 32-byte nonce in its last 32 bytes — the “standard” dstack mode.
sha256_hex
sha256(bytes) as lowercase hex — the request/response hashes in the text.
verify_tdx_quote
Full DCAP verification: fetch collateral from pccs_url, verify Intel’s signature and TCB at now_unix, and return the measurements from the verified report. Network-dependent.
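The L1.5 binding pieces described above (report_data_binds, chat_signing_text and sha256_hex), as an added Python illustration rather than the crate's own Rust; the address, nonce and message bytes are constructed. EIP-191 address recovery is left out because it needs a secp256k1 library.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    """sha256(bytes) as lowercase hex, the request/response hashes in the signed text."""
    return hashlib.sha256(data).hexdigest()

def chat_signing_text(model: str, request: bytes, response: bytes) -> str:
    """The exact text the TEE signs: "{model}:{sha256(req)}:{sha256(resp)}"."""
    return f"{model}:{sha256_hex(request)}:{sha256_hex(response)}"

def parse_address(signing_address: str):
    """20 raw bytes of a 0x-prefixed (or bare) hex Ethereum address, or None if malformed."""
    hex_part = signing_address.lower().removeprefix("0x")
    try:
        raw = bytes.fromhex(hex_part)
    except ValueError:
        return None
    return raw if len(raw) == 20 else None

def report_data_binds(report_data: bytes, signing_address: str, nonce: bytes) -> bool:
    """True iff report_data is [20-byte address | 12 zero bytes | 32-byte nonce]."""
    address = parse_address(signing_address)
    if address is None or len(report_data) != 64 or len(nonce) != 32:
        return False  # malformed input folds into a fail-closed verdict
    return report_data[:32] == address.ljust(32, b"\x00") and report_data[32:] == nonce

def make_report_data(signing_address: str, nonce: bytes) -> bytes:
    """Build the report_data layout a genuine TEE would present (constructed test vectors)."""
    address = parse_address(signing_address)
    if address is None or len(nonce) != 32:
        raise ValueError("need a 20-byte address and a 32-byte nonce")
    return address.ljust(32, b"\x00") + nonce
```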