atlas_rs/lib.rs
1//! aTLS Verifier Library
2//!
3//! This library provides verifier implementations for Attested TLS (aTLS).
4//!
5//! # Overview
6//!
7//! The library provides two ways to verify TEE attestation:
8//!
9//! 1. **High-level API**: Use [`atls_connect`] to establish a TLS connection with
10//! attestation verification in a single call.
11//!
12//! 2. **Low-level API**: Use the [`AtlsVerifier`] trait directly for custom TLS handling.
13//!
14//! # Features
15//!
16//! - **TDX Attestation**: Full TDX quote verification using Intel DCAP
17//! - **Bootchain Verification**: Verify MRTD and RTMR0-2 measurements
18//! - **Event Log Replay**: Verify RTMR3 by replaying event logs
19//! - **App Compose Verification**: Verify application configuration hash
20//! - **OS Image Verification**: Verify the OS image hash
21//! - **Certificate Binding**: Verify that the TLS certificate is bound to the TEE
22//!
23//! For architecture details and how to extend with new TEE verifiers, see
24//! [ARCHITECTURE.md](https://github.com/anthropics/atls/blob/main/core/ARCHITECTURE.md).
25//!
26//! # High-Level Example
27//!
28//! ```no_run
29//! use atlas_rs::{atls_connect, Policy, DstackTdxPolicy};
30//!
31//! # async fn example() -> Result<(), Box<dyn std::error::Error>> {
32//! // Connect with the development policy (relaxed TCB status check; intended for development, not production)
33//! let tcp = tokio::net::TcpStream::connect("tee.example.com:443").await?;
34//! let policy = Policy::DstackTdx(DstackTdxPolicy::dev());
35//! let (tls_stream, report) = atls_connect(tcp, "tee.example.com", policy, None).await?;
36//!
37//! // Access report data via pattern matching
38//! match &report {
39//! atlas_rs::Report::Tdx(tdx_report) => {
40//! println!("TCB Status: {}", tdx_report.status);
41//! }
42//! }
43//! # Ok(())
44//! # }
45//! ```
46//!
47//! # Low-Level Example
48//!
49//! ```no_run
50//! use atlas_rs::{DstackTDXVerifier, AtlsVerifier};
51//! use atlas_rs::tdx::ExpectedBootchain;
52//! use serde_json::json;
53//!
54//! # async fn example() -> Result<(), Box<dyn std::error::Error>> {
55//! let verifier = DstackTDXVerifier::builder()
56//! .app_compose(json!({
57//! "runner": "docker-compose",
58//! "docker_compose_file": "..."
59//! }))
60//! .expected_bootchain(ExpectedBootchain {
61//! mrtd: "abc123...".to_string(),
62//! rtmr0: "def456...".to_string(),
63//! rtmr1: "ghi789...".to_string(),
64//! rtmr2: "jkl012...".to_string(),
65//! })
66//! .os_image_hash("86b181...")
67//! .build()
68//! .unwrap();
69//!
70//! // Run verification over an established TLS stream (async); `peer_cert` and `session_ekm` should come from that same session
71//! # let mut tls_stream: tokio_rustls::client::TlsStream<tokio::net::TcpStream> = todo!();
72//! # let peer_cert: Vec<u8> = todo!();
73//! # let session_ekm: Vec<u8> = todo!();
74//! let report = verifier.verify(&mut tls_stream, &peer_cert, &session_ekm, "hostname").await?;
75//! match &report {
76//! atlas_rs::Report::Tdx(tdx_report) => {
77//! println!("TCB Status: {}", tdx_report.status);
78//! }
79//! }
80//! # Ok(())
81//! # }
82//! ```
83
84pub mod connect;
85pub mod dstack;
86pub mod error;
87pub mod logging;
88pub mod policy;
89pub mod tdx;
90pub mod verifier;
91
92// High-level API
93pub use connect::{atls_connect, TlsStream};
94pub use policy::Policy;
95
96// Dstack-specific (backward compatible re-exports)
97// NOTE: compose_hash NOT exposed at root - access via dstack::compose_hash
98pub use dstack::{DstackTDXVerifier, DstackTDXVerifierBuilder, DstackTDXVerifierConfig, DstackTdxPolicy};
99
100// Generic TDX
101pub use tdx::{ExpectedBootchain, TCB_STATUS_LIST};
102
103// Low-level API
104pub use error::AtlsVerificationError;
105pub use verifier::{
106 AsyncByteStream, AsyncRead, AsyncReadExt, AsyncWrite, AsyncWriteExt, IntoVerifier, AtlsVerifier,
107 Report, Verifier,
108};
109
110// Re-export VerifiedReport from dcap-qvl for bindings
111pub use dcap_qvl::verify::VerifiedReport;