TinfoilAdapter: ERC-733 §C TEE Proof + Tinfoil-Containers third-party leg#1
Open
amiller wants to merge 3 commits into
Open
TinfoilAdapter: ERC-733 §C TEE Proof + Tinfoil-Containers third-party leg#1amiller wants to merge 3 commits into
amiller wants to merge 3 commits into
Conversation
TinfoilAdapter implements the spec's TEE Proof verification path: heavy SEV-SNP / TDX / Sigstore / dm-verity verification is offloaded to an off-chain tinfoil-go-verifier CVM, itself attested by DstackVerifier and registered as a bridge member. On-chain check is ecrecover + bridge-member lookup; signer must have codeId == canonical-verifier image. No admin signer allowlist — trust composes through the bridge. Test exercises tinfoil-go's real cryptographic verification (not a mock): - tools/tinfoil-verify-helper/ links the vendored Go verifier and invokes attestation.VerifyAttestationJSON() against vendored SEV-SNP vector and live https://atc.tinfoil.sh/attestation. Verification must pass before any contract call. Verified MEASUREMENT becomes the on-chain codeId; HPKE pubkey + TLS fingerprint go into userData. - test_e2e_bridge_tinfoil_proof.py drives the full chain on local anvil: KMS root → DstackVerifier → tinfoil-go-verifier CVM (synthetic) → real Tinfoil attestation → registered target → ECIES handshake. Negatives cover signer-not-registered, signer-wrong-codeId, sig/pubkey-binding mismatch. What's still synthetic: the verifier CVM's encumbered key (Account.create stand-in for a real dstack CVM running tinfoil-go-verifier), dstack KMS root, Sigstore bundle check, dm-verity root binding. Documented honestly in notes/TINFOIL.md including the path to Tier 2 (Automata SP1→Groth16 SEV-SNP verifier on-chain) and Tier 3 (P-384 in pure Solidity).
…er leg Extends the helper, e2e test, and adds a CI workflow so the bridge can register and exchange secrets with `*.containers.tinfoil.dev` deploys — not just the managed-inference router at atc.tinfoil.sh. - tools/tinfoil-verify-helper: new `--source host --host <hostname>` mode using attestation.Fetch() against /.well-known/tinfoil-attestation (third-party containers do not publish to the ATC bundle path) - test_e2e_bridge_tinfoil_proof.py: target C, gated on TINFOIL_CONTAINER_HOST so the test stays runnable without admin-key access; adds a C → A ECIES handshake demonstrating cross-leg secret sharing across Tinfoil's two product surfaces - .github/workflows/tinfoil-leg.yml: daily CI that runs the full e2e Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The audit container the previous default pointed at was a transient probe that has been torn down. Operators with admin access to a Tinfoil org can deploy their own and pass it via workflow_dispatch input. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Finishes the TinfoilAdapter side of the bridge — completes the cross-leg secret-sharing fabric for Tinfoil's two product surfaces (managed inference + third-party containers).
contracts/TinfoilAdapter.sol(commit 31f805e) — implements ERC-733 §C "TEE Proof" pattern: heavy SEV-SNP / TDX / Sigstore / dm-verity verification offloaded to an off-chain TEE runningtinfoil-go; that TEE's encumbered key (rooted in TEEBridge itself viaDstackVerifier) signs envelopes the adapter accepts. ~150K gas.tools/tinfoil-verify-helper— added--source host --host <hostname>mode usingattestation.Fetch()against/.well-known/tinfoil-attestation. Required because Tinfoil-Containers third-party deploys do not publish toatc.tinfoil.sh; the bundle path only covers managed inference.test_e2e_bridge_tinfoil_proof.py— adds target C, gated onTINFOIL_CONTAINER_HOSTso the test stays runnable in CI without admin-key access. Adds a C → A ECIES handshake demonstrating cross-leg secret sharing..github/workflows/tinfoil-leg.yml— daily CI that runs the full e2e (anvil + forge + Go helper + Python).E2E result (local)
Related
The third-party container leg is exercised against
devproof-hello.andrew-miller.containers.tinfoil.dev, whose attestation surface is the subject of the tinfoil-confidential-containers DEVPROOF report (operator-side audit; finds an undetectable-from-outside--variableenv-injection class).Test plan
python3 test_e2e_bridge_tinfoil_proof.py(no env var) — A and B verified, A→B handshake ✓TINFOIL_CONTAINER_HOST=devproof-hello.andrew-miller.containers.tinfoil.dev python3 test_e2e_bridge_tinfoil_proof.py— A, B, C verified, A→B and C→A handshakes ✓tools/tinfoil-verify-helper/tinfoil-verify --source host --host <h>returns valid Verification struct--source vendored-sevand--source livepaths unaffected🤖 Generated with Claude Code