Skip to content

refactor(attestation): extract attestation-types crate without dcap-qvl #3245

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
pbeza wants to merge 3 commits into
base: feat/tee-verifier-contract
Choose a base branch
from
Draft

refactor(attestation): extract attestation-types crate without dcap-qvl #3245

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
2e70aa9
feat(tee-verifier-interface): Borsh DTOs for the verifier contract bo…
pbeza May 14, 2026
43413b5
feat(tee-verifier): stateless dcap_qvl::verify wrapper contract
pbeza May 14, 2026
6d62b22
refactor(attestation): extract `attestation-types` crate without dcap…
pbeza May 15, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
44 changes: 41 additions & 3 deletions Cargo.lock
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

5 changes: 5 additions & 0 deletions Cargo.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@ resolver = "3"
members = [
"crates/attestation",
"crates/attestation-cli",
"crates/attestation-types",
"crates/backup-cli",
"crates/chain-gateway",
"crates/chain-gateway-test-contract",
Expand All @@ -28,6 +29,8 @@ members = [
"crates/tee-authority",
"crates/tee-context",
"crates/tee-launcher",
"crates/tee-verifier",
"crates/tee-verifier-interface",
"crates/test-migration-contract",
"crates/test-parallel-contract",
"crates/test-port-allocator",
Expand All @@ -46,6 +49,7 @@ repository = "https://github.com/near/mpc"
[workspace.dependencies]
#workspace members
attestation = { path = "crates/attestation" }
attestation-types = { path = "crates/attestation-types" }
chain-gateway = { path = "crates/chain-gateway" }
chain-gateway-test-contract = { path = "crates/chain-gateway-test-contract" }
contract-history = { path = "crates/contract-history" }
Expand All @@ -66,6 +70,7 @@ near-mpc-sdk = { path = "crates/near-mpc-sdk", version = "0.0.1" }
near-mpc-signature-verifier = { path = "crates/near-mpc-signature-verifier", version = "0.0.1" }
node-types = { path = "crates/node-types" }
tee-authority = { path = "crates/tee-authority" }
tee-verifier-interface = { path = "crates/tee-verifier-interface" }
test-port-allocator = { path = "crates/test-port-allocator" }
test-utils = { path = "crates/test-utils" }
threshold-signatures = { path = "crates/threshold-signatures" }
Expand Down
30 changes: 30 additions & 0 deletions crates/attestation-types/Cargo.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@
[package]
name = "attestation-types"
version = { workspace = true }
license = { workspace = true }
edition = { workspace = true }
repository = "https://github.com/near/mpc"

[features]
borsh-schema = ["borsh/unstable__schema", "tee-verifier-interface/borsh-schema"]
dstack-conversions = ["dep:dstack-sdk-types"]
test-utils = []

[dependencies]
borsh = { workspace = true }
derive_more = { workspace = true }
dstack-sdk-types = { workspace = true, optional = true }
hex = { workspace = true }
serde = { workspace = true }
serde_json = { workspace = true }
serde_with = { workspace = true }
sha2 = { workspace = true }
tee-verifier-interface = { workspace = true }
thiserror = { workspace = true }

[dev-dependencies]
dstack-sdk-types = { workspace = true }
rstest = { workspace = true }

[lints]
workspace = true
7 changes: 7 additions & 0 deletions crates/attestation-types/assets/event_log.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
{
"imr": 0,
"event_type": 2147483659,
"digest": "8ae1e425351df7992c444586eff99d35af3b779aa2b0e981cb4b73bc5b279f2ade19b6a62a203fc3c3bbdaae80af596d",
"event": "",
"event_payload": "095464785461626c65000100000000000000af96bb93f2b9b84e9462e0ba745642360090800000000000"
}
216 changes: 216 additions & 0 deletions crates/attestation-types/assets/tcb_info.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,216 @@
{
"mrtd": "f06dfda6dce1cf904d4e2bab1dc370634cf95cefa2ceb2de2eee127c9382698090d7a4a13e14c536ec6c9c3c8fa87077",
"rtmr0": "e673be2f70beefb70b48a6109eed4715d7270d4683b3bf356fa25fafbf1aa76e39e9127e6e688ccda98bdab1d4d47f46",
"rtmr1": "b598fde9491427341bc4683b75d10d3e36770af3a36a6954d8b6b7b22aa66358f13e1f172e51b7d6e6710d99a8d8532f",
"rtmr2": "c812d42bfff1c75382e91a37c867ab117b97eb5e8d6797488928ea38e5fd38b5ed2f87d9613d392507f1c3af94657c93",
"rtmr3": "b7662ac19c27af648a939be042684bbdb43bb3dddf4cd17bb21f4d455ab1926c6ee57038152fc46ddea392c47eb2af27",
"os_image_hash": "7d47512fda31dc5a7318f72ae1869a3c76323981eea21fc30cafd0f79668642c",
"compose_hash": "cb9b2d6204f5e44238b75f69e3a3069550734c0d99ebdd3be507c238a261d8fa",
"device_id": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"app_compose": "{\n \"manifest_version\": 2,\n \"name\": \"mpc-localnet-one-node-1774945636\",\n \"runner\": \"docker-compose\",\n \"docker_compose_file\": \"version: '3.8'\\n\\nservices:\\n launcher:\\n image: nearone/mpc-launcher@sha256:1f54b55bad22c45067228a9262bc6377e393ca1a07edb64e691e80704f49b74e\\n\\n container_name: launcher\\n\\n environment:\\n - PLATFORM=TEE\\n - DOCKER_CONTENT_TRUST=1\\n - DEFAULT_IMAGE_DIGEST=sha256:6a5700fccbb3facddd1f3934f4976c4dcefc176c4aac28cd2fd035984b368980\\n\\n volumes:\\n - /var/run/docker.sock:/var/run/docker.sock\\n - /var/run/dstack.sock:/var/run/dstack.sock\\n - /tapp:/tapp:ro\\n - shared-volume:/mnt/shared:rw\\n\\n security_opt:\\n - no-new-privileges:true\\n\\n read_only: true\\n\\n tmpfs:\\n - /tmp\\n\\nvolumes:\\n shared-volume:\\n name: shared-volume\\n\",\n \"kms_enabled\": false,\n \"gateway_enabled\": false,\n \"local_key_provider_enabled\": true,\n \"key_provider_id\": \"\",\n \"public_logs\": true,\n \"public_sysinfo\": true,\n \"allowed_envs\": [],\n \"no_instance_id\": true,\n \"secure_time\": false\n}",
"event_log": [
{
"imr": 0,
"event_type": 2147483659,
"digest": "8ae1e425351df7992c444586eff99d35af3b779aa2b0e981cb4b73bc5b279f2ade19b6a62a203fc3c3bbdaae80af596d",
"event": "",
"event_payload": "095464785461626c65000100000000000000af96bb93f2b9b84e9462e0ba745642360090800000000000"
},
{
"imr": 0,
"event_type": 2147483658,
"digest": "344bc51c980ba621aaa00da3ed7436f7d6e549197dfe699515dfa2c6583d95e6412af21c097d473155875ffd561d6790",
"event": "",
"event_payload": "2946762858585858585858582d585858582d585858582d585858582d58585858585858585858585829000000c0ff000000000040080000000000"
},
{
"imr": 0,
"event_type": 2147483649,
"digest": "9dc3a1f80bcec915391dcda5ffbb15e7419f77eab462bbf72b42166fb70d50325e37b36f93537a863769bcf9bedae6fb",
"event": "",
"event_payload": "61dfe48bca93d211aa0d00e098032b8c0a00000000000000000000000000000053006500630075007200650042006f006f007400"
},
{
"imr": 0,
"event_type": 2147483649,
"digest": "6f2e3cbc14f9def86980f5f66fd85e99d63e69a73014ed8a5633ce56eca5b64b692108c56110e22acadcef58c3250f1b",
"event": "",
"event_payload": "61dfe48bca93d211aa0d00e098032b8c0200000000000000000000000000000050004b00"
},
{
"imr": 0,
"event_type": 2147483649,
"digest": "d607c0efb41c0d757d69bca0615c3a9ac0b1db06c557d992e906c6b7dee40e0e031640c7bfd7bcd35844ef9edeadc6f9",
"event": "",
"event_payload": "61dfe48bca93d211aa0d00e098032b8c030000000000000000000000000000004b0045004b00"
},
{
"imr": 0,
"event_type": 2147483649,
"digest": "08a74f8963b337acb6c93682f934496373679dd26af1089cb4eaf0c30cf260a12e814856385ab8843e56a9acea19e127",
"event": "",
"event_payload": "cbb219d73a3d9645a3bcdad00e67656f0200000000000000000000000000000064006200"
},
{
"imr": 0,
"event_type": 2147483649,
"digest": "18cc6e01f0c6ea99aa23f8a280423e94ad81d96d0aeb5180504fc0f7a40cb3619dd39bd6a95ec1680a86ed6ab0f9828d",
"event": "",
"event_payload": "cbb219d73a3d9645a3bcdad00e67656f03000000000000000000000000000000640062007800"
},
{
"imr": 0,
"event_type": 4,
"digest": "394341b7182cd227c5c6b07ef8000cdfd86136c4292b8e576573ad7ed9ae41019f5818b4b971c9effc60e1ad9f1289f0",
"event": "",
"event_payload": "00000000"
},
{
"imr": 0,
"event_type": 10,
"digest": "6dae15170c9fea6455681e3f838941a642ff9001a02a333e9ca8549af1db4ba47f01403e31dabe6e8a0b41ddd38b6d99",
"event": "",
"event_payload": "414350492044415441"
},
{
"imr": 0,
"event_type": 10,
"digest": "b3a62232ef6be064cce25a8b92cf55d4a6c099ee7a9c0852ce0c7d572393dae84895c0f59a9db5000f0b34a90c1b1bec",
"event": "",
"event_payload": "414350492044415441"
},
{
"imr": 0,
"event_type": 10,
"digest": "b6ed8ff3fca3c308f3f1ec7889054cc900b1c6dad9b14aedd0144d046626c81a5dbae47937f4949bb2d674a0bd699a7b",
"event": "",
"event_payload": "414350492044415441"
},
{
"imr": 1,
"event_type": 2147483651,
"digest": "69e0bbb3861d993ddd4b79b40bb31cdc58ed540c754574e3c8af2432c5ac88e751a3b37bcf55a2352bad236b6ff4dc5c",
"event": "",
"event_payload": "18e0fd7a00000000008485000000000000000000000000002a000000000000000403140072f728144ab61e44b8c39ebdd7f893c7040412006b00650072006e0065006c0000007fff0400"
},
{
"imr": 0,
"event_type": 2147483650,
"digest": "1dd6f7b457ad880d840d41c961283bab688e94e4b59359ea45686581e90feccea3c624b1226113f824f315eb60ae0a7c",
"event": "",
"event_payload": "61dfe48bca93d211aa0d00e098032b8c0900000000000000020000000000000042006f006f0074004f0072006400650072000000"
},
{
"imr": 0,
"event_type": 2147483650,
"digest": "23ada07f5261f12f34a0bd8e46760962d6b4d576a416f1fea1c64bc656b1d28eacf7047ae6e967c58fd2a98bfa74c298",
"event": "",
"event_payload": "61dfe48bca93d211aa0d00e098032b8c08000000000000003e0000000000000042006f006f0074003000300030003000090100002c0055006900410070007000000004071400c9bdb87cebf8344faaea3ee4af6516a10406140021aa2c4614760345836e8ab6f46623317fff0400"
},
{
"imr": 1,
"event_type": 2147483655,
"digest": "77a0dab2312b4e1e57a84d865a21e5b2ee8d677a21012ada819d0a98988078d3d740f6346bfe0abaa938ca20439a8d71",
"event": "",
"event_payload": "43616c6c696e6720454649204170706c69636174696f6e2066726f6d20426f6f74204f7074696f6e"
},
{
"imr": 1,
"event_type": 4,
"digest": "394341b7182cd227c5c6b07ef8000cdfd86136c4292b8e576573ad7ed9ae41019f5818b4b971c9effc60e1ad9f1289f0",
"event": "",
"event_payload": "00000000"
},
{
"imr": 2,
"event_type": 6,
"digest": "67f31a01871425f296100b04393a310fbf18e0a1d2ac19270b5a4609227e0e5fbe6ab838ef5822699a9e7216003378f6",
"event": "",
"event_payload": "ed223b8f1a0000004c4f414445445f494d4147453a3a4c6f61644f7074696f6e7300"
},
{
"imr": 2,
"event_type": 6,
"digest": "dbfb59810302b3564182a02ae2fc5dcda5f8207380a7b18a9e6dd6fb648c33b1612eb10fb95ec620fb70b9c240ffda1c",
"event": "",
"event_payload": "ec223b8f0d0000004c696e757820696e6974726400"
},
{
"imr": 1,
"event_type": 2147483655,
"digest": "214b0bef1379756011344877743fdc2a5382bac6e70362d624ccf3f654407c1b4badf7d8f9295dd3dabdef65b27677e0",
"event": "",
"event_payload": "4578697420426f6f7420536572766963657320496e766f636174696f6e"
},
{
"imr": 1,
"event_type": 2147483655,
"digest": "0a2e01c85deae718a530ad8c6d20a84009babe6c8989269e950d8cf440c6e997695e64d455c4174a652cd080f6230b74",
"event": "",
"event_payload": "4578697420426f6f742053657276696365732052657475726e656420776974682053756363657373"
},
{
"imr": 3,
"event_type": 134217729,
"digest": "f9974020ef507068183313d0ca808e0d1ca9b2d1ad0c61f5784e7157c362c06536f5ddacdad4451693f48fcc72fff624",
"event": "system-preparing",
"event_payload": ""
},
{
"imr": 3,
"event_type": 134217729,
"digest": "8f4219433b1fbb548e8e3c9c0a308a09888871da6b0472f8b2057d14846b33f66d674ebaa5829f26e9ffb3d2745eb5ce",
"event": "app-id",
"event_payload": "cb9b2d6204f5e44238b75f69e3a3069550734c0d"
},
{
"imr": 3,
"event_type": 134217729,
"digest": "f53085ad730605df556bbe4617e942a89186705897eac8974656be41ddcc516a08c4d2b9135fbf8a0f25836c26e1c0d3",
"event": "compose-hash",
"event_payload": "cb9b2d6204f5e44238b75f69e3a3069550734c0d99ebdd3be507c238a261d8fa"
},
{
"imr": 3,
"event_type": 134217729,
"digest": "305a62e30e8f4ca791946c3ede6755cfacebe02be9101f0bccf2591509a0c8e8095bc83b3d53bfc5d70d6c7cf7813fc5",
"event": "instance-id",
"event_payload": ""
},
{
"imr": 3,
"event_type": 134217729,
"digest": "98bd7e6bd3952720b65027fd494834045d06b4a714bf737a06b874638b3ea00ff402f7f583e3e3b05e921c8570433ac6",
"event": "boot-mr-done",
"event_payload": ""
},
{
"imr": 3,
"event_type": 134217729,
"digest": "61ce56b6be756a9e45af7715b13c15040a4e6090cc740be24e2cc02e33b4fb53ae4e3c945c9af83e2a26c6d5efa414a8",
"event": "key-provider",
"event_payload": "7b226e616d65223a226c6f63616c2d736778222c226964223a2236623565643032653534396131633330616161386533313731613034356631663434396230303137333533656635393565373865333963333438633938643031227d"
},
{
"imr": 3,
"event_type": 134217729,
"digest": "ba51104636900268b0e059fa3d266419d079d1e94aea26fb9fcbb8d764bf4c89a67ac271b8a0d1a3989945132a111fc7",
"event": "storage-fs",
"event_payload": "7a6673"
},
{
"imr": 3,
"event_type": 134217729,
"digest": "1a76b2a80a0be71eae59f80945d876351a7a3fb8e9fd1ff1cede5734aa84ea11fd72b4edfbb6f04e5a85edd114c751bd",
"event": "system-ready",
"event_payload": ""
},
{
"imr": 3,
"event_type": 134217729,
"digest": "9aed81f5b1af85f768ef6873ed6f997f55f37de951cca18f5daa35890ab9e5573314d2e0cd188a6913dd4ab6f5455678",
"event": "mpc-image-digest",
"event_payload": "6a5700fccbb3facddd1f3934f4976c4dcefc176c4aac28cd2fd035984b368980"
}
]
}
0 crates/attestation/src/app_compose.rs → crates/attestation-types/src/app_compose.rs
View file
Open in desktop
File renamed without changes.
29 changes: 29 additions & 0 deletions crates/attestation-types/src/lib.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
//! TEE attestation types and post-DCAP verification helpers, decoupled from
//! `dcap-qvl`.
//!
//! Crate contents:
//! - DTOs that `mpc-contract` and other consumers exchange and store:
//! [`tcb_info::TcbInfo`], [`app_compose::AppCompose`],
//! [`measurements::Measurements`] / [`measurements::ExpectedMeasurements`],
//! [`report_data::ReportData`].
//! - The post-DCAP verification helpers ([`verify_post_dcap`]): RTMR3 replay,
//! app-compose validation, TCB-status / advisory-id checks, measurement
//! matching. These operate on the
//! [`tee_verifier_interface::VerifiedReport`] mirror — *not* on the
//! `dcap_qvl` type — so this crate has no `dcap-qvl` dependency and can
//! be linked into consumer contracts without dragging in
//! `ring`/`webpki`/X.509.
//!
//! The `dcap_qvl::verify::verify` call itself lives elsewhere — in the
//! `attestation` crate for off-chain local verify, and in the
//! `tee-verifier` contract for cross-contract verify.

#![no_std]

extern crate alloc;

pub mod app_compose;
pub mod measurements;
pub mod report_data;
pub mod tcb_info;
pub mod verify_post_dcap;
Loading
Loading