TEE Attestation
Klave provides comprehensive TEE Attestation capabilities for your applications. The Klave attestation system enables applications to generate cryptographic proofs of their execution environment and verify the integrity of remote attestations.
Attestation quotes are cryptographically signed statements that prove an application is running in a genuine trusted execution environment (TEE). These quotes contain measurements of the application code, platform configuration, and other security-relevant information that can be verified by external parties.
The quotes returned by applications running on Klave are Intel SGX quotes.
To learn more about attestation fundamentals, check out Trusted Execution Environment (TEE) and Attestation.
Generating Attestation Quotes
The getQuote function generates an attestation quote from the provided challenge (report data) and returns a binary Intel SGX quote (Quote3).
Module | Operation | Parameters | Returns | Behavior |
---|---|---|---|---|
Attestation | getQuote | challenge: u8[] | Result<Uint8Array, Error> | Generate a TEE attestation quote using the provided challenge bytes. Returns the Intel SGX raw quote data that can be verified by external parties. |
Quote generation is not a deterministic operation and can be called only from a query context. The operation includes randomness and current system state.
Parsing Attestation Quotes
The parseQuote function parses raw TEE attestation quotes into structured data.
Module | Operation | Parameters | Returns | Behavior |
---|---|---|---|---|
Attestation | parseQuote | binaryQuote: Uint8Array | Result<ParsedQuote, Error> | Parse a raw TEE attestation quote into its structured components. Automatically detects and handles both Quote3 (SGX) and Quote4 (TDX) formats. |
Quote parsing is deterministic and can be called from any context. The function automatically detects the quote version (3 for SGX, 4 for TDX).
Verifying Attestation Quotes
The verifyQuote function verifies the cryptographic integrity and validity of attestation quotes. It leverages our own DCAP server and quote verification capabilities.
Module | Operation | Parameters | Returns | Behavior |
---|---|---|---|---|
Attestation | verifyQuote | current_time: i64, binaryQuote: Uint8Array | Result<QuoteVerificationResponse, Error> | Verify the cryptographic integrity and validity of an attestation quote using the current timestamp. |
Quote verification is not a deterministic operation and can be called only from a query context. Quote verification requires an accurate timestamp to validate certificate chains. Always use trusted time sources.
Best Practices
- Challenge Security: Always use cryptographically secure random challenges that are 64 bytes long
- Time Accuracy: Ensure accurate timestamps when verifying quotes to properly validate certificate chains
- Error Handling: Check all verification results and handle both cryptographic failures and policy violations
- Quote Freshness: Verify quotes promptly after generation as supporting certificates have limited validity
- Platform Support: Handle both Quote3 (SGX) and Quote4 (TDX) formats for broad compatibility
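A relying party that issued the challenge can confirm that the returned quote carries it, for both Quote3 and Quote4 layouts. The TypeScript below is an added example, not Klave SDK code: it assumes the challenge passed to getQuote is placed unchanged in the quote's 64-byte report_data field, and the function names are hypothetical.

```typescript
// Added example: offsets follow the Intel DCAP quote layout; names are illustrative.
const HEADER_LEN = 48;      // quote header size, same for Quote3 and Quote4
const REPORT_DATA_LEN = 64; // same length as the 64-byte challenge

// Offset of report_data inside the report body that follows the header.
function reportDataOffset(version: number): number {
  if (version === 3) return 320; // SGX report body (384 bytes)
  if (version === 4) return 520; // TDX TD report body (584 bytes)
  throw new Error("unsupported quote version " + version);
}

// Returns the detected version and whether report_data equals the challenge.
function checkChallengeBinding(
  quote: Uint8Array,
  challenge: Uint8Array
): { version: number; bound: boolean } {
  if (challenge.length !== REPORT_DATA_LEN) {
    throw new Error("challenge must be exactly 64 bytes");
  }
  if (quote.length < HEADER_LEN) {
    throw new Error("quote shorter than its header");
  }
  const version = quote[0] | (quote[1] << 8); // little-endian u16 at offset 0
  const start = HEADER_LEN + reportDataOffset(version);
  if (quote.length < start + REPORT_DATA_LEN) {
    throw new Error("quote truncated before report_data");
  }
  let diff = 0; // accumulate differences so every byte is compared
  for (let i = 0; i < REPORT_DATA_LEN; i++) {
    diff |= quote[start + i] ^ challenge[i];
  }
  return { version, bound: diff === 0 };
}

// Constructed sample, not a real quote: only version and report_data are set.
function buildSampleQuote(version: number, reportData: Uint8Array): Uint8Array {
  const start = HEADER_LEN + reportDataOffset(version);
  const q = new Uint8Array(start + REPORT_DATA_LEN);
  q[0] = version & 0xff;
  q[1] = (version >> 8) & 0xff;
  q.set(reportData, start);
  return q;
}
```

This check only ties a quote to the challenge. The quote's signature and certificate chain still have to pass verifyQuote before any field in it is trusted.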