What are attestations and why should you know about them?
Oh, you have some code running in your TEE? What makes you so sure that the code running there is actually yours? What if the code was tampered with before it started executing inside the TEE? Well…now that I have made you question all your life choices, lemme put you on some game.
“REMOTE ATTESTATIONS”.
Imagine a magic castle, far from you, that is home to a lot of powerful wizards. The castle has an exclusive wizard club that only real wizards can enter. You’re a prince from another kingdom who recently went on a dragon hunt, and upon slaying the dragon you found a forbidden spell scroll. To use the powers of this scroll, you need a wizard’s help to transfer them to you via magic. So you send a letter to the castle explaining the existence of the forbidden scroll.
After a while, the prince (you) receives a letter saying:
Thank you, almighty <insert_your_prince_name>.
The contents of this scroll have been sought for almost 10,000 years. One can make the world a paradise or a complete living hell using its power.
I, Balthazar, one of the highest-ranking wizards, can help you utilize its power. You can send the scroll via a messenger or a pigeon to the castle.
The prince sees this and immediately thinks, “What if this isn’t Balthazar, but the evil sorcerer Jinmok Nug?” Since the forbidden scroll is so important (cause you know, duh, it’s a forbidden scroll), you, the prince, are faced with a problem: “How do I know the wizard is really a wizard and not an impostor?” So now, the wizard has to prove to the prince that he is the real deal to get the scroll. How does he do it?
- The wizard writes a letter stating his wizardry number (code hash) and puts a piece of his unique magic robe inside it (secure environment proof).
- He then goes to the King’s official (aws-nitro-enclaves-nsm) inside the castle to get it checked and get the magical royal seal (attestation) on it.
- The wizard sends it to the prince (you), and you see it, and you’re like, “Okay, okay, okay, this seal SEEMS like the real deal, but I need to be sure if it is 100% real before I hand the scroll of forbidden spells to this wizard.”
- Now, the prince remembers that his father, the King of Amulets, handed him an Amulet of Truth before he left for his dragon-slaying quest. The Amulet of Truth turns green when hovered over a legitimate royal magic seal, which lets him check whether the royal seal is legitimate or not.
- Now, via the powers of “Remote Attestations,” you have prevented the evil sorcerer Jinmok Nug from getting his hands on the forbidden spell scroll.
Verifying Oyster attestations
Since we work with TEEs, we want to make sure that our users can verify the attestations that are generated within their Oyster enclaves. You too can verify your enclave’s attestation by following these steps:
- Get the IP/URL for your deployed enclave or the attestation hex that you need to verify
- Go to https://hub.marlin.org/oyster/attestation/
- To verify the attestation hex, you just enter it in the textbox under the heading “Paste Hex.”
- To verify via the URL/IP, click the “Attestation URL” tab and enter the full URL where your raw attestation is generated. (Usually, the URL looks something like https://<your_url_or_ip>/attestation/raw.)
- Now just click verify. You’ll either see that the attestation is verified, along with its PCR values and details such as its module ID and certificates, or you’ll know that the attestation is wrong.
- Boom, you just verified that the wizard is indeed telling the truth. Good job, prince.
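An added example, not code from Marlin or AWS: a verified attestation only tells you it is your code if the PCR values shown match the ones you expect for your enclave image. The Python below decodes an attestation hex and lists the PCRs that differ from your expected values. It assumes the hex is the hex-encoded COSE_Sign1 document produced by the Nitro NSM; `cbor_decode`, `check_pcrs` and `SAMPLE_HEX` are names made up here, and the signature and certificate chain are not checked (that is what the steps above are for).

```python
# Added example; field names follow the AWS Nitro attestation document layout.
def cbor_decode(buf, pos=0):
    """Decode one definite-length CBOR item; return (value, next_pos)."""
    major, info = buf[pos] >> 5, buf[pos] & 0x1F
    pos += 1
    if info < 24:
        arg = info
    elif info < 28:
        size = 1 << (info - 24)
        arg = int.from_bytes(buf[pos:pos + size], "big")
        pos += size
    else:
        raise ValueError("indefinite-length CBOR is not supported")
    if major < 2:                                   # unsigned / negative integer
        return (arg if major == 0 else -1 - arg), pos
    if major in (2, 3):                             # byte string / text string
        if pos + arg > len(buf):
            raise ValueError("truncated CBOR string")
        raw = bytes(buf[pos:pos + arg])
        return (raw if major == 2 else raw.decode()), pos + arg
    if major == 4:                                  # array
        items = []
        for _ in range(arg):
            item, pos = cbor_decode(buf, pos)
            items.append(item)
        return items, pos
    if major == 5:                                  # map
        out = {}
        for _ in range(arg):
            key, pos = cbor_decode(buf, pos)
            out[key], pos = cbor_decode(buf, pos)
        return out, pos
    if major == 6:                                  # tag: ignore the tag number
        return cbor_decode(buf, pos)
    return {20: False, 21: True, 22: None}.get(info), pos

def check_pcrs(attestation_hex, expected):
    """Return (module_id, mismatching PCR indexes). Decode only: no signature check."""
    cose, _ = cbor_decode(bytes.fromhex(attestation_hex.strip()))
    if not (isinstance(cose, list) and len(cose) == 4):
        raise ValueError("not a COSE_Sign1 structure")
    doc, _ = cbor_decode(cose[2])                   # payload = attestation document
    bad = [i for i, want in expected.items() if doc["pcrs"].get(i) != bytes.fromhex(want)]
    return doc["module_id"], sorted(bad)

# Constructed sample, not a real attestation: zero-byte signature, PCR i = byte i+1 x 48.
_bstr = lambda b: bytes([0x58, len(b)]) + b         # CBOR bstr header for 24..255 bytes
_PAYLOAD = (b"\xa2\x69module_id\x6esample-enclave\x64pcrs\xa3"
            + b"".join(bytes([i]) + _bstr(bytes([i + 1]) * 48) for i in range(3)))
SAMPLE_HEX = (b"\x84\x44\xa1\x01\x38\x22\xa0" + _bstr(_PAYLOAD) + _bstr(bytes(96))).hex()
```

Pass the hex you would paste into the verification page as `attestation_hex` and your expected PCR values as a dict of index to hex string; an empty list means every listed PCR matched.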