The Open-Source AI Stack

Glossary

attestation

A cryptographic protocol that lets a remote party verify which code is running inside a TEE, including which model is loaded and which build of the inference engine.

The protocol that turns “trust me, this is running inside a TEE” into “here is a hardware-signed measurement of exactly what is running.” The CPU produces a quote (signed by a hardware-rooted key) containing the hash of the currently-loaded code and configuration. A relying party verifies the signature against the hardware vendor’s certificate chain and checks the hash against an expected value.

For AI inference the attestation chain proves that: the expected model weights are loaded, the expected runtime version is running, the expected privacy-preserving configuration is in effect, and no other code is in the TEE. Without attestation, a TEE is just an opaque box.
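The quote-and-verify flow described above, as an added example that is not part of the original entry: an ed25519 key pair stands in for the hardware-rooted key and the vendor certificate chain, and SHA-256 over constructed weights/runtime/config strings stands in for the real measurement registers. The relying party checks the signature first and the expected measurement second, so a patched runtime is rejected even though the quote is genuinely hardware-signed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Quote is a simplified stand-in for a hardware attestation quote: a measurement
// signed by a hardware-rooted key (real quotes carry more fields and a cert chain).
type Quote struct {
	Measurement [32]byte
	Signature   []byte
}

// Measure folds the hashes of model weights, runtime build and privacy config
// into one value: the three things the entry says attestation must prove.
func Measure(weights, runtime, config []byte) [32]byte {
	h := sha256.New()
	for _, part := range [][]byte{weights, runtime, config} {
		d := sha256.Sum256(part)
		h.Write(d[:])
	}
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}
// Issue plays the CPU: sign the current measurement with the hardware key.
func Issue(hwKey ed25519.PrivateKey, m [32]byte) Quote {
	return Quote{Measurement: m, Signature: ed25519.Sign(hwKey, m[:])}
}
// Verify plays the relying party: signature first (is this really from the
// hardware?), then measurement (is it running exactly what we expect?).
func Verify(vendorPub ed25519.PublicKey, q Quote, expected [32]byte) error {
	if !ed25519.Verify(vendorPub, q.Measurement[:], q.Signature) {
		return fmt.Errorf("signature invalid: quote is not hardware-rooted")
	}
	if q.Measurement != expected {
		return fmt.Errorf("measurement mismatch: got %x want %x", q.Measurement[:4], expected[:4])
	}
	return nil
}
func main() { // constructed inputs; the key pair stands in for the vendor cert chain
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	expected := Measure([]byte("weights-v1"), []byte("runtime-1.4"), []byte("no-logging"))
	tampered := Measure([]byte("weights-v1"), []byte("runtime-1.4-patched"), []byte("no-logging"))
	fmt.Println(Verify(pub, Issue(priv, expected), expected), Verify(pub, Issue(priv, tampered), expected))
}
```

The first Verify call returns nil and the second returns a measurement-mismatch error; in a real deployment `expected` comes from a public reproducible build and `vendorPub` from the vendor's published certificate chain.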

The user experience of attestation is one of the rougher parts of confidential AI today. Comparing a hardware measurement to a public reproducible-build hash is involved enough that most users delegate to the application layer’s UI or a verifier service (Marlin TEE-Verifier, hosted attestation endpoints exposed by Apple PCC, Phala, AWS Nitro, Google Confidential Computing). The underlying primitive is sound; the verification tooling is still maturing.
