Skip to Content
DocumentationAdvancedTrusted Execution Environment (TEE)

Trusted Execution Environment (TEE)

Alith supports Trusted Execution Environment (TEE) features and provides foundational capabilities for agents operating within a TEE. It enables agents to perform remote attestation to prove their execution within a secure enclave, manage cryptographic keys securely and generate proof.

Requirements

A TEE-enabled environment is required (e.g., Intel TDX) use Phala Cloud for easy deployment.

Of course, Alith supports multiple TEE providers, all of which support managing keys and generating proofs within TEE.

Phala Cloud

Note: we need to enable the phala feature in the alith crate to use this example.

For the deplopment environment, set the environment variable DSTACK_SIMULATOR_ENDPOINT with the simulator: https://github.com/Leechael/tappd-simulator/releases

In production environments, mount the socket file in your docker container:

volumes:
  - /var/run/tappd.sock:/var/run/tappd.sock
use alith::tee::phala::DstackClient;
 
#[tokio::main]
async fn main() -> Result<(), anyhow::Error> {
    let client = DstackClient::default();
    // Derive a key from a key path
    // Returns a key and a certificate chain
    println!(
        "Derive key: {:?}",
        client.derive_key(Some("test"), None, None).await?
    );
    // Get a TDX quote
    println!(
        "Generate report: {:?}",
        client.tdx_quote("test", Default::default()).await?
    );
    Ok(())
}

Marlin

Note: we need to enable the marlin feature in the alith crate to use this example.

Alith Marlin TEE Integration & SDK. This SDK provides a Rust client for communicating with the attestation server.

For local development and testing without TDX devices, you can use the simulator available for download here: https://github.com/marlinprotocol/oyster-monorepo/tree/master/attestation/server-custom-mock and then set the environment variable MARLIN_ATTESTATION_ENDPOINT (Optional, default is http://127.0.0.1:1350)

  • From Source
git clone https://github.com/marlinprotocol/oyster-monorepo
cd oyster-monorepo/attestation/server-custom-mock
 
# Listens on 127.0.0.1:1350 by default
cargo run -r
 
# To customize listening interface and port
cargo run -r --ip-addr <ip>:<port>
  • From Docker
# The server runs on 1350 inside Docker, can remap to any interface and port
docker run --init -p 127.0.0.1:1350:1350 marlinorg/attestation-server-custom-mock
use alith::tee::marlin::{AttestationRequest, MarlinClient};
 
#[tokio::main]
async fn main() -> Result<(), anyhow::Error> {
    let client = MarlinClient::default();
    println!(
        "Generate the attestation with the hex string format: {:?}",
        client
            .attestation_hex(AttestationRequest {
                user_data: Some("test".as_bytes().to_vec()),
                ..Default::default()
            })
            .await?
    );
    Ok(())
}
Last updated on
Chain of Thought (CoT)Data Availability (DA)