Tenzro
Blog — Security

TEE security — five vendors, real attestation

Tenzro supports five TEE vendors with real attestation chains — Intel TDX, AMD SEV-SNP, AWS Nitro, NVIDIA GPU CC, Intel Tiber. Real device ioctls. Real certificate chains. No simulation in production.
Author
Tenzro Engineering
Date
2026-01-21
Category
Security
Read time
7 min

Most projects that talk about TEEs talk about them in the future tense. Tenzro's TEE stack ships verified attestation chains for five vendors today.

Five vendors

Intel TDX. IntelTdxProvider with real /dev/tdx-guest ioctl, TDREPORT → Quote pipeline, Intel PCS certificate chain, and QE P-256 ECDSA verification over Quote[0..632] against the PCK leaf SPKI.

AMD SEV-SNP. AmdSevSnpProvider with real /dev/sev-guest ioctl, SNP_GET_REPORT, AMD KDS VCEK fetching, full ARK → ASK → VCEK chain verification.

AWS Nitro. AwsNitroProvider with real /dev/nsm device, CBOR attestation documents, AWS Nitro root CA chain validation, and COSE_Sign1 ES384 signature verification per RFC 8152 §4.4.

NVIDIA GPU CC. NvidiaGpuProvider with NRAS HTTP attestation, GPU evidence collection, JWT verification, SPDM measurements.

Intel Tiber Trust Authority. IntelTiberClient for the hosted appraisal flow — nonce, attest, JWT (EAT) round-trip against US/EU endpoints, PS384/RS256 JWT verification with allow-listed JWKS hosts.

Real, not simulated

On the live testnet, simulation flags are off — TENZRO_SIMULATE_*=0 on every pod. "Running on a SEV node" is not the same as "doing attestation" — the network requires actual attestation evidence pinned to the provider DID before a TEE provider is registered.

Enclave encryption

One AES-256-GCM module is shared across all five providers. Keys are derived via HKDF-SHA256 with vendor-tag domain separation. Wire format is nonce(12) || ciphertext || tag(16). In production, the key material is sealed by hardware (MKTME / VMSA / KMS / CC memory). In simulation, it's derived from the key UUID.

Post-quantum hybrid signing

For long-lived custody and attestation signatures, Tenzro supports composite Ed25519 + ML-DSA-65 hybrid keys. The signing-pubkey wire format dispatches on a leading tag byte — 0x00/0x01 for classical, 0x02 for hybrid. Verification requires both legs to validate. Used in ERC-7579 SocialRecoveryValidator (N-of-M guardian quorum) and in TEE-bound ZK proof signatures.

ZK in TEE

For workloads that need both privacy and verifiability, the enclave produces the AIR witness, runs Plonky3 inside, and signs the commitment hash — either with a classical key or with the PQ-hybrid composite. bind_external_attestation_result cross-binds an externally-verified AttestationResult to the TeeZkProof — keeping the ZK crate decoupled from HTTP-bearing TEE adapters.

Keep reading
← All posts