Security and verification

TEE.

Five-vendor TEE attestation. Real hardware integration with simulation fallback for development.

STATUS: Testnet
CRATE: tenzro-tee
STABILITY: Stable
REFERENCE: TEE

Vendors

Intel TDX        /dev/tdx-guest, Intel PCS verification
AMD SEV-SNP      /dev/sev-guest, AMD KDS VCEK chain
AWS Nitro        /dev/nsm, NSM CBOR + COSE_Sign1 ES384
NVIDIA GPU CC    NVIDIA NRAS HTTP API, JWT + SPDM
Intel Tiber      Tiber Trust Authority hosted EAT

Enclave encryption

AES-256-GCM via the shared enclave_crypto.rs module. Keys derived with HKDF-SHA256 and a per-vendor domain tag. Wire format: nonce(12) || ciphertext || tag(16).

Hybrid ZK-in-TEE

Enclaves can prove a STARK and sign the commitment with a PQ-hybrid composite key (Ed25519/Secp256k1 + ML-DSA-65). Both legs must validate.

CLI

tenzro tee detect
tenzro tee attest --vendor intel-tdx

TEE attestation→
ZK→

← All docs