@FilipCivljak

Type of PR

Documentation update – adds explanation of Cube AI attestation, Attested TLS (aTLS), and Local Proxy-based attestation.

What this does

  • Adds a general overview of attestation and why it matters
  • Explains how Cube AI uses Attested TLS (aTLS) for secure communication
  • Details how the Local Proxy automates attestation for users
  • Describes attestation policy verification and security guarantees
  • Improves clarity and readability of the attestation documentation

Related Issues

  • NOISSUE (documentation improvement)

Tests

  • No, this PR only updates documentation

Notes

aTLS is a standard TLS connection augmented with a **hardware-backed attestation report** proving that the remote service is running inside a **Trusted Execution Environment (TEE)**.

During startup:
In Cube AI, the Embeddings Service acts as the TLS server and extends its **X.509 certificate** with an attestation report generated by the underlying TEE (e.g. AMD SEV-SNP).
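
Review bot: The sentence saying the server "extends its **X.509 certificate** with an attestation report" does not say, in the lines shown, what ties that report to the certificate's key or to the current handshake, so a reader cannot tell why a report copied onto a different certificate would be rejected. Suggest adding one sentence on what the report is bound to (for example the certificate public key and a client-supplied nonce, if that is how Cube AI does it) and on what the client checks before it accepts the connection.
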
Contributor

We don't have an "embeddings service".

---

## Why Attestation Matters
## Local Proxy-Based Attestation
Contributor

Our proxy sits on the cloud; users don't deploy it. aTLS can be verified through audit logs, and attestation can still be fetched directly using the proxy.

The Local Proxy enforces an **attestation policy** that defines the expected properties of the TEE.

### 🔹 Attestation Endpoint
This policy includes:
Contributor

Insert a sample attestation policy JSON file.

3 participants