Attestation Server
The Privasys Attestation Server is a lightweight Go service that independently verifies hardware attestation quotes from Confidential Computing platforms (Intel TDX, Intel SGX). Access to the verification endpoint is protected with OIDC bearer token authentication.
Repository: github.com/Privasys/attestation-server
Why Run Your Own?
Quote verification requires collateral: root certificates, certificate revocation lists (CRLs), and TCB (Trusted Computing Base) information that originates from the chip vendor (Intel, for the TDX and SGX quotes this server handles). Intel publishes this collateral through its Provisioning Certification Service (PCS); deployments normally fetch it through a local cache, the Provisioning Certificate Caching Service (PCCS).
Anyone can run a PCCS and an attestation server using this public collateral; no permission from the chip vendor is needed. Running your own means:
- Independence. No dependency on a third-party verification service.
- Privacy. Quote contents (including measurements and ReportData) never leave your infrastructure.
- Availability. No external service to go down during verification.
Privasys operates its own attestation servers (e.g. as.privasys.org) and provides the server as open-source so anyone can do the same.
Architecture
```
┌──────────┐          ┌────────────────────────┐          ┌─────────────┐
│  Client  │──HTTPS──►│ Caddy (reverse proxy)  │──HTTP──► │ Attestation │
│          │          │    (automatic TLS)     │          │   Server    │
└──────────┘          └────────────────────────┘          │   (:8080)   │
                                                          └──────┬──────┘
                                                                 │
                                                          ┌──────┴──────┐
                                                          │    PCCS     │
                                                          │   (:8081)   │
                                                          └─────────────┘
```
The server auto-detects the quote type (TDX v4 or SGX v3) from the version field in the raw quote bytes and routes it to the appropriate verifier:
- TDX verified in pure Go using google/go-tdx-guest (signature + certificate chain).
- SGX verified via a pure-Go DCAP v3 quote parser and verifier.
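The routing step described above, shown as an added example (not the server's own code): a 48-byte DCAP quote header is inspected for its version field, and for v4 quotes also the TEE type, before the quote is handed to a verifier. The header offsets follow Intel's published quote layout; the sample headers are constructed inline and are not real quotes, so they exercise only the routing, not signature verification.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Header layout shared by SGX DCAP v3 and TDX v4 quotes (first 48 bytes):
// version at offset 0, attestation key type at 2, TEE type at 4 (reserved
// and zero in SGX v3 quotes), then QE/PCE SVNs, QE vendor ID and user data.
const quoteHeaderLen = 48

const (
	quoteVersionSGX = 3          // SGX ECDSA quote, DCAP v3
	quoteVersionTDX = 4          // TDX quote, DCAP v4
	teeTypeTDX      = 0x00000081 // TEE type value for TDX in v4 headers
)

type QuoteKind string

const (
	KindSGX QuoteKind = "sgx-v3"
	KindTDX QuoteKind = "tdx-v4"
)

var ErrUnsupportedQuote = errors.New("unsupported quote")

// DetectQuoteKind reads the version (and, for v4, the TEE type) from the raw
// header and decides which verifier should handle the quote. Only the two
// formats this page lists are accepted; an SGX quote in v4 framing is rejected
// rather than silently routed to the TDX verifier.
func DetectQuoteKind(raw []byte) (QuoteKind, error) {
	if len(raw) < quoteHeaderLen {
		return "", fmt.Errorf("%w: %d bytes is shorter than the quote header", ErrUnsupportedQuote, len(raw))
	}
	version := binary.LittleEndian.Uint16(raw[0:2])
	teeType := binary.LittleEndian.Uint32(raw[4:8])
	switch version {
	case quoteVersionSGX:
		return KindSGX, nil
	case quoteVersionTDX:
		if teeType != teeTypeTDX {
			return "", fmt.Errorf("%w: v4 quote with TEE type 0x%x", ErrUnsupportedQuote, teeType)
		}
		return KindTDX, nil
	default:
		return "", fmt.Errorf("%w: version %d", ErrUnsupportedQuote, version)
	}
}

// sampleQuoteHeader builds a constructed (not real) header with the given
// version and TEE type so the routing can be exercised offline.
func sampleQuoteHeader(version uint16, teeType uint32) []byte {
	h := make([]byte, quoteHeaderLen)
	binary.LittleEndian.PutUint16(h[0:2], version)
	binary.LittleEndian.PutUint16(h[2:4], 2) // attestation key type 2: ECDSA-256 with P-256
	binary.LittleEndian.PutUint32(h[4:8], teeType)
	return h
}

func main() {
	for _, q := range [][]byte{
		sampleQuoteHeader(3, 0),    // SGX v3 -> sgx-v3
		sampleQuoteHeader(4, 0x81), // TDX v4 -> tdx-v4
		sampleQuoteHeader(4, 0),    // SGX in v4 framing -> rejected
		sampleQuoteHeader(5, 0),    // unknown version -> rejected
	} {
		kind, err := DetectQuoteKind(q)
		fmt.Printf("kind=%q err=%v\n", kind, err)
	}
}
```

Rejecting anything outside the two supported shapes before parsing the body keeps malformed or unexpected input away from the verifiers; the real server still has to verify the signature and certificate chain after this step.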
Endpoint
| Method | Path | Role | Description |
|---|---|---|---|
| POST | / | attestation-server:client | Verify a hardware attestation quote |
All requests require a valid Authorization: Bearer <OIDC_TOKEN> header.
Building
```sh
git clone https://github.com/Privasys/attestation-server.git
cd attestation-server
go build -o dist/attestation-server ./src/
```
Configuration
The server uses an OIDC provider for bearer token authentication. All flags also accept environment variable overrides.
| Flag | Env var | Default | Description |
|---|---|---|---|
| --oidc-issuer | OIDC_ISSUER | (required) | OIDC issuer URL |
| --oidc-audience | OIDC_AUDIENCE | attestation-server | Expected aud claim |
| --oidc-client-role | OIDC_CLIENT_ROLE | attestation-server:client | Required OIDC role |
| --oidc-role-claim | OIDC_ROLE_CLAIM | urn:zitadel:iam:org:project:roles | JWT claim key containing roles |
| --listen | LISTEN_ADDR | :8080 | Listen address |
Supported role claim formats
The server checks three claim paths (matching Zitadel, Keycloak, and standard OIDC providers):
- Zitadel: urn:zitadel:iam:org:project:roles (map of role to metadata)
- Standard: roles (string array)
- Keycloak: realm_access.roles (string array)
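The audience and role checks described in the configuration table and the claim-format list above, as an added example rather than the server's own code. It operates on the decoded claims of a token whose signature, issuer and expiry are assumed to have already been validated by the OIDC library; the constructed payloads cover the three claim shapes plus two tokens that must be refused. The assumption that the --oidc-role-claim key names the Zitadel-style map (with roles and realm_access.roles always checked in addition) is this example's, not something the page states.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Defaults matching the flags documented above.
const (
	defaultAudience  = "attestation-server"
	defaultRole      = "attestation-server:client"
	defaultRoleClaim = "urn:zitadel:iam:org:project:roles"
)

var (
	ErrAudience = errors.New("aud claim does not contain the expected audience")
	ErrRole     = errors.New("required role not present in token")
)

// hasAudience accepts both the string and the array form of aud (RFC 7519 §4.1.3).
func hasAudience(claims map[string]any, want string) bool {
	switch aud := claims["aud"].(type) {
	case string:
		return aud == want
	case []any:
		for _, a := range aud {
			if s, ok := a.(string); ok && s == want {
				return true
			}
		}
	}
	return false
}

// stringArray extracts the string elements of a JSON array claim, ignoring
// non-string entries rather than failing on them.
func stringArray(v any) []string {
	arr, ok := v.([]any)
	if !ok {
		return nil
	}
	var out []string
	for _, e := range arr {
		if s, ok := e.(string); ok {
			out = append(out, s)
		}
	}
	return out
}

// rolesFromClaims collects role names from the three claim paths: the
// Zitadel-style map under roleClaim (assumed here to be what --oidc-role-claim
// selects), the plain "roles" array, and Keycloak's "realm_access.roles".
func rolesFromClaims(claims map[string]any, roleClaim string) []string {
	var roles []string
	if m, ok := claims[roleClaim].(map[string]any); ok {
		for name := range m { // Zitadel: role name -> org metadata
			roles = append(roles, name)
		}
	}
	roles = append(roles, stringArray(claims["roles"])...)
	if ra, ok := claims["realm_access"].(map[string]any); ok {
		roles = append(roles, stringArray(ra["roles"])...)
	}
	return roles
}

// AuthorizeClaims returns nil only if the decoded claims carry the expected
// audience and the required role in at least one of the supported claim paths.
func AuthorizeClaims(payload []byte, audience, role, roleClaim string) error {
	var claims map[string]any
	if err := json.Unmarshal(payload, &claims); err != nil {
		return fmt.Errorf("decode claims: %w", err)
	}
	if !hasAudience(claims, audience) {
		return ErrAudience
	}
	for _, r := range rolesFromClaims(claims, roleClaim) {
		if r == role {
			return nil
		}
	}
	return ErrRole
}

// Constructed claim payloads (not real tokens) in the three supported shapes,
// plus two that must be rejected.
var (
	zitadelPayload  = []byte(`{"aud":"attestation-server","urn:zitadel:iam:org:project:roles":{"attestation-server:client":{"123456":"example.org"}}}`)
	standardPayload = []byte(`{"aud":["attestation-server","other-api"],"roles":["attestation-server:client"]}`)
	keycloakPayload = []byte(`{"aud":"attestation-server","realm_access":{"roles":["offline_access","attestation-server:client"]}}`)
	wrongAudience   = []byte(`{"aud":"other-api","roles":["attestation-server:client"]}`)
	missingRole     = []byte(`{"aud":"attestation-server","roles":["viewer"]}`)
)

func main() {
	for name, p := range map[string][]byte{"zitadel": zitadelPayload, "standard": standardPayload,
		"keycloak": keycloakPayload, "wrong-aud": wrongAudience, "no-role": missingRole} {
		fmt.Printf("%-9s %v\n", name, AuthorizeClaims(p, defaultAudience, defaultRole, defaultRoleClaim))
	}
}
```

Checking aud before roles matters: a token minted for a different service by the same issuer may well carry a role with the same name, and only the audience check ties the token to this server.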
Running
systemd service
Create /etc/systemd/system/attestation-server.service:
```ini
[Unit]
Description=Privasys Attestation Server
After=network.target

[Service]
Type=simple
WorkingDirectory=/opt/attestation-server
Environment=OIDC_ISSUER=https://auth.example.com
ExecStart=/opt/attestation-server/attestation-server
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target
```
Enable and start it:
```sh
sudo systemctl daemon-reload
sudo systemctl enable --now attestation-server
```
View logs:
```sh
journalctl -u attestation-server -f
```
Verifying a Quote
Callers must present a valid OIDC bearer token with the attestation-server:client role. Tokens are issued by your OIDC provider (e.g. Zitadel, Keycloak, Auth0).
```sh
curl -X POST https://as.privasys.org/ \
  -H "Authorization: Bearer <OIDC_TOKEN>" \
  -H "Content-Type: application/json" \
  -d '{"quote": "<base64-encoded-quote>"}'
```
Response:
```json
{
  "success": true,
  "status": "OK",
  "message": "TDX quote verified (signature + certificate chain)"
}
```
Setting Up the PCCS
The attestation server needs access to a Provisioning Certificate Caching Service (PCCS) to fetch Intel's attestation collateral. You can run the PCCS on the same machine or on a separate server.
Install
```sh
sudo apt install -y git nodejs npm libsgx-dcap-quote-verify \
  libsgx-dcap-default-qpl libsgx-dcap-ql-dev
# Clone and build Intel PCCS
git clone https://github.com/intel/confidential-computing.tee.dcap.pccs.git ~/pccs-source
cd ~/pccs-source/service
sudo ./install.sh
```
Configure
Edit /opt/intel/sgx-dcap-pccs/config/default.json and set your Intel PCS API key.
Generate PCCS TLS certificate
```sh
sudo openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \
  -keyout /opt/intel/sgx-dcap-pccs/private/private.pem \
  -out /opt/intel/sgx-dcap-pccs/private/file.crt \
  -subj "/CN=localhost"
```
Start
```sh
sudo systemctl enable --now pccs
```
Point the quote provider at the PCCS
Edit /etc/sgx_default_qcnl.conf:
```json
{
  "pccs_url": "https://localhost:8081/sgx/certification/v4/",
  "use_secure_cert": false,
  "pccs_api_version": "3.1",
  "retry_times": 3,
  "retry_delay": 3
}
```
"use_secure_cert": false skips validation of the PCCS TLS certificate, which is acceptable for the self-signed certificate generated above on localhost. If the PCCS runs on a separate host, add its certificate to the system trust store (or issue it from a CA the host trusts) and set use_secure_cert to true, so that collateral is not fetched over an unauthenticated connection.
Verify connectivity:
```sh
curl -k https://localhost:8081/sgx/certification/v4/rootcacrl
```
Caddy Reverse Proxy (optional)
Front the server with Caddy for automatic HTTPS:
```sh
sudo apt install caddy
```
Edit /etc/caddy/Caddyfile:
```
attestation.example.com {
    reverse_proxy localhost:8080
}
```
Restart Caddy:
```sh
sudo systemctl restart caddy
```
Caddy will automatically obtain a Let's Encrypt certificate for the domain.
Cloud Deployment Guides
For step-by-step instructions on specific cloud providers, see the installation guides in the repository:
Dependencies
| Library | License | Usage |
|---|---|---|
| google/go-tdx-guest | Apache 2.0 | TDX quote parsing and signature verification |