GPU-TEE Attestation

The kernel’s attestation/ domain (INIT-MOONSHOT MD3) verifies a confidential-compute (GPU-TEE) attestation quote and normalizes it to a vendor-name-free receipt. It is a govern-and-prove primitive: a known-good quote verifies, a tampered quote fails closed, and a replayed nonce is rejected.

It ships on the dedicated subpath so consumers import only the attestation surface:

import {
  verifyGpuAttestationQuote,
  buildGpuAttestationRecordedEvent,
  createReplayNonceTracker,
  GPU_TEE_PROVIDER_FAMILY, // 'confidential-gpu'
  GPU_ATTESTATION_RECORDED_KIND, // 'campus:gpu_attestation_recorded'
  type GpuAttestationInput,
  type GpuAttestationReceipt,
  type AttestationClaimProfile,
  type ReplayNonceTracker,
} from '@lumenflow/kernel/attestation';

Verification is fail-closed

verifyGpuAttestationQuote accepts an EAT (Entity Attestation Token) quote in JWT shape — base64url(header).base64url(payload).base64url(signature) — and returns a GpuAttestationReceipt. It never throws to bypass a check and never returns verified: true on a path that did not pass every gate. Every failure path returns a receipt with verified: false:

malformed quote (wrong segment count, undecodable JSON, unknown alg),
bad signature (verified against the caller-supplied PEM trust anchor),
measurement mismatch (the quote’s RIM digest is not in expectedMeasurements),
stale or replayed nonce.

The verification gates, all of which must pass:

The quote parses and its JOSE alg maps to a supported digest (ES256 / ES384 / ES512).
The signature verifies against the relying party’s trust anchor (verificationKeyPem).
The quote’s eat_nonce equals the expectedNonce (freshness).
The provider’s overall-result claim and every RIM-verified claim are boolean true — the claim keys are supplied by the caller as an opaque AttestationClaimProfile, never hardcoded in the kernel.
The GPU DIGEST measurement matches one of expectedMeasurements.

Replay rejection

An optional ReplayNonceTracker makes nonces single-use. A successful verify consumes its nonce; a failed verify never consumes one (a transient failure does not burn a still-valid nonce). A subsequent verify presenting an already-consumed nonce is rejected with verified: false.

const tracker = createReplayNonceTracker();
const first = verifyGpuAttestationQuote({ ...input, replayTracker: tracker });
// first.verified === true; nonce now consumed
const replay = verifyGpuAttestationQuote({ ...input, replayTracker: tracker });
// replay.verified === false (nonce already consumed)

Vendor-name-free receipt

The GpuAttestationReceipt reasons about the attesting hardware only through an opaque provider_family label — GPU_TEE_PROVIDER_FAMILY is 'confidential-gpu'. No hardware brand string appears in the receipt type or in the verification branch logic. Provider-specific wire-protocol field names are supplied by the caller as an opaque AttestationClaimProfile, so brand-bearing claim keys live behind a workspace-owned config layer, never in the kernel type system. This is the kernel-side application of the campus governance boundary’s vendor-name-free invariant.

interface GpuAttestationReceipt {
  tee_vendor: string; // opaque provider_family label (vendor-name-free)
  quote_hash: string; // SHA-256 of the raw quote, hex-encoded
  nonce: string; // the nonce bound into the quote
  verified: boolean; // true only if every gate passed
  attested_at: string; // ISO-8601 timestamp
}

Recording the campus event

buildGpuAttestationRecordedEvent is a pure factory that normalizes a receipt into a campus:gpu_attestation_recorded-compatible payload, so the campus pack records a GPU-TEE attestation without re-deriving the receipt’s fields. The event kind is GPU_ATTESTATION_RECORDED_KIND ('campus:gpu_attestation_recorded'), one of the five event kinds the campus telemetry pack emits.

GPU-TEE Attestation

Verification is fail-closed

Replay rejection

Vendor-name-free receipt

Recording the campus event

See also