
E2E TEE Verification

[WIP] An end-to-end TEE verification flow for TDX and AWS Nitro secure enclaves

Problem Statement

There are few resources for comprehensive, end-to-end verification of TEEs. This is the start of a project to create a fully verifiable TEE build on TDX and Nitro that any user can replicate for themselves in 60 minutes, going from application code to machine image measurements and verification of the certificate chain.

Solution

These are mostly setup scripts for TEE DevOps. TDX verification requires getting an API key via email from Intel, which wasn't feasible after the end of the business week. The project switched to Nitro, which is a more integrated system but has a different enclave architecture, where enclaves talk to an EC2 machine over vsock (which is supported inconsistently). Certificate verification is similar across both platforms.

Hackathon

ETHGlobal New York 2025

2025

Contributors