AWS is probably not the best way to run it. The way you can know is when it's attestation by the Intel/AMD secure element. At that point, the key is signed by Intel/AMD. And they have no idea what is running or where; it's the processor signing. How can you be sure you are not talking to an emulation? As long as you can't extract the key from the chip, or convince Intel to sign a bogus key, you're fine. It's not 100% foolproof, but for a Cashu wallet, it's enough.

I would also like to see mints running like this, that would be even better.

Discussion

And yes, there are cloud providers that give you CPU attestation, even Amazon, although not through AWS Nitro enclaves:

If you want the hardware (CPU-vendor) to be the root of trust (instead of a cloud-proprietary PKI like AWS Nitro), look for offerings built on Intel SGX/TDX or AMD SEV-SNP. Those produce attestation evidence signed by the CPU vendor’s silicon/firmware keys.

Microsoft Azure — Intel SGX VMs (DCsv series). SGX quotes are validated against Intel’s root (IAS/DCAP). Microsoft’s Azure Attestation can broker verification, but it explicitly checks that the quote’s trusted root “belongs to Intel.”

Google Cloud — Confidential VMs (AMD SEV-SNP / Intel TDX). You can request an attestation report directly from the AMD Secure Processor (for SNP) or TDX module and verify it against the vendor chain (AMD ARK/ASK or Intel).

AWS — EC2 instances with AMD SEV-SNP. Separate from Nitro Enclaves, EC2 SNP instances expose the AMD-signed attestation report and cert chain (ARK/ASK/VCEK) for you to verify.

Oracle Cloud (OCI) — Confidential Compute (AMD SEV/SEV-SNP). OCI’s confidential VMs run on AMD EPYC; attestation follows the AMD SNP model, i.e., hardware report verifiable against AMD’s KDS certs.

IBM Cloud — Hyper Protect Virtual Servers (IBM Z Secure Execution). Attestation is rooted in IBM’s CPU/platform (vendor hardware trust), not a third-party cloud PKI.

Smaller VPS/bare-metal providers with AMD SEV-SNP also exist; they expose the AMD report so you verify against AMD’s ARK/ASK (example walkthrough shows fetching those from AMD’s KDS).

Rule of thumb: If the service is SGX/TDX or SEV-SNP based, the attestation evidence chains to Intel or AMD. If it’s a proprietary enclave layer (e.g., AWS Nitro Enclaves), attestation chains to the cloud provider’s PKI.