Skip to content

Independent Attestation Verification

Never trust, always verify. Don't even take our word for it.

This guide explains how to independently verify AI Passport attestations directly with hardware vendors. You don't need to trust Lucid — you can cryptographically prove that the AI you're using runs in genuine secure hardware.

Why Verify Independently?

Lucid provides attestation verification, but the entire point of hardware-based security is that you don't have to trust anyone. The cryptographic proofs are verifiable against AMD, Intel, and NVIDIA's public root certificates.

Trust Model What You're Trusting
Traditional AI The provider's promises
Lucid-verified Lucid's verification service
Independent verification Only the hardware vendor's cryptography

Independent verification is the gold standard for zero-trust security.

Step 1: Download the Evidence Bundle

First, export the raw attestation evidence from the AI Passport.

Using the CLI

# Export attestation evidence for a passport
lucid passport export pass-abc123 --format=cbor --output=evidence.cbor

# Or export as JSON for inspection
lucid passport export pass-abc123 --format=json --output=evidence.json

Using the API

curl -X GET "https://verifier.lucidcomputing.ai/v1/passports/pass-abc123/evidence" \
  -H "Authorization: Bearer $LUCID_API_KEY" \
  -o evidence.cbor

Using the Observer UI

  1. Open the AI Passport details
  2. Navigate to the "Verify Yourself" page
  3. Click "Download Evidence Bundle"

What's in the Evidence Bundle?

Field Description
quote Raw hardware attestation quote (binary)
certificates Certificate chain from chip to vendor root
report_data Nonce/challenge proving freshness
measurements Software hashes (MRTD, RTMR, etc.)
tcb_info Trusted Computing Base version

Step 2: Verify with Hardware Vendors

AMD SEV-SNP Verification

AMD SEV-SNP (Secure Encrypted Virtualization - Secure Nested Paging) attestations can be verified using AMD's Key Distribution Service (KDS).

Prerequisites

# Install snpguest (AMD's official verification tool)
cargo install snpguest

# Or use the Rust library directly
cargo add sev

Download AMD Certificates

# Fetch the AMD Root Key (ARK) and AMD SEV Key (ASK)
snpguest fetch ca pem milan ./certs

# Fetch the Versioned Chip Endorsement Key (VCEK) for the specific chip
# The chip_id is in your evidence bundle
snpguest fetch vcek pem milan <chip_id> ./certs

Verify the Attestation

# Verify the attestation report
snpguest verify attestation \
  --report evidence.bin \
  --vcek ./certs/vcek.pem \
  --ask ./certs/ask.pem \
  --ark ./certs/ark.pem

# Check the output:
# ✓ Signature verification passed
# ✓ Certificate chain valid
# ✓ TCB version acceptable

Manual Verification with OpenSSL

# Extract the signature from the report
# (first 512 bytes after the 0x2A0 offset)

# Verify against VCEK public key
openssl dgst -sha384 -verify vcek_pubkey.pem \
  -signature report_signature.bin \
  report_body.bin

AMD KDS Portal

You can also verify certificates manually at AMD's Key Distribution Service:

  • KDS Interface: https://kdsintf.amd.com
  • Certificate Fetch: https://kdsintf.amd.com/vcek/v1/{product_name}/{chip_id}

Intel TDX Verification

Intel Trust Domain Extensions (TDX) attestations are verified using Intel's Provisioning Certification Service (PCS).

Prerequisites

# Install Intel's Quote Verification Library
# Ubuntu/Debian
sudo apt install libsgx-dcap-quote-verify

# Or use the Rust crate
cargo add intel-dcap

Download Intel Certificates

# Fetch the Intel root CA and PCK certificates
# These are embedded in the quote or fetched from PCS

# Intel PCS API endpoint
curl "https://api.trustedservices.intel.com/sgx/certification/v4/pckcert" \
  -H "Content-Type: application/json" \
  -d '{"platformManifest": "...", "cpusvn": "...", "pcesvn": "..."}' \
  -o pck_cert.pem

Verify the Attestation

# Using Intel's verification tool
tdx-cli verify --quote quote.dat

# Expected output:
# Quote verification: PASSED
# TCB Status: UpToDate
# Advisory IDs: None

Programmatic Verification (Rust)

use intel_dcap::quote::Quote;
use intel_dcap::verify::verify_quote;

let quote_bytes = std::fs::read("quote.dat")?;
let quote = Quote::parse(&quote_bytes)?;

let result = verify_quote(&quote, &collateral)?;
assert!(result.is_valid());
println!("MRTD: {:?}", quote.report_body.mr_td);
println!("RTMR[0]: {:?}", quote.report_body.rtmrs[0]);

Intel Trusted Services Portal

  • API Documentation: https://api.trustedservices.intel.com
  • Root CA Certificates: https://certificates.trustedservices.intel.com

NVIDIA GPU Verification

NVIDIA Confidential Computing attestations (H100 and newer) are verified using NVIDIA's Remote Attestation Service (NRAS).

Prerequisites

# Install NVIDIA's attestation SDK
pip install nv-attestation-sdk

# Or use the verification CLI
pip install nvidia-cc-verifier

Verify GPU Attestation

# Verify using NVIDIA's service
nv-attestation verify \
  --evidence gpu_evidence.json \
  --nras-url https://nras.attestation.nvidia.com

# Output:
# GPU Attestation: VALID
# GPU Model: H100
# Driver Version: 535.104.05
# CC Mode: Enabled

Programmatic Verification (Python)

from nv_attestation_sdk import Attestation

# Load evidence
with open("gpu_evidence.json") as f:
    evidence = json.load(f)

# Verify against NVIDIA's service
verifier = Attestation()
result = verifier.verify(
    evidence=evidence,
    nras_url="https://nras.attestation.nvidia.com"
)

if result.valid:
    print(f"GPU: {result.gpu_info.model}")
    print(f"CC Mode: {result.cc_mode}")
    print(f"Measurement: {result.measurement}")
else:
    print(f"Verification failed: {result.error}")

NVIDIA Attestation Portal

  • NRAS Documentation: https://docs.nvidia.com/confidential-computing
  • Verification Service: https://nras.attestation.nvidia.com

Step 3: Verify the Certificate Chain

All TEE attestations include a certificate chain that connects the specific chip to the vendor's root certificate. Verifying this chain proves the quote came from genuine hardware.

Certificate Chain Structure

flowchart TB
    ROOT["<b>Vendor Root CA (ARK)</b><br/>Self-signed, offline"]
    INT["<b>Intermediate CA (ASK/PCK)</b><br/>Signed by Root CA"]
    CHIP["<b>Chip Key (VCEK/TCB)</b><br/>Burned into hardware"]
    QUOTE["<b>Attestation Quote</b><br/>Contains measurements"]

    ROOT -->|signs| INT
    INT -->|signs| CHIP
    CHIP -->|signs| QUOTE

    ROOT -.- N1["Published by AMD/Intel/NVIDIA<br/>(verify against known fingerprint)"]
    INT -.- N2["Vendor signing key"]
    CHIP -.- N3["Unique to this specific chip"]
    QUOTE -.- N4["The evidence you're verifying"]

Verifying the Chain with OpenSSL

# Verify intermediate cert is signed by root
openssl verify -CAfile ark.pem ask.pem
# Expected: ask.pem: OK

# Verify chip cert is signed by intermediate
openssl verify -CAfile ask.pem -untrusted ark.pem vcek.pem
# Expected: vcek.pem: OK

# Verify quote signature with chip cert
openssl dgst -sha384 -verify vcek_pubkey.pem \
  -signature quote_sig.bin quote_body.bin
# Expected: Verified OK

Known Root Certificate Fingerprints

Verify the root certificate against published fingerprints:

Vendor Product SHA-256 Fingerprint
AMD Milan 0x8A:3F:... (check AMD website)
AMD Genoa 0x9B:4E:... (check AMD website)
Intel TDX 0x7C:2D:... (check Intel website)
NVIDIA H100 0x5E:1A:... (check NVIDIA website)

Always verify fingerprints against the vendor's official documentation.

Step 4: Verify Software Measurements

The attestation quote contains cryptographic hashes of the running software. Compare these against known-good values.

Understanding Measurements

Measurement AMD SEV-SNP Intel TDX What It Measures
Launch measurement MEASUREMENT MRTD Initial VM image
Runtime measurement REPORT_DATA RTMR[0-3] Runtime state
Host data HOST_DATA MRCONFIGID Configuration

Comparing Measurements

# Extract measurement from your evidence
jq -r '.measurements.mrtd' evidence.json

# Compare against Lucid's published measurements
curl https://lucidcomputing.ai/measurements/latest.json | \
  jq -r '.environments["env-abc123"].mrtd'

# They should match exactly

Lucid Measurement Registry

We publish all expected measurements for transparency:

  • Measurement Registry: https://lucidcomputing.ai/measurements
  • GitHub: https://github.com/lucid-labs/measurements

Programmatic Verification

Python SDK

from lucid_auditor_sdk import verify_attestation_independently

# Load evidence bundle
with open("evidence.cbor", "rb") as f:
    evidence = f.read()

# Verify directly against hardware vendors (bypasses Lucid)
result = verify_attestation_independently(
    evidence=evidence,
    # These calls go directly to AMD/Intel/NVIDIA, not Lucid
    fetch_certs_from_vendor=True,
    verify_cert_chain=True,
    check_measurements=True
)

print(f"Hardware Verified: {result.hardware_valid}")
print(f"Certificate Chain: {result.chain_valid}")
print(f"Measurements Match: {result.measurements_valid}")
print(f"TEE Type: {result.tee_type}")
print(f"TCB Version: {result.tcb_version}")

Rust Library

use lucid_attestation::{Evidence, verify_independent};

let evidence = Evidence::from_file("evidence.cbor")?;

// Verify against hardware vendor directly
let result = verify_independent(&evidence, VerifyOptions {
    fetch_vendor_certs: true,
    verify_chain: true,
    check_tcb: true,
})?;

assert!(result.is_valid());
println!("TEE: {:?}", result.tee_type);
println!("Measurement: {:?}", result.measurement);

Go Library

import "github.com/lucid-labs/lucid-go/attestation"

evidence, _ := attestation.LoadEvidence("evidence.cbor")

// Verify independently
result, err := attestation.VerifyIndependent(evidence, &attestation.Options{
    FetchVendorCerts: true,
    VerifyChain:      true,
})

if result.Valid {
    fmt.Printf("TEE: %s\n", result.TEEType)
    fmt.Printf("Measurement: %x\n", result.Measurement)
}

Troubleshooting

Common Verification Failures

Error Cause Solution
Certificate chain invalid Outdated root cert Fetch latest from vendor
TCB out of date Old firmware May still be valid, check advisories
Measurement mismatch Different software version Verify against correct expected measurement
Quote expired Stale attestation Request fresh passport
Signature invalid Corrupted evidence Re-download evidence bundle

Debug Mode

# Enable verbose output for debugging
lucid passport verify pass-abc123 --verbose --independent

# This will show:
# - Certificate chain details
# - Measurement comparisons
# - TCB version checks
# - Signature verification steps

Security Considerations

What Independent Verification Proves

  • The attestation came from genuine AMD/Intel/NVIDIA hardware
  • The specific software measurement at attestation time
  • The TCB (firmware) version of the hardware
  • The attestation is fresh (not replayed)

What It Doesn't Prove

  • That the software is still running (attestation is a snapshot)
  • That the software does what it claims (you trust the measurement registry)
  • Protection against hardware vulnerabilities (check vendor advisories)

Best Practices

  1. Verify periodically — Don't just check once
  2. Pin measurements — Store expected values, alert on changes
  3. Check TCB advisories — Hardware vulnerabilities may affect trust
  4. Use multiple verification paths — CLI + programmatic + manual

VAP Startup Handshake Attestation

Verifiable Agent Pods (VAP) introduce an additional attestation flow at agent startup. When a VAP-based agent boots inside a TEE, the following handshake occurs:

Handshake Flow

  1. Agent entrypoint starts inside the TEE pod (injected with CoCo AA sidecar by the Operator).
  2. TEE quote generation: The agent requests a hardware attestation quote from the CoCo Attestation Agent, binding the agent's identity (email, workspace ID) into the quote's report_data field.
  3. Registration request: The agent sends the quote to the Verifier's agent registration endpoint (POST /v1/agents/register) along with its container image digest.
  4. Verifier appraisal: The Verifier validates the hardware quote against the vendor's root certificates (AMD/Intel/NVIDIA), confirms the image digest matches the expected measurement, and binds the agent identity to the attested environment.
  5. Bootstrap token issued: On successful verification, the Verifier issues a short-lived bootstrap token that the agent uses for subsequent API calls. This token is scoped to the agent's identity and automatically refreshes via a heartbeat loop.

TEE Quote Verification for Model Endpoints

When organizations register self-hosted model endpoints, the Verifier performs the same hardware attestation verification used for auditors. The model's TEE quote is validated against vendor root certificates, and the trust tier is recorded in the passport:

Trust Tier Verification
TEE-attested Hardware quote verified -- highest trust. Quote hash + image digest recorded in passport.
mTLS-verified Certificate-based identity, encrypted in transit. mTLS cert fingerprint recorded.
API-key Trust based on API key only -- lowest tier. API key ID + endpoint recorded.

The passport displays trust tier per component, so relying parties can see exactly where each piece of the chain ran (e.g., "PII check ran in TEE, custom auditor ran externally via mTLS, model inference on customer TEE").

This verification can be performed independently using the same tools described in Step 2 above. The agent's TEE quote is included in the evidence bundle alongside auditor quotes.

Further Reading