Why verify attestation?

Attestation gives you cryptographic proof that your AI models run in genuine TEE hardware. This ensures no one can tamper with your models or data. Verification confirms the hardware, operating system, and source code are all authentic.

Verify TEE hardware

Start by fetching the attestation report from Phala Cloud’s API. This report contains everything you need to verify both GPU and CPU hardware.

Get the attestation report

Python
import requests

url = f"https://api.redpill.ai/v1/attestation/report?model={model}"
headers = {
    "accept": "application/json",
    "Content-Type": "application/json", 
    "Authorization": f"Bearer {api_key}"
}
response = requests.get(url, headers=headers)
report = response.json()
The response includes three key pieces:
  • nvidia_payload: GPU attestation data for NVIDIA verification
  • intel_quote: CPU attestation quote for Intel TDX verification
  • signing_address: Cryptographic key that signs your AI responses

Verify NVIDIA GPU attestation

Send the NVIDIA payload to their attestation service for verification:
Python
url = "https://nras.attestation.nvidia.com/v3/attest/gpu"
headers = {"accept": "application/json", "content-type": "application/json"}
response = requests.post(url, headers=headers, data=report['nvidia_payload'])
gpu_result = response.json()
The response includes JWT tokens - one for each GPU. Decode them to check attestation results:
Python
# For each GPU token
jwt_payload = parse_jwt_token(gpu_token)
result = jwt_payload.get('x-nvidia-overall-att-result')
print(f"GPU attestation result: {result}")  # Should be 'true'

Verify Intel TDX CPU attestation

Copy the Intel quote and verify it at the TEE Attestation Explorer. Paste the intel_quote value into the verification tool to confirm CPU authenticity.

Verify operating system integrity

Check the event_log in your attestation report. This log contains hashes of every software component loaded during boot. Compare these against known good values to ensure your OS hasn’t been modified. The event log provides a complete chain of trust from hardware boot to application execution.

Verify source code authenticity

The info field contains a hash of your docker compose configuration and application image. Verify this hash matches your expected source code to prevent tampering. This ensures your AI model and its environment match what you deployed originally.

Verify distributed root-of-trust

Phala Cloud uses a KMS with distributed trust. The attestation report includes KMS verification data to confirm no unauthorized access occurred.
Great! You’ve now verified the hardware, OS, and source code. Next, verify response signatures to ensure your AI outputs are authentic.