feat(server): implement tee info and attestation endpoints

Author: fbozic

Cargo.lock

@@ -106,9 +106,11 @@ clap = "4.4.18"
 serial_test = "3.2"
 color-eyre = "0.6.2"
 comfy-table = "7.0"
+configfs-tsm = "0.0.2"
 const_format = "0.2.32"
 curve25519-dalek = "4.1.3"
 dashmap = "6.1.0"
+dcap-qvl = "0.3"
 dirs = "5.0.1"
 ed25519-consensus = "2.1.0"
 ed25519-dalek = "2.1.1"
@@ -168,6 +170,8 @@ starknet-types-core = "0.2.0"
 strum = "0.26.2"
 syn = { version = "2.0", features = ["full"] }
 tempdir = "0.3.7"
+tdx-quote = "0.0.4"
+tdx_workload_attestation = "0.1.0"
 thiserror = "1.0.56"
 thunderdome = "0.6.1"
 tokio = "1.47.1"

Cargo.toml

@@ -10,6 +10,7 @@ publish = true
 
 [dependencies]
 axum = { workspace = true, features = ["multipart", "ws", "tokio"] }
+base64.workspace = true
 eyre.workspace = true
 futures-util.workspace = true
 hex.workspace = true
@@ -36,6 +37,10 @@ calimero-primitives.workspace = true
 calimero-server-primitives.workspace = true
 calimero-store = { workspace = true, features = ["serde"] }
 
+[target.'cfg(target_os = "linux")'.dependencies]
+configfs-tsm.workspace = true
+tdx_workload_attestation = { workspace = true, features = ["tdx-linux"] }
+
 [dev-dependencies]
 color-eyre.workspace = true
 tokio = { workspace = true, features = ["macros", "rt-multi-thread"] }

crates/server/Cargo.toml

@@ -1069,3 +1069,75 @@ impl SyncContextResponse {
         Self { data: Empty {} }
     }
 }
+
+// -------------------------------------------- TEE API --------------------------------------------
+
+#[derive(Debug, Deserialize)]
+#[serde(rename_all = "camelCase")]
+pub struct TeeAttestRequest {
+    /// Client-provided nonce for freshness (32 bytes as hex string)
+    pub nonce: String,
+    /// Optional application ID to include in attestation
+    /// If provided, the application's bytecode BlobId (hash) will be included in report_data
+    pub application_id: Option<ApplicationId>,
+}
+
+impl TeeAttestRequest {
+    pub fn new(nonce: String, application_id: Option<ApplicationId>) -> Self {
+        Self {
+            nonce,
+            application_id,
+        }
+    }
+}
+
+#[derive(Debug, Serialize)]
+#[serde(rename_all = "camelCase")]
+pub struct TeeInfoResponseData {
+    /// Cloud provider (e.g., "gcp", "azure", "unknown")
+    pub cloud_provider: String,
+    /// OS image name (e.g., "ubuntu-2404-tdx-v20250115")
+    pub os_image: String,
+    /// MRTD extracted from TD report (48 bytes hex)
+    pub mrtd: String,
+}
+
+#[derive(Debug, Serialize)]
+#[serde(rename_all = "camelCase")]
+pub struct TeeInfoResponse {
+    pub data: TeeInfoResponseData,
+}
+
+impl TeeInfoResponse {
+    pub fn new(cloud_provider: String, os_image: String, mrtd: String) -> Self {
+        Self {
+            data: TeeInfoResponseData {
+                cloud_provider,
+                os_image,
+                mrtd,
+            },
+        }
+    }
+}
+
+#[derive(Debug, Serialize)]
+#[serde(rename_all = "camelCase")]
+pub struct TeeAttestResponseData {
+    /// Base64-encoded TDX quote
+    /// The quote contains the report_data which the client must verify
+    pub quote_b64: String,
+}
+
+#[derive(Debug, Serialize)]
+#[serde(rename_all = "camelCase")]
+pub struct TeeAttestResponse {
+    pub data: TeeAttestResponseData,
+}
+
+impl TeeAttestResponse {
+    pub fn new(quote_b64: String) -> Self {
+        Self {
+            data: TeeAttestResponseData { quote_b64 },
+        }
+    }
+}

crates/server/primitives/src/admin.rs

@@ -9,3 +9,4 @@ pub mod list_versions;
 pub mod packages;
 pub mod peers;
 pub mod proposals;
+pub mod tee;

crates/server/src/admin/handlers.rs

@@ -0,0 +1,11 @@
+use axum::routing::{get, post};
+use axum::Router;
+
+mod attestation;
+mod info;
+
+pub fn service() -> Router {
+    Router::new()
+        .route("/info", get(info::handler))
+        .route("/attest", post(attestation::handler))
+}