Overview
Attestation in Continuum is a cornerstone of the platform's security architecture, ensuring that all AI workloads are executed in a trusted environment. This process verifies the integrity and authenticity of AI workers and the underlying infrastructure before any data processing begins. By leveraging attestation, Continuum guarantees that only verified and trusted code can operate, safeguarding both the confidentiality and integrity of your data.
Attestation flow in Continuum
The attestation process in Continuum is designed to provide end-to-end security. Verification of attestation evidence is always based on a manifest. Both the client and the attestation service need to have a manifest configured before they can verify attestation data. The steps to verify a Continuum cluster are as follows:
-
Client request: The process begins when client software sends a request to the Continuum platform, including a demand for attestation. The client verifies the identity and integrity of the attestation service by comparing its hardware attestation report against the client's manifest that contains the expected reference values. The client also verifies that the manifest configured in the attestation service is identical to its own. Once the client confirms the attestation service's integrity, it securely transmits the encryption keys to the attestation service.
-
Attestation service verification: The attestation service verifies the AI worker's integrity by comparing their attestation report against the configured manifest. The attestation service ensures that only AI workers complying with the manifest are allowed to be part of the Continuum cluster.
-
Key distribution: Once the attestation service confirms the AI worker's integrity, it securely grants them access to the necessary encryption keys. The client-side initially encrypts the prompt and sends it to the AI worker. This attestation-based key release ensures that the AI worker can decrypt and process the data only within a verified, trusted environment.
-
Data processing: With successful attestation and key distribution, the AI worker processes the encrypted data within the sandbox of its confidential VM. This guarantees that all operations are conducted in a trusted and protected environment, maintaining the security and integrity of the entire process.
Components of attestation
-
Manifest: The manifest is a detailed record that lists the expected measurements and configurations for the attestation service and the AI workers. It serves as a reference point for a client to verify the attestation service and for the attestation service to verify the AI worker's environment before any data processing begins. By ensuring that only trusted configurations are allowed to execute, the manifest forms a critical part of Continuum's security model.
-
Encryption and key management: Continuum tightly integrates encryption and key management with attestation. Encryption keys are distributed to AI workers only after successful attestation, ensuring that data remains protected at all times. This process guarantees that sensitive data is accessible only to verified and trusted workers, with keys securely transferred from the client to the attestation service and then to the AI worker.
-
Trust anchors: Trust anchors are the fundamental elements in the attestation process, providing the necessary foundation for establishing a chain of trust. These include hardware-based roots of trust and predefined reference values, ensuring that only known and trusted entities can process sensitive data.
Chain of trust
In summary, there's a chain of trust based on cryptographic signatures that goes from the user to the AI worker via the attestation service. This is illustrated in the following diagram.