Orchestra’s worker runs inside a Trusted Execution Environment. The TEE isolates signing keys so they cannot be extracted, even with root access to the host. You can verify this yourself by requesting a signed attestation document from the API.

Quick check

curl "https://orchestration.flashnet.xyz/v1/attestation?nonce=my-random-value"
{
  "enclave": true,
  "nonce": "my-random-value",
  "document": "<base64-encoded COSE_Sign1 attestation document>"
}
The document field is a COSE_Sign1 structure signed by the Nitro Secure Module (NSM). It chains to AWS’s Nitro Attestation PKI root certificate. The nonce you provide is embedded in the document, proving it was generated fresh for your request. If the worker is not running in an enclave, the endpoint returns enclave: false with an error.

What’s in the attestation document

The COSE_Sign1 document contains a CBOR-encoded payload with:
Field         Description
module_id     Enclave instance identifier
timestamp     When the document was generated (milliseconds since epoch)
pcrs          Platform Configuration Registers (PCR0 = enclave image hash, PCR1 = kernel, PCR2 = application)
nonce         Your nonce, echoed back to prove freshness
certificate   The NSM signing certificate (X.509 DER)
cabundle      Certificate chain from the NSM cert to the AWS Nitro root CA

Verification steps

1. Decode the document

The document field is base64-encoded. Decode it, then parse as CBOR. The outer structure is COSE_Sign1: [protected_headers, unprotected_headers, payload, signature]. The payload is another CBOR-encoded map containing the attestation fields above.

2. Check the nonce

Extract the nonce field from the payload and confirm it matches what you sent. This proves the document was generated for your specific request, not replayed from an earlier one.

3. Verify PCR values

PCR0 is the hash of the enclave image. Each build produces a deterministic PCR0 value. You can compare it against the expected value to confirm the exact code running inside the enclave. Current PCR values are published by CI after each build and served at the same endpoint.

4. Verify the signature

The COSE_Sign1 signature covers ["Signature1", protected_headers, external_aad, payload]. Verify it using the public key from the certificate field. Then validate that the certificate chains through cabundle to the AWS Nitro Attestation PKI root. This confirms the document was produced by a real Nitro Secure Module, not fabricated.

Example: JavaScript verification

import { decode } from "cborg";

const nonce = crypto.randomUUID();
const resp = await fetch(
  `https://orchestration.flashnet.xyz/v1/attestation?nonce=${nonce}`
);
const { document } = await resp.json();

// Decode base64 -> COSE_Sign1 -> payload
const raw = Uint8Array.from(atob(document), (c) => c.charCodeAt(0));
const cose = decode(raw, { useMaps: true });
const payload = decode(cose[2], { useMaps: true });

// Convert to object
const doc = Object.fromEntries(
  [...payload.entries()].map(([k, v]) => [String(k), v])
);

// Verify nonce matches (console.assert only logs, so throw to stop on a mismatch)
const returnedNonce = new TextDecoder().decode(doc.nonce);
if (returnedNonce !== nonce) throw new Error("Nonce mismatch");

// Read PCR0 (enclave image hash)
const pcr0 = Array.from(doc.pcrs.get(0))
  .map((b) => b.toString(16).padStart(2, "0"))
  .join("");
console.log("PCR0:", pcr0);

// Certificate chain depth
console.log("Cert chain:", doc.cabundle.length, "certificates");

Why this matters

The attestation document proves three things:
  1. The worker runs in a Nitro Enclave (the NSM signature is unforgeable outside real hardware)
  2. The exact code is what you expect (PCR0 matches the published build hash)
  3. The proof is fresh (your nonce is embedded in the signed document)
No server outside a Nitro Enclave can produce a valid attestation document. The NSM hardware key is sealed inside AWS’s custom silicon and cannot be exported.