Description
Zeph currently trusts the Cocoon sidecar implicitly via RA-TLS. There is no mechanism to verify the full attestation chain end-to-end: Zeph → sidecar → TEE worker. This is a compound attestation gap identified in arXiv:2605.03213.
Current State
- Zeph verifies RA-TLS certificate of the sidecar (ensures encrypted channel)
- Zeph does NOT verify that the sidecar itself is running in a TEE or is unmodified
- The sidecar-to-worker attestation is opaque to Zeph
- Documented as Known Limitation in specs/055-cocoon/spec.md §15.1 and §15.2
- Key Invariant added: NEVER implement compound attestation verification without upstream sidecar support
Trigger Condition
This issue becomes actionable when the Cocoon sidecar exposes an attestation evidence endpoint (TDX quote, proxy certificate chain, or similar). Monitor:
- Cocoon sidecar release notes
- GET /health or GET /stats response schema additions
Proposed Implementation (when trigger fires)
- Query sidecar attestation evidence endpoint on connection
- Verify the evidence chain (TDX quote → PCK cert → Intel SGX root)
- Surface attestation status in TUI and zeph cocoon doctor
- Config option: cocoon.verify_attestation_chain = true
Context
Related: #3692, #3677, #3676
- specs/055-cocoon/threat-model.md: threat table row T-4 (compound attestation gap)
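One way to automate the "Monitor" step under Trigger Condition, as an added example that is not part of the original issue and is not Zeph or Cocoon code: diff a saved GET /health (or GET /stats) response body against the current one and flag new fields that look like attestation evidence. The sample bodies, field names and hint list are constructed assumptions, not the sidecar's real schema.

```python
import json

# Substrings that suggest attestation evidence; chosen for this example only.
HINTS = ("attest", "tdx", "quote", "pck", "evidence", "measurement")


def key_paths(node, prefix=""):
    """Return the set of dotted key paths present in a decoded JSON document."""
    paths = set()
    if isinstance(node, dict):
        for key, value in node.items():
            path = f"{prefix}.{key}" if prefix else key
            paths.add(path)
            paths |= key_paths(value, path)
    elif isinstance(node, list):
        # List elements share one path so per-item differences do not add noise.
        for item in node:
            paths |= key_paths(item, prefix + "[]")
    return paths


def schema_additions(baseline_body, current_body):
    """Diff two response bodies; return (all new paths, attestation-looking ones)."""
    baseline = key_paths(json.loads(baseline_body))
    current = key_paths(json.loads(current_body))
    added = current - baseline
    flagged = {p for p in added if any(h in p.lower() for h in HINTS)}
    return sorted(added), sorted(flagged)


# Constructed sample bodies; every field name here is hypothetical.
BASELINE_HEALTH = (
    '{"status": "ok", "uptime_s": 120, "workers": [{"id": "w1", "ready": true}]}'
)
CURRENT_HEALTH = """{"status": "ok", "uptime_s": 300, "version": "0.0.0-example",
  "workers": [{"id": "w1", "ready": true,
               "attestation": {"tdx_quote": "PLACEHOLDER"}}]}"""

if __name__ == "__main__":
    added, flagged = schema_additions(BASELINE_HEALTH, CURRENT_HEALTH)
    print("new fields:", added)
    print("possible attestation evidence:", flagged)
```

A flagged path only means the response schema has changed and the trigger should be re-evaluated; it verifies nothing about the evidence itself.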