Attestable MCP
by
attestable-mcp-server is an MCP (Model Context Protocol) server designed to run within a Trusted Execution Environment (TEE). Its primary function is to enable remote attestation, allowing MCP clients to verify the integrity and authenticity of the server's running code before establishing a connection.
Attestable MCP Overview
What is attestable-mcp-server?
attestable-mcp-server is an MCP (Model Context Protocol) server designed to run within a Trusted Execution Environment (TEE). Its primary function is to enable remote attestation, allowing MCP clients to verify the integrity and authenticity of the server's running code before establishing a connection. This is achieved by generating a certificate during the TLS handshake that contains an SGX quote and evidence claims, proving that the server is running the intended and untampered code.
How to use attestable-mcp-server?
To use attestable-mcp-server, you'll typically follow these steps:
- Dependencies: Ensure you have Intel SGX Hardware, Gramine, Python 3.13, Ubuntu 22.04, and Intel SGX SDK & PSW installed.
- Build: Use the provided
uv syncanddocker buildcommands to create the Docker image. The project leverages Gramine for building the server within a TEE. - Generate Keys: Generate a private key using
gramine-sgx-gen-private-key. - Gramine Build: Utilize the
gsctool (Gramine Shielded Containers) to build the Gramine base and then theattestable-mcp-server. - Sign Image: Sign the built image using
gsc sign-image. - Run Server: You can run the server on secure hardware or a local development machine using
docker runcommands provided in the quickstart section.
Key Features of attestable-mcp-server
- Remote Attestation: MCP Clients can remotely verify the code running on any MCP Server, ensuring its integrity and authenticity.
- Trusted Execution Environment (TEE) Integration: The server runs within a TEE (e.g., Intel SGX via Gramine), providing a secure environment for code execution.
- RA-TLS Protocol: Utilizes RA-TLS (Remote Attestation TLS) for secure client-server communication and attestation.
- SGX Quote Embedding: The generated certificate embeds an SGX quote and evidence claims, including a "pubkey-hash" claim for verifying the ephemeral public key.
- Optional Client Attestation: MCP Servers can optionally remotely attest MCP Clients.
- Signed Artifacts: The project uses GitHub Actions to build a Docker container and generate a signed attestation of the code running inside the TEE, which is then signed by GitHub.
Use Cases of attestable-mcp-server
- Secure MCP Server Deployment: Deploying MCP servers in environments where verifying the server's code integrity is crucial.
- Confidential Computing: Enabling confidential computing scenarios where sensitive data processing requires assurance that the code is untampered.
- Blockchain and Decentralized Applications: Providing a verifiable and trusted backend for decentralized applications that rely on secure server interactions.
- Financial Services: Ensuring the integrity of financial transaction processing servers.
- Critical Infrastructure: Deploying secure servers for critical infrastructure where unauthorized code modifications could have severe consequences.
FAQ about attestable-mcp-server
Q: What is remote attestation? A: Remote attestation is a process where a client can verify that the code running on a remote server is the intended and untampered code. This is achieved by leveraging trusted hardware features and cryptographic proofs.
Q: What is a Trusted Execution Environment (TEE)? A: A TEE is a secure area within a processor that provides a higher level of security than the rest of the system. It ensures the confidentiality and integrity of code and data loaded within it.
Q: What is RA-TLS? A: RA-TLS (Remote Attestation TLS) is an extension to the TLS protocol that incorporates machine and code-specific measurements, allowing clients to verify the integrity of the server during the TLS handshake.
Q: What are SGX quotes? A: SGX (Software Guard Extensions) quotes are cryptographic proofs generated by Intel SGX enclaves that attest to the integrity of the code and data running within the enclave.
Q: Can I independently verify the signed artifacts? A: Yes, the project states that you can independently generate the same values with or without secure hardware and query their running server to get the same values, allowing for independent verification of the signed artifacts.
Attestable MCP's README
➡️ attestable-mcp-server
remotely attestable MCP server
Overview
This project contains an MCP Server that is remotely attestable by MCP clients. To achieve this, a trusted execution environment is used, which generates a certificate representing the currently-running code of the attestable-mcp-server. The attestable-mcp-server sends this certificate in the TLS handshake to an MCP client before connecting that proves the code it's running is the same code built on github actions, and can be independently validated by building and running the code locally on emulated hardware or secure hardware; these values will be the same. The protocol used for client <-> server remote attestation is RA-TLS, an extension to TLS that adds machine and code specific measurements that can be verified by an MCP client.
The most important concept behind this RA-TLS certificate is that it embeds an SGX quote in the standardized X.509 extension field with the TCG DICE "tagged evidence" OID, which in turn embeds the SGX report and the complete Intel SGX certificate chain. In addition to the SGX quote, the certificate also contains the evidence claims, with the most important one being the "pubkey-hash" claim that contains the hash of the ephemeral public key (in DER format) generated by the TEE of the memory image of the running MCP server.
Features
- MCP Clients can remotely attest the code running on any MCP Server
- MCP Servers can optionally remotely attest MCP Clients
Producing Signed Artifacts
The github action script in this repo runs on a self-hosted github runner inside of a trusted execution environment (TEE). The action script will build a docker container containing the attestable-mcp-server and generate a signed attestation of the code running inside the TEE. This docker image is then signed by github. You can independently generate the same values with or without secure hardware, and query our running server and get the same values.
Dependencies
- Intel SGX Hardware
- Gramine
- python 3.13
- Ubuntu 22.04
- Intel SGX SDK & PSW
Quickstart
uv sync
docker build -t attestable-mcp-server .
gramine-sgx-gen-private-key
git clone https://github.com/gramineproject/gsc docker/gsc
cd docker/gsc
uv run ./gsc build-gramine --rm --no-cache -c ../gramine_base.config.yaml gramine_base
uv run ./gsc build -c ../attestable-mcp-server.config.yaml --rm attestable-mcp-server ../attestable-mcp-server.manifest
uv run ./gsc sign-image -c ../attestable-mcp-server.config.yaml attestable-mcp-server "$HOME"/.config/gramine/enclave-key.pem
uv run ./gsc info-image gsc-attestable-mcp-server
Starting Server on Secure Hardware
docker run -itp --device=/dev/sgx_provision:/dev/sgx/provision --device=/dev/sgx_enclave:/dev/sgx/enclave -v /var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket -p 8000:8000 --rm gsc-attestable-mcp-server
Starting Server on local development machine
docker run -p 8000:8000 --rm gsc-attestable-mcp-server
TODO
- add MCP client demonstrating ra-tls
- add intel-signed measurements from our github action to this readme for simple independent verification
Future Plans
- JSON Web Key (JWK) attestation claim validation
cobrowser.xyz
Attestable MCP Reviews
Reviews feature coming soon
Stay tuned for community discussions and feedback
Actions
Attestable MCP's Information
- Author
- co-browser
- Category
- Identity & Security
- Language
- Python
- Stars
- 13
- Updated
- about 1 month ago