python3 (3.8+), docker, openssl, dig, and optionally cosign and cast (from Foundry).
1. Verify the TDX attestation quote (Platform)
What this checks: Is the server running on real Intel TDX hardware? The TDX attestation quote is like a hardware-signed certificate of authenticity — Intel’s chips sign a statement about what software is running, and this step verifies that signature is genuine. Fetch the attestation from the live API and run the official dstack verifier. This validates the Intel TDX quote signature (proving genuine hardware), replays the RTMR3 event log (proving no events were tampered with), and checks OS measurements. Save the Python script below asfix-attestation-event-log.py, then run the verification commands.
The dstack guest-agent strips digests from RTMR3 runtime events to reduce response size. The fix script recomputes them as
SHA384(event_type || ":" || event || ":" || payload). The Docker verifier’s parser rejects empty digests, so this preprocessing step is necessary.Why are there two TDX quotes? This guide verifies two separate TDX quotes from the same CVM:
/attestation(Step 1) returns a fresh TDX quote for validating RTMR measurements and the software stack. ItsreportDatais unused (all zeros)./evidences/quote.json(Step 3) returns a separate TDX quote generated by dstack-ingress, wherereportDatacontainsSHA-256(sha256sum.txt)— binding the TLS certificate checksums to the TEE hardware.
2. Verify the application code (Application)
What this checks: Is the TEE running the exact code you expect, with no modifications? This step verifies the Docker images and their configuration match what was built in CI from the public GitHub repository.LIT-Protocol/chipotle repo:
The
dstack-ingress image is a third-party dependency from the dstack project. It is Sigstore-signed from the dstack GitHub org, not from Lit’s. To verify it, use --certificate-identity-regexp "https://github.com/Dstack-TEE/dstack/.*" with the same OIDC issuer. See the dstack documentation for details on their signing and release process.3. Verify TLS terminates in the TEE (Network)
What this checks: Was the TLS certificate generated inside the TEE? This confirms your encrypted connection goes directly into the secure hardware — no proxy or intermediary can see your traffic. Lit Chipotle uses dstack-ingress for custom-domain TLS. Unlike the default dstack gateway (which embeds cert hashes directly in the CVM’s boot-time TDX quote viareportData), dstack-ingress runs as an application container and generates a separate TDX evidence quote after obtaining the Let’s Encrypt certificate. This evidence quote binds the certificate to TDX hardware through a checksum chain:
- dstack-ingress obtains a Let’s Encrypt cert via DNS-01 inside the TEE
- It computes
SHA-256of each evidence file (cert PEM, ACME account) →sha256sum.txt - It computes
SHA-256(sha256sum.txt)and requests a TDX quote with this hash asreportData - The evidence files and quote are served at
/evidences/on the custom domain
The CAA records on the gateway domain restrict certificate issuance to specific ACME account URIs. Verify that the ACME account URI from
/evidences/acme-account.json matches one of the accounturi= values in the CAA records. If they don’t match, it means this CVM’s ACME account is not authorized by the DNS policy to obtain certificates for this domain.4. Verify on-chain governance (Governance)
What this checks: Was the code running in the TEE authorized through on-chain governance? The compose-hash (a fingerprint of the entire application configuration) must be registered in a smart contract on Base before the CVM will accept it. This means deploying new code requires an on-chain transaction — you can audit the full history on Basescan. The compose-hash must be registered in the DstackApp smart contract on Base before the CVM will accept it. A separate Phala KMS contract whitelists allowed OS images and KMS instances. You can inspect both on Basescan. Finding the DstackApp contract address: The DstackApp contract is the on-chain governance contract that authorizes what code the CVM can run. To find the correct address for a given CVM:- Go to the Phala Cloud dashboard and look up the application by its
app_id(available fromGET /info). The dashboard shows the associated DstackApp contract address. - Verify the contract is the one your CVM is attached to by checking the
app_idin the/inforesponse matches the app registered in the contract on Basescan.
0x3F91Deaf16FF7C823eE65081d6bAFA1cEea05FfC (matches the app_id returned by GET /info). The Phala KMS contract is 0x2f83172A49584C017F2B256F0FB2Dca14126Ba9C.
0xF688411c0FFc300cAb33EB1dA651DBb3E6891098) on Base. This Safe administers:
- DstackApp (
0x3F91Deaf16FF7C823eE65081d6bAFA1cEea05FfC) — compose-hash whitelisting for the Lit Chipotle CVM - Phala KMS (
0x2f83172A49584C017F2B256F0FB2Dca14126Ba9C) — KMS configuration and allowed OS images - AccountConfig — details coming soon