anonymous authorization · attested, unlinkable, one-time

eat-pass

authorization tokens
privacy pass, gated on hardware attestation

an origin that wants to accept requests only from a genuine, attested build — without learning which client — needs anonymous authorization. eat-pass mints RFC 9578 blind-RSA tokens that are issued only for a request carrying a valid unified-quote attestation for an accepted measurement, and are unlinkable at redemption and spendable once. think Google Aratea / Apple ARC, rooted in the CPU vendor instead of a platform operator.

$ eat-pass demo · issuer → client → origin, in-process
# no network, no tee — the whole flow end to end
$ cargo run -p eat-pass-cli -- demo
attest PASS · gate PASS · blind-sign PASS · finalize 3 tokens
origin   token accepted + spent · replay rejected (double-spend)
$ live · token gated on a real azure sev-snp build (in-cvm)
# client inside the CVM binds value_x = channel binding via the vTPM AK quote
$ eat-pass issuer --gate azure --allow 41f77fe5…f4fab503 &
$ eat-pass token --attest azure --present http://origin/resource
[uq/azure] verdict verified · sig PASS · chain PASS # vcek → ask → ark-milan
[uq/azure] measurement 41f77fe5…f4fab503 · value_x_bound true
minted 1 token(s)
present → origin: 200 OK # access granted: attested, unlinkable, one-time
$ key transparency · rotation stays consistent
# clients pin the LOG key (one, long-lived) — not every issuer key
$ eat-pass token --kt-log-pub d04ab232… --kt-known-head 0:420245c2…
kt OK — issuer key included at seq 1, head signed by pinned key
kt OK — log is consistent with previously-seen head seq 0 # post-rotation
# /keys/1 still serves the retired key so old tokens still verify

how the binding reaches the silicon

a captured attestation must not be replayable against a different blind request. the per-request channel binding is folded into the hardware quote, so the AMD/Intel signature itself vouches for this issuance:

binding = sha256(blinded token inputs)        # per /sign request
   │
   ▼
report_data[0..32] / AK qualifyingData = binding   # hardware-signed
   │  unified-quote verifies → AMD/Intel root
   ▼
gate accepts measurement → blind-sign          # RFC 9474 RSABSSA
# result: token issued only for an attested build, unlinkable on redemption
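
the replay check described above, as an added example (not eat-pass's own code). assumptions: the vendor signature is simulated with an hmac under a stand-in key, the binding input is taken to be the blinded message bytes, and every name and value (`Quote`, `attest`, `gate`, the measurement) is hypothetical or constructed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Stand-in for the CPU vendor's signing key: a real quote is verified against
# the AMD/Intel certificate chain, not with HMAC. All values are constructed.
HW_KEY = os.urandom(32)
GOOD = bytes.fromhex("aa" * 48)  # constructed measurement of the accepted build
ALLOWED = {GOOD}

@dataclass(frozen=True)
class Quote:
    measurement: bytes
    report_data: bytes  # 64 bytes; [0..32] carries the binding
    signature: bytes

def binding_for(blinded_request: bytes) -> bytes:
    # binding = sha256(blinded token inputs), one per /sign request
    return hashlib.sha256(blinded_request).digest()

def _sig(measurement: bytes, report_data: bytes) -> bytes:
    return hmac.new(HW_KEY, measurement + report_data, hashlib.sha256).digest()

def attest(measurement: bytes, blinded_request: bytes) -> Quote:
    # Client: fold the binding into report_data, then let the "hardware" sign.
    rd = binding_for(blinded_request) + bytes(32)
    return Quote(measurement, rd, _sig(measurement, rd))

def gate(quote: Quote, blinded_request: bytes) -> str:
    # Issuer: signature first, then measurement, then the per-request binding.
    expected = _sig(quote.measurement, quote.report_data)
    if not hmac.compare_digest(expected, quote.signature):
        return "reject: bad signature"
    if quote.measurement not in ALLOWED:
        return "reject: measurement not allowed"
    if not hmac.compare_digest(quote.report_data[:32], binding_for(blinded_request)):
        return "reject: binding mismatch"
    return "accept"

def demo() -> dict:
    req_a, req_b = b"\x01" * 256, b"\x02" * 256  # constructed blinded messages
    quote = attest(GOOD, req_a)
    rewritten = Quote(GOOD, binding_for(req_b) + bytes(32), quote.signature)
    return {
        "fresh": gate(quote, req_a),         # quote made for this request
        "replayed": gate(quote, req_b),      # captured quote, different request
        "rewritten": gate(rewritten, req_b), # binding swapped after signing
        "other_build": gate(attest(bytes(48), req_a), req_a),
    }
```

because the binding sits inside the signed report, a captured quote fails on the binding check and a quote edited to match the new request fails on the signature check.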

the stack

agentic canon

no proof, no privilege.
make behavior enforceable · turn failures into evolution · compose through proofs · carry trust forward.