Zero-Trust Attestation

TEE
Verification

Independent cryptographic verification of hardware attestation evidence from confidential inference providers. Raw quotes are parsed and verified against vendor roots of trust — no server-side claims are trusted.

107 Total Checks
59 Verified
25 Partial
9 Failed
14 Unreachable
8 TEE-Terminated TLS 52 Attested E2EE 24 TEE-only Gateway
Last checked: Jun 8, 2026, 12:04 PM Methodology: Raw TDX/SNP quotes verified via Intel DCAP quote verification (dcap-qvl) using Intel PCS (default) / AMD KDS VCEK path; compose hashes are recomputed and compared against claimed `tcb_info`; pinned image digests are verified against OCI registries. Hardware-verified checks with incomplete image or Sigstore provenance are reported as partial, not failed. Privatemode public manifests are reference values only and are not counted as verification. Trust model: Zero-trust — verified channels are categorized as TEE-Terminated TLS, Attested E2EE, or TEE-only Gateway

Chutes

4/12
Availability issue The verifier could not fetch fresh evidence for every check in this run.
4 verified 0 partial 0 failed 8 unavailable
Intel TDX Attested E2EE
Hardware 4/12 good Freshness 4/12 good Key binding 4/12 good Workload Not shown Provenance 4/12 good Availability 8 warning
Endpoint unavailable 8
Deepseek Ai/DeepSeek V3.2 TEE (TEE) Details
Endpoint unavailable Fresh evidence could not be fetched in this run.
Check No public attestation endpoint
Google/gemma 4 31B Turbo TEE (TEE) Intel TDX Attested E2EE Details
Verified All required verifier gates passed for this check.
Quote Intel TDX (DCAP QVL)
TCB Level status=UpToDate, advisories=[]
Report Data 79f42712d2cc61135383a4ec48bd66fac87a114a82709f7315e6ef3977120c056ec93f3c14976f0c3b0ccc2e651fcb87609b924efdb683a1f0d15b3ad9092936
Signature ECDSA-P384 ✓
Confidential Channel E2EE to attested enclave key ✓
Signer Bound Yes ✓
Nonce Bound Yes ✓
Security Model Attested E2EE
What This Means Payloads are encrypted to an attested enclave key; gateway TLS termination is expected
E2EE Protocol ML-KEM-768 E2E
Signing Key ml-kem-768:c7ee9ef8-e048-4e23-8b7f-797819fe01b5
chute:google/gemma-4-31B-turbo-TEEinstance:c7ee9ef8-e048-4e23-8b7f-797819fe01b5certificate-present:truegpu-evidence-count:1
MiniMaxAI/MiniMax M2.5 TEE (TEE) Details
Endpoint unavailable Fresh evidence could not be fetched in this run.
Check No public attestation endpoint
Moonshotai/Kimi K2.5 TEE (TEE) Details
Endpoint unavailable Fresh evidence could not be fetched in this run.
Check No public attestation endpoint
Moonshotai/Kimi K2.6 TEE (TEE) Intel TDX Attested E2EE Details
Verified All required verifier gates passed for this check.
Quote Intel TDX (DCAP QVL)
TCB Level status=UpToDate, advisories=[]
Report Data f45d576d284f71a071858584c3527d27ac2f4fecc36d0e051ad9231418a7c80a9ff112ef67b5d8c8d3e5b35da793f6e8ebf2ea43d21397de30db46ee4043a03c
Signature ECDSA-P384 ✓
Confidential Channel E2EE to attested enclave key ✓
Signer Bound Yes ✓
Nonce Bound Yes ✓
Security Model Attested E2EE
What This Means Payloads are encrypted to an attested enclave key; gateway TLS termination is expected
E2EE Protocol ML-KEM-768 E2E
Signing Key ml-kem-768:cfd9a510-948f-4caf-8496-7f44af774b8b
chute:moonshotai/Kimi-K2.6-TEEinstance:cfd9a510-948f-4caf-8496-7f44af774b8bcertificate-present:truegpu-evidence-count:8
Qwen/Qwen3 235B A22B Thinking 2507 TEE (TEE) Details
Endpoint unavailable Fresh evidence could not be fetched in this run.
Check No public attestation endpoint
Qwen/Qwen3 32B TEE (TEE) Intel TDX Attested E2EE Details
Verified All required verifier gates passed for this check.
Quote Intel TDX (DCAP QVL)
TCB Level status=UpToDate, advisories=[]
Report Data 8f7b1533157dcc65ee8e0a4cc3fd61533f417738378865dcecec9720b1cd21b9d97802b76c1e85685460bbb91d01c64e623b39a618569d1c509764b988027945
Signature ECDSA-P384 ✓
Confidential Channel E2EE to attested enclave key ✓
Signer Bound Yes ✓
Nonce Bound Yes ✓
Security Model Attested E2EE
What This Means Payloads are encrypted to an attested enclave key; gateway TLS termination is expected
E2EE Protocol ML-KEM-768 E2E
Signing Key ml-kem-768:13494d77-4c5f-4111-98f5-f57692972a5b
chute:Qwen/Qwen3-32B-TEEinstance:13494d77-4c5f-4111-98f5-f57692972a5bcertificate-present:truegpu-evidence-count:8
Qwen/Qwen3.5 397B A17B TEE (TEE) Details
Endpoint unavailable Fresh evidence could not be fetched in this run.
Check No public attestation endpoint
Qwen/Qwen3.6 27B TEE (TEE) Details
Endpoint unavailable Fresh evidence could not be fetched in this run.
Check No public attestation endpoint
Unsloth/Mistral Nemo Instruct 2407 TEE (TEE) Details
Endpoint unavailable Fresh evidence could not be fetched in this run.
Check No public attestation endpoint
Zai Org/GLM 5 TEE (TEE) Details
Endpoint unavailable Fresh evidence could not be fetched in this run.
Check No public attestation endpoint
Zai Org/GLM 5.1 TEE (TEE) Intel TDX Attested E2EE Details
Verified All required verifier gates passed for this check.
Quote Intel TDX (DCAP QVL)
TCB Level status=UpToDate, advisories=[]
Report Data 29e860aac16fa576653370a2303b5d39a916eefac311c40b033682ea4eefd86eee55518f19e02bd7a0e2ae3f706d7b1a127bd1de4744cd57987b7c3ffcb1749d
Signature ECDSA-P384 ✓
Confidential Channel E2EE to attested enclave key ✓
Signer Bound Yes ✓
Nonce Bound Yes ✓
Security Model Attested E2EE
What This Means Payloads are encrypted to an attested enclave key; gateway TLS termination is expected
E2EE Protocol ML-KEM-768 E2E
Signing Key ml-kem-768:eaeebf5c-677f-445c-8d4c-a8b5fa89aff4
chute:zai-org/GLM-5.1-TEEinstance:eaeebf5c-677f-445c-8d4c-a8b5fa89aff4certificate-present:truegpu-evidence-count:8

Maple

1/1
Fully verified Every check passed its required attestation, channel, and provenance gates.
1 verified 0 partial 0 failed 0 unavailable
Attested E2EE
Hardware 1/1 good Freshness Not shown Key binding 1/1 good Workload Not shown Provenance 1/1 good Availability 1/1 good
No open issues
Maple Enclave (AWS Nitro) Attested E2EE Details
Verified All required verifier gates passed for this check.
Check Liveness only

NanoGPT

17+6/28
Hardware verified, provenance incomplete TEE evidence passed, but source or image provenance is not fully pinned for every check.
17 verified 6 partial 0 failed 5 unavailable
TDX + SNP TEE-only Gateway Phala/dstack
Hardware 23/28 good Freshness 11/28 good Key binding 11/28 good Workload 7 bad Provenance 6 warning Availability 5 warning
Image provenance incomplete 6 Endpoint unavailable 5
DeepSeek V3.2 (TEE) Details
Endpoint unavailable Fresh evidence could not be fetched in this run.
Check No public attestation endpoint
DeepSeek V4 Pro (TEE) Intel TDX TEE-only Gateway Details
Verified All required verifier gates passed for this check.
Quote Intel TDX (DCAP QVL)
TCB Level status=UpToDate, advisories=[]
Report Data 834838d358e090a126a608a1ef01bea07afae3fc6d8f71533d66a2a53b83f750a01290db927a5c92bb9b39d45a02cb19c3d66643baa9dcc8d762518453cf351c
Signature ECDSA-P384 ✓
Enclave TLS Pin 2c6f1d204141eedccd3c589ce916e535989285a1b185a112d8ff546c12af2e6a ✗
Security Model TEE-only Gateway
What This Means Model runs in TEE but gateway sees plaintext prompts
Gemma 4 31B (TEE) Intel TDX TEE-only Gateway Details
Verified All required verifier gates passed for this check.
Quote Intel TDX (DCAP QVL)
TCB Level status=UpToDate, advisories=[]
Report Data 2a218f267e5099e61f04993b099851c483be1ea7c49278007c7022edc6c8c72712f1e4709a4a6e4b008709b8c42b7751a1afc88f0cf817058b011db2e4a4ea28
Signature ECDSA-P384 ✓
Enclave TLS Pin 2c6f1d204141eedccd3c589ce916e535989285a1b185a112d8ff546c12af2e6a ✗
Security Model TEE-only Gateway
What This Means Model runs in TEE but gateway sees plaintext prompts
GLM 5.1 (TEE) Intel TDX TEE-only Gateway Details
Verified All required verifier gates passed for this check.
Quote Intel TDX (DCAP QVL)
TCB Level status=UpToDate, advisories=[]
Report Data f38f31e20560c8e85ac287f8b38fcadb956b9d9583f3e5b1381c4b9ade8a27bec324ff4f230952be79746aa8da9a85591faf9b507375b9264f48c2493256025e
Signature ECDSA-P384 ✓
Compose Hash Mismatch ✗
Enclave TLS Pin 2c6f1d204141eedccd3c589ce916e535989285a1b185a112d8ff546c12af2e6a ✗
Security Model TEE-only Gateway
What This Means Model runs in TEE but gateway sees plaintext prompts
GPT-OSS 120B (TEE) Intel TDX TEE-only Gateway Details
Verified All required verifier gates passed for this check.
Quote Intel TDX (DCAP QVL)
TCB Level status=UpToDate, advisories=[]
Report Data 56d070df1c6be444b007839ef9cf67cec7c12b8b0000000000000000000000001b72d1da83821c5efd58dbebae80ef2a2cc83780f95cf5dbea9004375f7ae0ea
Signature ECDSA-P384 ✓
Compose Hash Verified ✓
TCB Consistent sha256 match ✓
Images Registry verified ✓
Signer Bound Yes ✓
Nonce Bound Yes ✓
Enclave TLS Pin 2c6f1d204141eedccd3c589ce916e535989285a1b185a112d8ff546c12af2e6a ✗
App dstack-nvidia-0.5.5
Images 5 containers
datadog/agent@sha256:5556fb80b952832719a76b016f905616c76ee0989a239c4680c6220148e865d6certbot/dns-cloudflare@sha256:742dbd2e61c8709b930712c38958386c3cb3928e09eeb1f1e490600c127e2edbcertbot/dns-cloudflare@sha256:742dbd2e61c8709b930712c38958386c3cb3928e09eeb1f1e490600c127e2edbnearaidev/compose-manager@sha256:44aa2344d68609700074a8076ed177bb1989c7f5fd1e175a13084d512be475e9nearaidev/compose-manager-launcher@sha256:171c1cffea23625628fc11038a590173745d83e3570d855e53ab5a91279f95bf
RTMR0 bc122d143ab768565ba5c3774ff5f03a63c89a4df7c1f5ea38d3bd173409d14f8cbdcc36d40e703cccb996a9d9687590
OS Image 9b69bb1698bacbb6985409a2c272bcb892e09cdcea63d5399c6768b67d3ff677
Security Model TEE-only Gateway
What This Means Model runs in TEE but gateway sees plaintext prompts
Infrastructure Phala/dstack
Kimi K2.6 (TEE) Intel TDX TEE-only Gateway Details
Verified All required verifier gates passed for this check.
Quote Intel TDX (DCAP QVL)
TCB Level status=UpToDate, advisories=[]
Report Data afbe312e74f55dd2737c345908833af721109be9ea007fba372b8b0117334a5af8ff05b30584005072f589ce8cd904306fb6a59a09246864a62af5582c973742
Signature ECDSA-P384 ✓
Compose Hash Mismatch ✗
Enclave TLS Pin 2c6f1d204141eedccd3c589ce916e535989285a1b185a112d8ff546c12af2e6a ✗
Security Model TEE-only Gateway
What This Means Model runs in TEE but gateway sees plaintext prompts
Llama 3.3 70B (TEE) AMD SEV-SNP TEE-only Gateway Details
Verified All required verifier gates passed for this check.
Quote AMD SEV-SNP (VCEK)
Policy 0x30000
Report Data 281ad7bea31b1c428d5100ee142478e76ab48f091b84e4f9505df75b1cde68840e1d011d09c176637d27a2c2b62406d2d0795f88c0c452b4a9d561d3bbaaea3d
Signature ECDSA-P384 ✓
Enclave TLS Pin 2c6f1d204141eedccd3c589ce916e535989285a1b185a112d8ff546c12af2e6a ✗
Security Model TEE-only Gateway
What This Means Model runs in TEE but gateway sees plaintext prompts
Qwen3.5 397B (TEE) Details
Endpoint unavailable Fresh evidence could not be fetched in this run.
Check No public attestation endpoint
TEE/deepseek V3.1 (TEE) Intel TDX TEE-only Gateway Details
Verified All required verifier gates passed for this check.
Quote Intel TDX (DCAP QVL)
TCB Level status=UpToDate, advisories=[]
Report Data 6525e128afcffebf7eed05d485d7be983cdae934000000000000000000000000d39466c22358b6f94fa22730fb2bbb25eff0609d29ac79b14e2687cda0098543
Signature ECDSA-P384 ✓
Compose Hash Verified ✓
TCB Consistent sha256 match ✓
Images Registry verified ✓
Signer Bound Yes ✓
Nonce Bound Yes ✓
Enclave TLS Pin 2c6f1d204141eedccd3c589ce916e535989285a1b185a112d8ff546c12af2e6a ✗
App dstack-nvidia-0.5.5
Images 5 containers
datadog/agent@sha256:5556fb80b952832719a76b016f905616c76ee0989a239c4680c6220148e865d6certbot/dns-cloudflare@sha256:742dbd2e61c8709b930712c38958386c3cb3928e09eeb1f1e490600c127e2edbcertbot/dns-cloudflare@sha256:742dbd2e61c8709b930712c38958386c3cb3928e09eeb1f1e490600c127e2edbnearaidev/compose-manager@sha256:44aa2344d68609700074a8076ed177bb1989c7f5fd1e175a13084d512be475e9nearaidev/compose-manager-launcher@sha256:171c1cffea23625628fc11038a590173745d83e3570d855e53ab5a91279f95bf
RTMR0 bc122d143ab768565ba5c3774ff5f03a63c89a4df7c1f5ea38d3bd173409d14f8cbdcc36d40e703cccb996a9d9687590
OS Image 9b69bb1698bacbb6985409a2c272bcb892e09cdcea63d5399c6768b67d3ff677
Security Model TEE-only Gateway
What This Means Model runs in TEE but gateway sees plaintext prompts
Infrastructure Phala/dstack
TEE/deepseek V4 Pro:thinking (TEE) Intel TDX TEE-only Gateway Details
Verified All required verifier gates passed for this check.
Quote Intel TDX (DCAP QVL)
TCB Level status=UpToDate, advisories=[]
Report Data 834838d358e090a126a608a1ef01bea07afae3fc6d8f71533d66a2a53b83f750a01290db927a5c92bb9b39d45a02cb19c3d66643baa9dcc8d762518453cf351c
Signature ECDSA-P384 ✓
Enclave TLS Pin 2c6f1d204141eedccd3c589ce916e535989285a1b185a112d8ff546c12af2e6a ✗
Security Model TEE-only Gateway
What This Means Model runs in TEE but gateway sees plaintext prompts
TEE/gemma 3 27b It (TEE) Intel TDX TEE-only Gateway Details
Image provenance incomplete Hardware evidence passed, but one or more container image pins could not be verified.
Quote Intel TDX (DCAP QVL)
TCB Level status=UpToDate, advisories=[]
Report Data a6df16ebbc510d97a32b99b4dfd33793acc90e2b0000000000000000000000004abe0dd9356076264de5994eaab24dd1e59fa792ae844755971debae683b643b
Signature ECDSA-P384 ✓
Compose Hash Verified ✓
TCB Consistent sha256 match ✓
Signer Bound Yes ✓
Nonce Bound Yes ✓
Enclave TLS Pin 2c6f1d204141eedccd3c589ce916e535989285a1b185a112d8ff546c12af2e6a ✗
Images 11 containers
dstacktee/dstack-ingress:1.2dstacktee/dstack-ingress:1.2python:3.10-slimdstacktee/vllm-proxy:v0.2.19vllm/vllm-openai:v0.10.2alpine:latestpython:3.10-slimdstacktee/vllm-proxy:v0.2.19vllm/vllm-openai:v0.10.2alpine:latesthaproxy:2.9-alpine
RTMR0 6ffe4a2c12f07eccb857f70f370a5af848a7062905cd95adc43abb1f62c39e330aa3c8aeb8f162656c025f3f527600f1
OS Image e3e677dd53901c4b12ad202fedded37687944d00f9176a26605894400121bb3e
Security Model TEE-only Gateway
What This Means Model runs in TEE but gateway sees plaintext prompts
Infrastructure unknown-dstack
TEE/gemma 4 26b A4b Uncensored (TEE) Intel TDX TEE-only Gateway Details
Image provenance incomplete Hardware evidence passed, but one or more container image pins could not be verified.
Quote Intel TDX (DCAP QVL)
TCB Level status=UpToDate, advisories=[]
Report Data 2808450d167d70468c4ea267765a20ccb096319e0000000000000000000000006bcd11028a2b24117394eff7b588314b2300c72756175ca17a208b163830b02d
Signature ECDSA-P384 ✓
Compose Hash Verified ✓
TCB Consistent sha256 match ✓
Signer Bound Yes ✓
Nonce Bound Yes ✓
Enclave TLS Pin 2c6f1d204141eedccd3c589ce916e535989285a1b185a112d8ff546c12af2e6a ✗
Images 9 containers
python:3.10-slimdstacktee/vllm-proxy:v0.2.19vllm/vllm-openai:latestalpine:latestpython:3.10-slimdstacktee/vllm-proxy:v0.2.19vllm/vllm-openai:latestalpine:latesthaproxy:2.9-alpine
RTMR0 6ffe4a2c12f07eccb857f70f370a5af848a7062905cd95adc43abb1f62c39e330aa3c8aeb8f162656c025f3f527600f1
OS Image 0e09f2bcb510c682b461d16b97192c710886db582852991e05146291063f890b
Security Model TEE-only Gateway
What This Means Model runs in TEE but gateway sees plaintext prompts
Infrastructure unknown-dstack
TEE/gemma 4 31b It (TEE) Details
Endpoint unavailable Fresh evidence could not be fetched in this run.
Check No public attestation endpoint
TEE/gemma4 31b:thinking (TEE) AMD SEV-SNP TEE-only Gateway Details
Verified All required verifier gates passed for this check.
Quote AMD SEV-SNP (VCEK)
Policy 0x30000
Report Data 9180f72c4a6b51a7a6890d38e3baf6c236dddf99730d23a04a739a6e1e0d60e1b68b37bdae14f66997786c01c159703fb151d0cf26ba4d5f1f8a6e4815c97926
Signature ECDSA-P384 ✓
Enclave TLS Pin 2c6f1d204141eedccd3c589ce916e535989285a1b185a112d8ff546c12af2e6a ✗
Security Model TEE-only Gateway
What This Means Model runs in TEE but gateway sees plaintext prompts
TEE/glm 4.7 (TEE) Intel TDX TEE-only Gateway Details
Verified All required verifier gates passed for this check.
Quote Intel TDX (DCAP QVL)
TCB Level status=UpToDate, advisories=[]
Report Data bb4d2e7ffe98eefcd9690e2139be41e92b95e3330000000000000000000000000d453f0fe3f8aed4c3f3d000d0b57659cce61ddfd1637e6cf861ee74cbb9f5ae
Signature ECDSA-P384 ✓
Compose Hash Verified ✓
TCB Consistent sha256 match ✓
Images Registry verified ✓
Signer Bound Yes ✓
Nonce Bound Yes ✓
Enclave TLS Pin 2c6f1d204141eedccd3c589ce916e535989285a1b185a112d8ff546c12af2e6a ✗
App dstack-nvidia-0.5.5
Images 5 containers
datadog/agent@sha256:5556fb80b952832719a76b016f905616c76ee0989a239c4680c6220148e865d6certbot/dns-cloudflare@sha256:742dbd2e61c8709b930712c38958386c3cb3928e09eeb1f1e490600c127e2edbcertbot/dns-cloudflare@sha256:742dbd2e61c8709b930712c38958386c3cb3928e09eeb1f1e490600c127e2edbnearaidev/compose-manager@sha256:44aa2344d68609700074a8076ed177bb1989c7f5fd1e175a13084d512be475e9nearaidev/compose-manager-launcher@sha256:171c1cffea23625628fc11038a590173745d83e3570d855e53ab5a91279f95bf
RTMR0 bc122d143ab768565ba5c3774ff5f03a63c89a4df7c1f5ea38d3bd173409d14f8cbdcc36d40e703cccb996a9d9687590
OS Image 9b69bb1698bacbb6985409a2c272bcb892e09cdcea63d5399c6768b67d3ff677
Security Model TEE-only Gateway
What This Means Model runs in TEE but gateway sees plaintext prompts
Infrastructure Phala/dstack
TEE/glm 4.7 Flash (TEE) Intel TDX TEE-only Gateway Details
Image provenance incomplete Hardware evidence passed, but one or more container image pins could not be verified.
Quote Intel TDX (DCAP QVL)
TCB Level status=UpToDate, advisories=[]
Report Data ea488405709f71fac7fec9448291da3873cb4d7c00000000000000000000000072c5fe922f1520ba94165e7d01479c942862b45b0f7761c6e8859dfecb5cc9c2
Signature ECDSA-P384 ✓
Compose Hash Verified ✓
TCB Consistent sha256 match ✓
Signer Bound Yes ✓
Nonce Bound Yes ✓
Enclave TLS Pin 2c6f1d204141eedccd3c589ce916e535989285a1b185a112d8ff546c12af2e6a ✗
Images 6 containers
dstacktee/dstack-ingress:1.2python:3.10-slimdstacktee/vllm-proxy:v0.2.19lmsysorg/sglang:v0.5.10haproxy:2.9-alpinealpine:latest
RTMR0 6ffe4a2c12f07eccb857f70f370a5af848a7062905cd95adc43abb1f62c39e330aa3c8aeb8f162656c025f3f527600f1
OS Image 021bf66a7c9fd4a05031b8fa688834948874631c2ad5b9a2d566b4421b817271
Security Model TEE-only Gateway
What This Means Model runs in TEE but gateway sees plaintext prompts
Infrastructure unknown-dstack
TEE/glm 5 (TEE) Intel TDX TEE-only Gateway Details
Verified All required verifier gates passed for this check.
Quote Intel TDX (DCAP QVL)
TCB Level status=UpToDate, advisories=[]
Report Data 9ca8ebb158f6c7a3ef7297bed904345d312f9985a31de1db148f1bc33040df004fa7a3526f31544931333568519ee8dfaee40181bfb19f4a08f82cf30708c7e3
Signature ECDSA-P384 ✓
Compose Hash Mismatch ✗
Enclave TLS Pin 2c6f1d204141eedccd3c589ce916e535989285a1b185a112d8ff546c12af2e6a ✗
Security Model TEE-only Gateway
What This Means Model runs in TEE but gateway sees plaintext prompts
TEE/glm 5.1 Thinking (TEE) Intel TDX TEE-only Gateway Details
Verified All required verifier gates passed for this check.
Quote Intel TDX (DCAP QVL)
TCB Level status=UpToDate, advisories=[]
Report Data f38f31e20560c8e85ac287f8b38fcadb956b9d9583f3e5b1381c4b9ade8a27bec324ff4f230952be79746aa8da9a85591faf9b507375b9264f48c2493256025e
Signature ECDSA-P384 ✓
Compose Hash Mismatch ✗
Enclave TLS Pin 2c6f1d204141eedccd3c589ce916e535989285a1b185a112d8ff546c12af2e6a ✗
Security Model TEE-only Gateway
What This Means Model runs in TEE but gateway sees plaintext prompts
TEE/gpt Oss 20b (TEE) Intel TDX TEE-only Gateway Details
Image provenance incomplete Hardware evidence passed, but one or more container image pins could not be verified.
Quote Intel TDX (DCAP QVL)
TCB Level status=UpToDate, advisories=[]
Report Data 87bc76587927c685a743beab4fd673f1d3c361cb00000000000000000000000045f99bf6cef64aff6c8b789a59eb268ff0e8be969aaa6c30cf09912008a672d7
Signature ECDSA-P384 ✓
Compose Hash Verified ✓
TCB Consistent sha256 match ✓
Signer Bound Yes ✓
Nonce Bound Yes ✓
Enclave TLS Pin 2c6f1d204141eedccd3c589ce916e535989285a1b185a112d8ff546c12af2e6a ✗
Images 11 containers
dstacktee/dstack-ingress:1.2dstacktee/dstack-ingress:1.2python:3.10-slimdstacktee/vllm-proxy:v0.2.19vllm/vllm-openai:v0.10.2alpine:latestpython:3.10-slimdstacktee/vllm-proxy:v0.2.19vllm/vllm-openai:v0.10.2alpine:latesthaproxy:2.9-alpine
RTMR0 6ffe4a2c12f07eccb857f70f370a5af848a7062905cd95adc43abb1f62c39e330aa3c8aeb8f162656c025f3f527600f1
OS Image e3e677dd53901c4b12ad202fedded37687944d00f9176a26605894400121bb3e
Security Model TEE-only Gateway
What This Means Model runs in TEE but gateway sees plaintext prompts
Infrastructure unknown-dstack
TEE/kimi K2.5 (TEE) Intel TDX TEE-only Gateway Details
Verified All required verifier gates passed for this check.
Quote Intel TDX (DCAP QVL)
TCB Level status=UpToDate, advisories=[]
Report Data eb6270f5ae30516dd0f3fd4733b938b3c160d0edc5c5ba546e4cc14115f25abb365c93f3bc5d52c6176a9a2c4922a29674c96ef7ea8c2a2f1e80a8531c67542f
Signature ECDSA-P384 ✓
Compose Hash Mismatch ✗
Enclave TLS Pin 2c6f1d204141eedccd3c589ce916e535989285a1b185a112d8ff546c12af2e6a ✗
Security Model TEE-only Gateway
What This Means Model runs in TEE but gateway sees plaintext prompts
TEE/kimi K2.5 Thinking (TEE) Intel TDX TEE-only Gateway Details
Verified All required verifier gates passed for this check.
Quote Intel TDX (DCAP QVL)
TCB Level status=UpToDate, advisories=[]
Report Data 9b3c9976db665c9f048bd3674997c61f9c0ddb3d67e12fbf6a5e35d0edbe0a79365c93f3bc5d52c6176a9a2c4922a29674c96ef7ea8c2a2f1e80a8531c67542f
Signature ECDSA-P384 ✓
Compose Hash Mismatch ✗
Enclave TLS Pin 2c6f1d204141eedccd3c589ce916e535989285a1b185a112d8ff546c12af2e6a ✗
Security Model TEE-only Gateway
What This Means Model runs in TEE but gateway sees plaintext prompts
TEE/minimax M2.5 (TEE) Details
Endpoint unavailable Fresh evidence could not be fetched in this run.
Check No public attestation endpoint
TEE/qwen2.5 Vl 72b Instruct (TEE) Details
Endpoint unavailable Fresh evidence could not be fetched in this run.
Check No public attestation endpoint
TEE/qwen3 30b A3b Instruct 2507 (TEE) Intel TDX TEE-only Gateway Details
Verified All required verifier gates passed for this check.
Quote Intel TDX (DCAP QVL)
TCB Level status=UpToDate, advisories=[]
Report Data c03b0cfc81531eb9cffca4c65aabfaf9b181ac63000000000000000000000000e61f476d39d8b3875b3393e9acd06f358b67bd55aac1c2b3facf22031b96a179
Signature ECDSA-P384 ✓
Compose Hash Verified ✓
TCB Consistent sha256 match ✓
Images Registry verified ✓
Signer Bound Yes ✓
Nonce Bound Yes ✓
Enclave TLS Pin 2c6f1d204141eedccd3c589ce916e535989285a1b185a112d8ff546c12af2e6a ✗
App dstack-nvidia-0.5.5
Images 5 containers
datadog/agent@sha256:5556fb80b952832719a76b016f905616c76ee0989a239c4680c6220148e865d6certbot/dns-cloudflare@sha256:742dbd2e61c8709b930712c38958386c3cb3928e09eeb1f1e490600c127e2edbcertbot/dns-cloudflare@sha256:742dbd2e61c8709b930712c38958386c3cb3928e09eeb1f1e490600c127e2edbnearaidev/compose-manager@sha256:5165400d9eb43ab5da36986a85de0ba55f3fb4d05211c4397ecc4bde3ef0113bnearaidev/compose-manager-launcher@sha256:d652f92b64f57ef8aa086bd77a4cf932c1976965b3cea2814a7ee82fe73aa993
RTMR0 bc122d143ab768565ba5c3774ff5f03a63c89a4df7c1f5ea38d3bd173409d14f8cbdcc36d40e703cccb996a9d9687590
OS Image 9b69bb1698bacbb6985409a2c272bcb892e09cdcea63d5399c6768b67d3ff677
Security Model TEE-only Gateway
What This Means Model runs in TEE but gateway sees plaintext prompts
Infrastructure Phala/dstack
TEE/qwen3.5 122b A10b (TEE) Intel TDX TEE-only Gateway Details
Verified All required verifier gates passed for this check.
Quote Intel TDX (DCAP QVL)
TCB Level status=UpToDate, advisories=[]
Report Data 6525e128afcffebf7eed05d485d7be983cdae93400000000000000000000000094cf2f48e5bedb239aa78861e04e129d65d96836faa03d1e7689c84359dc1d8a
Signature ECDSA-P384 ✓
Compose Hash Verified ✓
TCB Consistent sha256 match ✓
Images Registry verified ✓
Signer Bound Yes ✓
Nonce Bound Yes ✓
Enclave TLS Pin 2c6f1d204141eedccd3c589ce916e535989285a1b185a112d8ff546c12af2e6a ✗
App dstack-nvidia-0.5.5
Images 5 containers
datadog/agent@sha256:5556fb80b952832719a76b016f905616c76ee0989a239c4680c6220148e865d6certbot/dns-cloudflare@sha256:742dbd2e61c8709b930712c38958386c3cb3928e09eeb1f1e490600c127e2edbcertbot/dns-cloudflare@sha256:742dbd2e61c8709b930712c38958386c3cb3928e09eeb1f1e490600c127e2edbnearaidev/compose-manager@sha256:44aa2344d68609700074a8076ed177bb1989c7f5fd1e175a13084d512be475e9nearaidev/compose-manager-launcher@sha256:171c1cffea23625628fc11038a590173745d83e3570d855e53ab5a91279f95bf
RTMR0 bc122d143ab768565ba5c3774ff5f03a63c89a4df7c1f5ea38d3bd173409d14f8cbdcc36d40e703cccb996a9d9687590
OS Image 9b69bb1698bacbb6985409a2c272bcb892e09cdcea63d5399c6768b67d3ff677
Security Model TEE-only Gateway
What This Means Model runs in TEE but gateway sees plaintext prompts
Infrastructure Phala/dstack
TEE/qwen3.5 27b (TEE) Intel TDX TEE-only Gateway Details
Image provenance incomplete Hardware evidence passed, but one or more container image pins could not be verified.
Quote Intel TDX (DCAP QVL)
TCB Level status=UpToDate, advisories=[]
Report Data 78c3eb272f2798599d2643e166c0a78bb7c36b770000000000000000000000001a0e73c6089fada88159971d1004e0191fe44f6bac29312c471e689325113b60
Signature ECDSA-P384 ✓
Compose Hash Verified ✓
TCB Consistent sha256 match ✓
Signer Bound Yes ✓
Nonce Bound Yes ✓
Enclave TLS Pin 2c6f1d204141eedccd3c589ce916e535989285a1b185a112d8ff546c12af2e6a ✗
Images 7 containers
dstacktee/dstack-ingress:1.2python:3.10-slimdstacktee/vllm-proxy:v0.2.19lmsysorg/sglang:devlmsysorg/sglang:devhaproxy:2.9-alpinealpine:latest
RTMR0 6ffe4a2c12f07eccb857f70f370a5af848a7062905cd95adc43abb1f62c39e330aa3c8aeb8f162656c025f3f527600f1
OS Image f2e62bc784cc1d7cec9e36ce2e83dce88760de47749a16d660ef6b5d4f97e51d
Security Model TEE-only Gateway
What This Means Model runs in TEE but gateway sees plaintext prompts
Infrastructure unknown-dstack
TEE/qwen3.6 27b (TEE) Intel TDX TEE-only Gateway Details
Verified All required verifier gates passed for this check.
Quote Intel TDX (DCAP QVL)
TCB Level status=UpToDate, advisories=[]
Report Data 1e91e3aef741b2846b205b14f1a8a166107760d0719292f2364590f913f689f6c0fded88b6846e7c793d0a74f730172ddf1b62858c0f562fea14edbda8008e31
Signature ECDSA-P384 ✓
Compose Hash Mismatch ✗
Enclave TLS Pin 2c6f1d204141eedccd3c589ce916e535989285a1b185a112d8ff546c12af2e6a ✗
Security Model TEE-only Gateway
What This Means Model runs in TEE but gateway sees plaintext prompts
TEE/qwen3.6 35b A3b Uncensored (TEE) Intel TDX TEE-only Gateway Details
Image provenance incomplete Hardware evidence passed, but one or more container image pins could not be verified.
Quote Intel TDX (DCAP QVL)
TCB Level status=UpToDate, advisories=[]
Report Data 4c4e5e69fadffb8e55c306d867dc88792bd3221d000000000000000000000000459203dd1f4e237153bf1974d424a4726fecc10874e3812005891364c5996ec1
Signature ECDSA-P384 ✓
Compose Hash Verified ✓
TCB Consistent sha256 match ✓
Signer Bound Yes ✓
Nonce Bound Yes ✓
Enclave TLS Pin 2c6f1d204141eedccd3c589ce916e535989285a1b185a112d8ff546c12af2e6a ✗
Images 9 containers
python:3.10-slimdstacktee/vllm-proxy:v0.2.19vllm/vllm-openai:latestalpine:latestpython:3.10-slimdstacktee/vllm-proxy:v0.2.19vllm/vllm-openai:latestalpine:latesthaproxy:2.9-alpine
RTMR0 6ffe4a2c12f07eccb857f70f370a5af848a7062905cd95adc43abb1f62c39e330aa3c8aeb8f162656c025f3f527600f1
OS Image 0e09f2bcb510c682b461d16b97192c710886db582852991e05146291063f890b
Security Model TEE-only Gateway
What This Means Model runs in TEE but gateway sees plaintext prompts
Infrastructure unknown-dstack

NEAR AI

8/8
Fully verified Every check passed its required attestation, channel, and provenance gates.
8 verified 0 partial 0 failed 0 unavailable
Intel TDX Attested E2EE Phala/dstack
Hardware 8/8 good Freshness 8/8 good Key binding 8/8 good Workload 8/8 good Provenance 8/8 good Availability 8/8 good
No open issues
Gemma 4 31B (TEE) Intel TDX Attested E2EE Details
Verified All required verifier gates passed for this check.
Quote Intel TDX (DCAP QVL)
TCB Level status=UpToDate, advisories=[]
Report Data 2ad96997ac5762e37f81b72c404c21f0d6baa53a9c6b8872113fb42716710b9bfeb2225817720c220024babd8ab5dc021dbebc53b4488d1e7081ce2d955a5bbc
Signature ECDSA-P384 ✓
Compose Hash Verified ✓
TCB Consistent sha256 match ✓
Images Registry verified ✓
Confidential Channel E2EE to attested enclave key ✓
Signer Bound Yes ✓
Nonce Bound Yes ✓
Gateway TLS aaeaf5a20b5bd17c44641be93072b07d48c78588b709d22bfa1690c921320475 (external termination)
App dstack-nvidia-0.5.5
Images 5 containers
datadog/agent@sha256:5556fb80b952832719a76b016f905616c76ee0989a239c4680c6220148e865d6certbot/dns-cloudflare@sha256:742dbd2e61c8709b930712c38958386c3cb3928e09eeb1f1e490600c127e2edbcertbot/dns-cloudflare@sha256:742dbd2e61c8709b930712c38958386c3cb3928e09eeb1f1e490600c127e2edbnearaidev/compose-manager@sha256:44aa2344d68609700074a8076ed177bb1989c7f5fd1e175a13084d512be475e9nearaidev/compose-manager-launcher@sha256:171c1cffea23625628fc11038a590173745d83e3570d855e53ab5a91279f95bf
RTMR0 bc122d143ab768565ba5c3774ff5f03a63c89a4df7c1f5ea38d3bd173409d14f8cbdcc36d40e703cccb996a9d9687590
OS Image 9b69bb1698bacbb6985409a2c272bcb892e09cdcea63d5399c6768b67d3ff677
Security Model Attested E2EE
What This Means Payloads are encrypted to an attested enclave key; gateway TLS termination is expected
Infrastructure Phala/dstack
E2EE Protocol ed25519
Signing Key 2ad96997ac5762e37f81b72c404c21f0d6baa53a9c6b8872113fb42716710b9b
GLM 5.1 (TEE) Intel TDX Attested E2EE Details
Verified All required verifier gates passed for this check.
Quote Intel TDX (DCAP QVL)
TCB Level status=UpToDate, advisories=[]
Report Data 40ef1aadbb12f26cf4c2d499b9e7a7b043da4388200715abed573fa135a561bbcd198670ed634a97556b925b4e6573767e775301659449c0eceb48ffacad55c3
Signature ECDSA-P384 ✓
Compose Hash Verified ✓
TCB Consistent sha256 match ✓
Images Registry verified ✓
Confidential Channel E2EE to attested enclave key ✓
Signer Bound Yes ✓
Nonce Bound Yes ✓
Gateway TLS aaeaf5a20b5bd17c44641be93072b07d48c78588b709d22bfa1690c921320475 (external termination)
App dstack-nvidia-0.5.5
Images 5 containers
datadog/agent@sha256:5556fb80b952832719a76b016f905616c76ee0989a239c4680c6220148e865d6certbot/dns-cloudflare@sha256:742dbd2e61c8709b930712c38958386c3cb3928e09eeb1f1e490600c127e2edbcertbot/dns-cloudflare@sha256:742dbd2e61c8709b930712c38958386c3cb3928e09eeb1f1e490600c127e2edbnearaidev/compose-manager@sha256:44aa2344d68609700074a8076ed177bb1989c7f5fd1e175a13084d512be475e9nearaidev/compose-manager-launcher@sha256:171c1cffea23625628fc11038a590173745d83e3570d855e53ab5a91279f95bf
RTMR0 bc122d143ab768565ba5c3774ff5f03a63c89a4df7c1f5ea38d3bd173409d14f8cbdcc36d40e703cccb996a9d9687590
OS Image 9b69bb1698bacbb6985409a2c272bcb892e09cdcea63d5399c6768b67d3ff677
Security Model Attested E2EE
What This Means Payloads are encrypted to an attested enclave key; gateway TLS termination is expected
Infrastructure Phala/dstack
E2EE Protocol ed25519
Signing Key 40ef1aadbb12f26cf4c2d499b9e7a7b043da4388200715abed573fa135a561bb
GPT-OSS 120B (TEE) Intel TDX Attested E2EE Details
Verified All required verifier gates passed for this check.
Quote Intel TDX (DCAP QVL)
TCB Level status=UpToDate, advisories=[]
Report Data 21189bb96e2e0ff7598bd618bed473045cd6da886ddc844dc23f30bd2bfdb62dc15ac26dc6b117ae822458b38a0a5afca93459f2926ea35fa6f84734bac9fecb
Signature ECDSA-P384 ✓
Compose Hash Verified ✓
TCB Consistent sha256 match ✓
Images Registry verified ✓
Confidential Channel E2EE to attested enclave key ✓
Signer Bound Yes ✓
Nonce Bound Yes ✓
Gateway TLS aaeaf5a20b5bd17c44641be93072b07d48c78588b709d22bfa1690c921320475 (external termination)
App dstack-nvidia-0.5.5
Images 5 containers
datadog/agent@sha256:5556fb80b952832719a76b016f905616c76ee0989a239c4680c6220148e865d6certbot/dns-cloudflare@sha256:742dbd2e61c8709b930712c38958386c3cb3928e09eeb1f1e490600c127e2edbcertbot/dns-cloudflare@sha256:742dbd2e61c8709b930712c38958386c3cb3928e09eeb1f1e490600c127e2edbnearaidev/compose-manager@sha256:5165400d9eb43ab5da36986a85de0ba55f3fb4d05211c4397ecc4bde3ef0113bnearaidev/compose-manager-launcher@sha256:d652f92b64f57ef8aa086bd77a4cf932c1976965b3cea2814a7ee82fe73aa993
RTMR0 bc122d143ab768565ba5c3774ff5f03a63c89a4df7c1f5ea38d3bd173409d14f8cbdcc36d40e703cccb996a9d9687590
OS Image 9b69bb1698bacbb6985409a2c272bcb892e09cdcea63d5399c6768b67d3ff677
Security Model Attested E2EE
What This Means Payloads are encrypted to an attested enclave key; gateway TLS termination is expected
Infrastructure Phala/dstack
E2EE Protocol ed25519
Signing Key 21189bb96e2e0ff7598bd618bed473045cd6da886ddc844dc23f30bd2bfdb62d
Qwen 3.5 122B (TEE) Intel TDX Attested E2EE Details
Verified All required verifier gates passed for this check.
Quote Intel TDX (DCAP QVL)
TCB Level status=UpToDate, advisories=[]
Report Data d0aa20bcf567cc0c7c914608967dbd4c7a17e10b600802d45923434ce323f82370bbc3037c3c1430b2ef36934763606c79a03ccbaeef9010db34a80813ca7072
Signature ECDSA-P384 ✓
Compose Hash Verified ✓
TCB Consistent sha256 match ✓
Images Registry verified ✓
Confidential Channel E2EE to attested enclave key ✓
Signer Bound Yes ✓
Nonce Bound Yes ✓
Gateway TLS aaeaf5a20b5bd17c44641be93072b07d48c78588b709d22bfa1690c921320475 (external termination)
App dstack-nvidia-0.5.5
Images 5 containers
datadog/agent@sha256:5556fb80b952832719a76b016f905616c76ee0989a239c4680c6220148e865d6certbot/dns-cloudflare@sha256:742dbd2e61c8709b930712c38958386c3cb3928e09eeb1f1e490600c127e2edbcertbot/dns-cloudflare@sha256:742dbd2e61c8709b930712c38958386c3cb3928e09eeb1f1e490600c127e2edbnearaidev/compose-manager@sha256:44aa2344d68609700074a8076ed177bb1989c7f5fd1e175a13084d512be475e9nearaidev/compose-manager-launcher@sha256:171c1cffea23625628fc11038a590173745d83e3570d855e53ab5a91279f95bf
RTMR0 bc122d143ab768565ba5c3774ff5f03a63c89a4df7c1f5ea38d3bd173409d14f8cbdcc36d40e703cccb996a9d9687590
OS Image 9b69bb1698bacbb6985409a2c272bcb892e09cdcea63d5399c6768b67d3ff677
Security Model Attested E2EE
What This Means Payloads are encrypted to an attested enclave key; gateway TLS termination is expected
Infrastructure Phala/dstack
E2EE Protocol ed25519
Signing Key d0aa20bcf567cc0c7c914608967dbd4c7a17e10b600802d45923434ce323f823
Qwen/Qwen3.6 27B FP8 (TEE) Intel TDX Attested E2EE Details
Verified All required verifier gates passed for this check.
Quote Intel TDX (DCAP QVL)
TCB Level status=UpToDate, advisories=[]
Report Data 052233b7fb537337f2f4f9c8a239297f8a5d8876b2ccce49dfa684bb53361c24072582ae3db5297022eda18e3ab4ef3f4d57796ccd7df7ef2b8d6a6b24fdb00c
Signature ECDSA-P384 ✓
Compose Hash Verified ✓
TCB Consistent sha256 match ✓
Images Registry verified ✓
Confidential Channel E2EE to attested enclave key ✓
Signer Bound Yes ✓
Nonce Bound Yes ✓
Gateway TLS aaeaf5a20b5bd17c44641be93072b07d48c78588b709d22bfa1690c921320475 (external termination)
App dstack-nvidia-0.5.5
Images 5 containers
datadog/agent@sha256:5556fb80b952832719a76b016f905616c76ee0989a239c4680c6220148e865d6certbot/dns-cloudflare@sha256:742dbd2e61c8709b930712c38958386c3cb3928e09eeb1f1e490600c127e2edbcertbot/dns-cloudflare@sha256:742dbd2e61c8709b930712c38958386c3cb3928e09eeb1f1e490600c127e2edbnearaidev/compose-manager@sha256:5165400d9eb43ab5da36986a85de0ba55f3fb4d05211c4397ecc4bde3ef0113bnearaidev/compose-manager-launcher@sha256:d652f92b64f57ef8aa086bd77a4cf932c1976965b3cea2814a7ee82fe73aa993
RTMR0 bc122d143ab768565ba5c3774ff5f03a63c89a4df7c1f5ea38d3bd173409d14f8cbdcc36d40e703cccb996a9d9687590
OS Image 9b69bb1698bacbb6985409a2c272bcb892e09cdcea63d5399c6768b67d3ff677
Security Model Attested E2EE
What This Means Payloads are encrypted to an attested enclave key; gateway TLS termination is expected
Infrastructure Phala/dstack
E2EE Protocol ed25519
Signing Key 052233b7fb537337f2f4f9c8a239297f8a5d8876b2ccce49dfa684bb53361c24
Qwen3 30B (TEE) Intel TDX Attested E2EE Details
Verified All required verifier gates passed for this check.
Quote Intel TDX (DCAP QVL)
TCB Level status=UpToDate, advisories=[]
Report Data 0e404219b15ff256eb82078223a4697d6ebc69d5182dc69a835837bac14f059593e311fe61ed55ed327a6dff9387f987119dba5f2dfc94280453c4a7d3e5e362
Signature ECDSA-P384 ✓
Compose Hash Verified ✓
TCB Consistent sha256 match ✓
Images Registry verified ✓
Confidential Channel E2EE to attested enclave key ✓
Signer Bound Yes ✓
Nonce Bound Yes ✓
Gateway TLS aaeaf5a20b5bd17c44641be93072b07d48c78588b709d22bfa1690c921320475 (external termination)
App dstack-nvidia-0.5.5
Images 5 containers
datadog/agent@sha256:5556fb80b952832719a76b016f905616c76ee0989a239c4680c6220148e865d6certbot/dns-cloudflare@sha256:742dbd2e61c8709b930712c38958386c3cb3928e09eeb1f1e490600c127e2edbcertbot/dns-cloudflare@sha256:742dbd2e61c8709b930712c38958386c3cb3928e09eeb1f1e490600c127e2edbnearaidev/compose-manager@sha256:44aa2344d68609700074a8076ed177bb1989c7f5fd1e175a13084d512be475e9nearaidev/compose-manager-launcher@sha256:171c1cffea23625628fc11038a590173745d83e3570d855e53ab5a91279f95bf
RTMR0 bc122d143ab768565ba5c3774ff5f03a63c89a4df7c1f5ea38d3bd173409d14f8cbdcc36d40e703cccb996a9d9687590
OS Image 9b69bb1698bacbb6985409a2c272bcb892e09cdcea63d5399c6768b67d3ff677
Security Model Attested E2EE
What This Means Payloads are encrypted to an attested enclave key; gateway TLS termination is expected
Infrastructure Phala/dstack
E2EE Protocol ed25519
Signing Key 0e404219b15ff256eb82078223a4697d6ebc69d5182dc69a835837bac14f0595
Qwen3-VL 30B (TEE) Intel TDX Attested E2EE Details
Verified All required verifier gates passed for this check.
Quote Intel TDX (DCAP QVL)
TCB Level status=UpToDate, advisories=[]
Report Data 31ddf80d420921b91ff4a41d933a15b46a3840e80031804c1c5ba4f25c4e88cc00cc0d83b2e321ca5e42d4df9f78ffcd85f9433b4582e4bf85b62ee45c13048e
Signature ECDSA-P384 ✓
Compose Hash Verified ✓
TCB Consistent sha256 match ✓
Images Registry verified ✓
Confidential Channel E2EE to attested enclave key ✓
Signer Bound Yes ✓
Nonce Bound Yes ✓
Gateway TLS aaeaf5a20b5bd17c44641be93072b07d48c78588b709d22bfa1690c921320475 (external termination)
App dstack-nvidia-0.5.5
Images 5 containers
datadog/agent@sha256:5556fb80b952832719a76b016f905616c76ee0989a239c4680c6220148e865d6certbot/dns-cloudflare@sha256:742dbd2e61c8709b930712c38958386c3cb3928e09eeb1f1e490600c127e2edbcertbot/dns-cloudflare@sha256:742dbd2e61c8709b930712c38958386c3cb3928e09eeb1f1e490600c127e2edbnearaidev/compose-manager@sha256:5165400d9eb43ab5da36986a85de0ba55f3fb4d05211c4397ecc4bde3ef0113bnearaidev/compose-manager-launcher@sha256:d652f92b64f57ef8aa086bd77a4cf932c1976965b3cea2814a7ee82fe73aa993
RTMR0 bc122d143ab768565ba5c3774ff5f03a63c89a4df7c1f5ea38d3bd173409d14f8cbdcc36d40e703cccb996a9d9687590
OS Image 9b69bb1698bacbb6985409a2c272bcb892e09cdcea63d5399c6768b67d3ff677
Security Model Attested E2EE
What This Means Payloads are encrypted to an attested enclave key; gateway TLS termination is expected
Infrastructure Phala/dstack
E2EE Protocol ed25519
Signing Key 31ddf80d420921b91ff4a41d933a15b46a3840e80031804c1c5ba4f25c4e88cc
Qwen3.6 35B (TEE) Intel TDX Attested E2EE Details
Verified All required verifier gates passed for this check.
Quote Intel TDX (DCAP QVL)
TCB Level status=UpToDate, advisories=[]
Report Data aba45f0b8f90869baab26db02e8b01354bb8f8730769c60650cb7a635da602d42351d15bf2a9933e4c48483fd60a47e08d32817bd0c7009d5002e6ac8167d86f
Signature ECDSA-P384 ✓
Compose Hash Verified ✓
TCB Consistent sha256 match ✓
Images Registry verified ✓
Confidential Channel E2EE to attested enclave key ✓
Signer Bound Yes ✓
Nonce Bound Yes ✓
Gateway TLS aaeaf5a20b5bd17c44641be93072b07d48c78588b709d22bfa1690c921320475 (external termination)
App dstack-nvidia-0.5.5
Images 5 containers
datadog/agent@sha256:5556fb80b952832719a76b016f905616c76ee0989a239c4680c6220148e865d6certbot/dns-cloudflare@sha256:742dbd2e61c8709b930712c38958386c3cb3928e09eeb1f1e490600c127e2edbcertbot/dns-cloudflare@sha256:742dbd2e61c8709b930712c38958386c3cb3928e09eeb1f1e490600c127e2edbnearaidev/compose-manager@sha256:44aa2344d68609700074a8076ed177bb1989c7f5fd1e175a13084d512be475e9nearaidev/compose-manager-launcher@sha256:171c1cffea23625628fc11038a590173745d83e3570d855e53ab5a91279f95bf
RTMR0 bc122d143ab768565ba5c3774ff5f03a63c89a4df7c1f5ea38d3bd173409d14f8cbdcc36d40e703cccb996a9d9687590
OS Image 9b69bb1698bacbb6985409a2c272bcb892e09cdcea63d5399c6768b67d3ff677
Security Model Attested E2EE
What This Means Payloads are encrypted to an attested enclave key; gateway TLS termination is expected
Infrastructure Phala/dstack
E2EE Protocol ed25519
Signing Key aba45f0b8f90869baab26db02e8b01354bb8f8730769c60650cb7a635da602d4

PPQ.AI

5+1/6
Hardware verified, provenance incomplete TEE evidence passed, but source or image provenance is not fully pinned for every check.
5 verified 1 partial 0 failed 0 unavailable
AMD SEV-SNP Attested E2EE
Hardware 6/6 good Freshness Not shown Key binding Not shown Workload Not shown Provenance 1 warning Availability 6/6 good
Image provenance incomplete 1
Gemma 4 31B (TEE) AMD SEV-SNP Attested E2EE Details
Verified All required verifier gates passed for this check.
Quote AMD SEV-SNP (VCEK)
Policy 0x30000
Report Data 7257e18a0ccd13634515c863ecefe082aca6ecc337f27534caef8e03a9f5032f87705a074c23bdd758548815c46e29ad4b8f615771e89c8b9e40a3d79dd75079
Signature ECDSA-P384 ✓
Images Registry verified ✓
Sigstore Bundle Crypto Verified ✓
Measurements Match ✓
Release v0.0.106
Sigstore Repo tinfoilsh/confidential-model-router
Confidential Channel E2EE to attested enclave key ✓
ghcr.io/tinfoilsh/confidential-model-router@sha256:08313282f9eaf987ebe71b4c84fcddd1ba280308395ab5ce7c1a3f70ead4f984ghcr.io/tinfoilsh/confidential-gemma4-31b@sha256:083c2dea550f5b1d93ac3ce0bad0e00220f02cc845e1bad1de2f38aeae8aaf84
Security Model Attested E2EE
What This Means Payloads are encrypted to an attested enclave key; gateway TLS termination is expected
E2EE Protocol hpke
Signing Key 87705a074c23bdd758548815c46e29ad4b8f615771e89c8b9e40a3d79dd75079
GLM 5.1 (TEE) AMD SEV-SNP Attested E2EE Details
Verified All required verifier gates passed for this check.
Quote AMD SEV-SNP (VCEK)
Policy 0x30000
Report Data 7257e18a0ccd13634515c863ecefe082aca6ecc337f27534caef8e03a9f5032f87705a074c23bdd758548815c46e29ad4b8f615771e89c8b9e40a3d79dd75079
Signature ECDSA-P384 ✓
Images Registry verified ✓
Sigstore Bundle Crypto Verified ✓
Measurements Match ✓
Release v0.0.106
Sigstore Repo tinfoilsh/confidential-model-router
Confidential Channel E2EE to attested enclave key ✓
ghcr.io/tinfoilsh/confidential-model-router@sha256:08313282f9eaf987ebe71b4c84fcddd1ba280308395ab5ce7c1a3f70ead4f984vllm/vllm-openai:v0.22.0@sha256:0fec7ec5f3e6bc168e54899935fb0557da908a4832a1dbc88e2debcf2f889416
Security Model Attested E2EE
What This Means Payloads are encrypted to an attested enclave key; gateway TLS termination is expected
E2EE Protocol hpke
Signing Key 87705a074c23bdd758548815c46e29ad4b8f615771e89c8b9e40a3d79dd75079
GPT-OSS 120B (TEE) AMD SEV-SNP Attested E2EE Details
Verified All required verifier gates passed for this check.
Quote AMD SEV-SNP (VCEK)
Policy 0x30000
Report Data dafe5621ccbe3c5228029634aadaed0cd10b4f04cdf14c25cd86ddd5e15f964eaec7c76b13a09a9ce126486d81918742368fc9d4419dbe8066388da8794fbe17
Signature ECDSA-P384 ✓
Images Registry verified ✓
Sigstore Bundle Crypto Verified ✓
Measurements Match ✓
Release v0.0.106
Sigstore Repo tinfoilsh/confidential-model-router
Confidential Channel E2EE to attested enclave key ✓
ghcr.io/tinfoilsh/confidential-model-router@sha256:08313282f9eaf987ebe71b4c84fcddd1ba280308395ab5ce7c1a3f70ead4f984vllm/vllm-openai:v0.22.0@sha256:0fec7ec5f3e6bc168e54899935fb0557da908a4832a1dbc88e2debcf2f889416
Security Model Attested E2EE
What This Means Payloads are encrypted to an attested enclave key; gateway TLS termination is expected
E2EE Protocol hpke
Signing Key aec7c76b13a09a9ce126486d81918742368fc9d4419dbe8066388da8794fbe17
Kimi K2.6 (TEE) AMD SEV-SNP Attested E2EE Details
Verified All required verifier gates passed for this check.
Quote AMD SEV-SNP (VCEK)
Policy 0x30000
Report Data 7257e18a0ccd13634515c863ecefe082aca6ecc337f27534caef8e03a9f5032f87705a074c23bdd758548815c46e29ad4b8f615771e89c8b9e40a3d79dd75079
Signature ECDSA-P384 ✓
Images Registry verified ✓
Sigstore Bundle Crypto Verified ✓
Measurements Match ✓
Release v0.0.106
Sigstore Repo tinfoilsh/confidential-model-router
Confidential Channel E2EE to attested enclave key ✓
ghcr.io/tinfoilsh/confidential-model-router@sha256:08313282f9eaf987ebe71b4c84fcddd1ba280308395ab5ce7c1a3f70ead4f984vllm/vllm-openai:v0.21.0-ubuntu2404@sha256:b0ac5da3f45ae5bfacb72e69b5bfd6150c22bd9cf4fc2c839400395106a5cc4e
Security Model Attested E2EE
What This Means Payloads are encrypted to an attested enclave key; gateway TLS termination is expected
E2EE Protocol hpke
Signing Key 87705a074c23bdd758548815c46e29ad4b8f615771e89c8b9e40a3d79dd75079
Llama 3.3 70B (TEE) AMD SEV-SNP Attested E2EE Details
Image provenance incomplete Hardware evidence passed, but one or more container image pins could not be verified.
Quote AMD SEV-SNP (VCEK)
Policy 0x30000
Report Data dafe5621ccbe3c5228029634aadaed0cd10b4f04cdf14c25cd86ddd5e15f964eaec7c76b13a09a9ce126486d81918742368fc9d4419dbe8066388da8794fbe17
Signature ECDSA-P384 ✓
Images Verification failed ✗
Sigstore Bundle Crypto Verified ✓
Measurements Match ✓
Release v0.0.106
Sigstore Repo tinfoilsh/confidential-model-router
Confidential Channel E2EE to attested enclave key ✓
ghcr.io/tinfoilsh/confidential-model-router@sha256:08313282f9eaf987ebe71b4c84fcddd1ba280308395ab5ce7c1a3f70ead4f984vllm/vllm-openai:v0.22.0@sha256:0fec7ec5f3e6bc168e54899935fb0557da908a4832a1dbc88e2debcf2f889416
Security Model Attested E2EE
What This Means Payloads are encrypted to an attested enclave key; gateway TLS termination is expected
E2EE Protocol hpke
Signing Key aec7c76b13a09a9ce126486d81918742368fc9d4419dbe8066388da8794fbe17
Qwen3-VL 30B (TEE) AMD SEV-SNP Attested E2EE Details
Verified All required verifier gates passed for this check.
Quote AMD SEV-SNP (VCEK)
Policy 0x30000
Report Data 7257e18a0ccd13634515c863ecefe082aca6ecc337f27534caef8e03a9f5032f87705a074c23bdd758548815c46e29ad4b8f615771e89c8b9e40a3d79dd75079
Signature ECDSA-P384 ✓
Images Registry verified ✓
Sigstore Bundle Crypto Verified ✓
Measurements Match ✓
Release v0.0.106
Sigstore Repo tinfoilsh/confidential-model-router
Confidential Channel E2EE to attested enclave key ✓
ghcr.io/tinfoilsh/confidential-model-router@sha256:08313282f9eaf987ebe71b4c84fcddd1ba280308395ab5ce7c1a3f70ead4f984vllm/vllm-openai:v0.22.0@sha256:0fec7ec5f3e6bc168e54899935fb0557da908a4832a1dbc88e2debcf2f889416
Security Model Attested E2EE
What This Means Payloads are encrypted to an attested enclave key; gateway TLS termination is expected
E2EE Protocol hpke
Signing Key 87705a074c23bdd758548815c46e29ad4b8f615771e89c8b9e40a3d79dd75079

Privatemode

6/6
Fully verified Every check passed its required attestation, channel, and provenance gates.
6 verified 0 partial 0 failed 0 unavailable
Attested E2EE
Hardware 6 bad Freshness Not shown Key binding Not shown Workload Not shown Provenance 6/6 good Availability 6/6 good
No open issues
Gemma 4 31b Attested E2EE Details
Verified All required verifier gates passed for this check.
Check Liveness only
Gpt Oss 120b Attested E2EE Details
Verified All required verifier gates passed for this check.
Check Liveness only
Kimi K2.6 Attested E2EE Details
Verified All required verifier gates passed for this check.
Check Liveness only
Qwen3 Embedding 4b Attested E2EE Details
Verified All required verifier gates passed for this check.
Check Liveness only
Voxtral Mini 3b Attested E2EE Details
Verified All required verifier gates passed for this check.
Check Liveness only
Whisper Large V3 Attested E2EE Details
Verified All required verifier gates passed for this check.
Check Liveness only

Redpill

4+9/23
Critical trust failures At least one check failed a quote, freshness, key-binding, measurement, or policy gate.
4 verified 9 partial 9 failed 1 unavailable
Intel TDX Attested E2EE Phala/dstack
Hardware 22/23 good Freshness 9 bad Key binding 9 bad Workload 9 bad Provenance 18 warning Availability 1 warning
Measurement mismatch 9 Signer not bound 9 Nonce not bound 9 Image provenance incomplete 18
DeepSeek V3.2 (TEE) Intel TDX Details
Measurement mismatch The measured deployment could not be tied to the expected workload configuration.
Quote Intel TDX (DCAP QVL)
TCB Level status=UpToDate, advisories=[]
Report Data 31525f7d0d2505245310c1a543849c76088da4dd91d39e8c8916f018e5e7e9871fd01859295f376b2cb94b0230b800e1e9c7c653cd81486b0d86885a7d688003
Signature ECDSA-P384 ✓
Compose Hash Mismatch ✗
Nonce Bound No ✗
Enclave TLS Pin ffe9580f917878c208fd0f404c2bf1f683acd351ee8ecf6604f642dbe5cd4bf6 ✗
Security Model No Verified Channel
What This Means No hardware attestation verified
Gemma 4 31B (TEE) Details
Endpoint unavailable Fresh evidence could not be fetched in this run.
Check No public attestation endpoint
GLM 4.7 (TEE) Intel TDX Attested E2EE Details
Verified All required verifier gates passed for this check.
Quote Intel TDX (DCAP QVL)
TCB Level status=UpToDate, advisories=[]
Report Data bb4d2e7ffe98eefcd9690e2139be41e92b95e3330000000000000000000000003459a0e55a734ae112bdaddab1b88f05a7f4e196edd5d79e8ff496d6b7129469
Signature ECDSA-P384 ✓
Compose Hash Verified ✓
TCB Consistent sha256 match ✓
Images Registry verified ✓
Confidential Channel E2EE to attested enclave key ✓
Signer Bound Yes ✓
Nonce Bound Yes ✓
Gateway TLS ffe9580f917878c208fd0f404c2bf1f683acd351ee8ecf6604f642dbe5cd4bf6 (external termination)
App dstack-nvidia-0.5.5
Images 5 containers
datadog/agent@sha256:5556fb80b952832719a76b016f905616c76ee0989a239c4680c6220148e865d6certbot/dns-cloudflare@sha256:742dbd2e61c8709b930712c38958386c3cb3928e09eeb1f1e490600c127e2edbcertbot/dns-cloudflare@sha256:742dbd2e61c8709b930712c38958386c3cb3928e09eeb1f1e490600c127e2edbnearaidev/compose-manager@sha256:44aa2344d68609700074a8076ed177bb1989c7f5fd1e175a13084d512be475e9nearaidev/compose-manager-launcher@sha256:171c1cffea23625628fc11038a590173745d83e3570d855e53ab5a91279f95bf
RTMR0 bc122d143ab768565ba5c3774ff5f03a63c89a4df7c1f5ea38d3bd173409d14f8cbdcc36d40e703cccb996a9d9687590
OS Image 9b69bb1698bacbb6985409a2c272bcb892e09cdcea63d5399c6768b67d3ff677
Security Model Attested E2EE
What This Means Payloads are encrypted to an attested enclave key; gateway TLS termination is expected
Infrastructure Phala/dstack
E2EE Protocol ecdsa
Signing Key 2a1c47aad08a4f47dcb67134d77b83d8a1d5c895e37e959189249e819c3939289d8c59acb07d262db3ca946d52c51ae079fde6708cb0af7e25a57d35c8e0ac30
GLM 5.1 (TEE) Intel TDX Details
Measurement mismatch The measured deployment could not be tied to the expected workload configuration.
Quote Intel TDX (DCAP QVL)
TCB Level status=UpToDate, advisories=[]
Report Data b59a70e0d6ef482e18e2458fb88339d76d3a3251121788e6f3d3cd32c14d7c857167c3900b2000a8e9d307a2ce2f5254a9c24dd5dba0abd5e25b79f277f57685
Signature ECDSA-P384 ✓
Compose Hash Mismatch ✗
Nonce Bound No ✗
Enclave TLS Pin ffe9580f917878c208fd0f404c2bf1f683acd351ee8ecf6604f642dbe5cd4bf6 ✗
Security Model No Verified Channel
What This Means No hardware attestation verified
GPT-OSS 120B (TEE) Intel TDX Attested E2EE Details
Verified All required verifier gates passed for this check.
Quote Intel TDX (DCAP QVL)
TCB Level status=UpToDate, advisories=[]
Report Data 56d070df1c6be444b007839ef9cf67cec7c12b8b00000000000000000000000058f05667cf4327a08fa1c30c0e86268f8a5ba69a1d427b79dba8435c5a7c2c09
Signature ECDSA-P384 ✓
Compose Hash Verified ✓
TCB Consistent sha256 match ✓
Images Registry verified ✓
Confidential Channel E2EE to attested enclave key ✓
Signer Bound Yes ✓
Nonce Bound Yes ✓
Gateway TLS ffe9580f917878c208fd0f404c2bf1f683acd351ee8ecf6604f642dbe5cd4bf6 (external termination)
App dstack-nvidia-0.5.5
Images 5 containers
datadog/agent@sha256:5556fb80b952832719a76b016f905616c76ee0989a239c4680c6220148e865d6certbot/dns-cloudflare@sha256:742dbd2e61c8709b930712c38958386c3cb3928e09eeb1f1e490600c127e2edbcertbot/dns-cloudflare@sha256:742dbd2e61c8709b930712c38958386c3cb3928e09eeb1f1e490600c127e2edbnearaidev/compose-manager@sha256:44aa2344d68609700074a8076ed177bb1989c7f5fd1e175a13084d512be475e9nearaidev/compose-manager-launcher@sha256:171c1cffea23625628fc11038a590173745d83e3570d855e53ab5a91279f95bf
RTMR0 bc122d143ab768565ba5c3774ff5f03a63c89a4df7c1f5ea38d3bd173409d14f8cbdcc36d40e703cccb996a9d9687590
OS Image 9b69bb1698bacbb6985409a2c272bcb892e09cdcea63d5399c6768b67d3ff677
Security Model Attested E2EE
What This Means Payloads are encrypted to an attested enclave key; gateway TLS termination is expected
Infrastructure Phala/dstack
E2EE Protocol ecdsa
Signing Key a31cdd4f9443ebc31cffffd688621a1807b41c2f02649881d010f881de0a5e94ddec8208161e8fa02ae3748700bf8be3333c9683d6e13e0bbe7e92ee7d2243b8
GPT-OSS 20B (TEE) Intel TDX Attested E2EE Details
Image provenance incomplete Hardware evidence passed, but one or more container image pins could not be verified.
Quote Intel TDX (DCAP QVL)
TCB Level status=UpToDate, advisories=[]
Report Data 87bc76587927c685a743beab4fd673f1d3c361cb000000000000000000000000b983c2c089a42229279d8b81836413e6be8cbe7e0984bb6bb9438ab4e09e290f
Signature ECDSA-P384 ✓
Compose Hash Verified ✓
TCB Consistent sha256 match ✓
Confidential Channel E2EE to attested enclave key ✓
Signer Bound Yes ✓
Nonce Bound Yes ✓
Gateway TLS ffe9580f917878c208fd0f404c2bf1f683acd351ee8ecf6604f642dbe5cd4bf6 (external termination)
Images 11 containers
dstacktee/dstack-ingress:1.2dstacktee/dstack-ingress:1.2python:3.10-slimdstacktee/vllm-proxy:v0.2.19vllm/vllm-openai:v0.10.2alpine:latestpython:3.10-slimdstacktee/vllm-proxy:v0.2.19vllm/vllm-openai:v0.10.2alpine:latesthaproxy:2.9-alpine
RTMR0 6ffe4a2c12f07eccb857f70f370a5af848a7062905cd95adc43abb1f62c39e330aa3c8aeb8f162656c025f3f527600f1
OS Image e3e677dd53901c4b12ad202fedded37687944d00f9176a26605894400121bb3e
Security Model Attested E2EE
What This Means Payloads are encrypted to an attested enclave key; gateway TLS termination is expected
Infrastructure unknown-dstack
E2EE Protocol ecdsa
Signing Key 576d32379f00ca0ea695b7075afdf892979b4e97a56bb1484ff8cec956c4a487b7cb73bd0d3c87cca131ac7bb792e86a4f246258a3748e9a25b484b69749fe62
Kimi K2.5 (TEE) Intel TDX Details
Measurement mismatch The measured deployment could not be tied to the expected workload configuration.
Quote Intel TDX (DCAP QVL)
TCB Level status=UpToDate, advisories=[]
Report Data 3017831ca6e0c37d74358836b7e4563a262785c8442498b6bac443b819656b43365c93f3bc5d52c6176a9a2c4922a29674c96ef7ea8c2a2f1e80a8531c67542f
Signature ECDSA-P384 ✓
Compose Hash Mismatch ✗
Nonce Bound No ✗
Enclave TLS Pin ffe9580f917878c208fd0f404c2bf1f683acd351ee8ecf6604f642dbe5cd4bf6 ✗
Security Model No Verified Channel
What This Means No hardware attestation verified
Kimi K2.6 (TEE) Intel TDX Details
Measurement mismatch The measured deployment could not be tied to the expected workload configuration.
Quote Intel TDX (DCAP QVL)
TCB Level status=UpToDate, advisories=[]
Report Data c75f349601ae9e62bbfcc170c820012b7e4a71b02d4a239040f7f81d9093b5f2f4ce20f618ea7000dc9e5412aaedef6d663b8dd81b18fd0800c4cb2665109451
Signature ECDSA-P384 ✓
Compose Hash Mismatch ✗
Nonce Bound No ✗
Enclave TLS Pin ffe9580f917878c208fd0f404c2bf1f683acd351ee8ecf6604f642dbe5cd4bf6 ✗
Security Model No Verified Channel
What This Means No hardware attestation verified
Phala/deepseek Chat V3.1 (TEE) Intel TDX Attested E2EE Details
Verified All required verifier gates passed for this check.
Quote Intel TDX (DCAP QVL)
TCB Level status=UpToDate, advisories=[]
Report Data 6525e128afcffebf7eed05d485d7be983cdae934000000000000000000000000e0bdb9b75b779feefae699e6cd38cee0b6783d6239608cb5d810c0a50232b7ad
Signature ECDSA-P384 ✓
Compose Hash Verified ✓
TCB Consistent sha256 match ✓
Images Registry verified ✓
Confidential Channel E2EE to attested enclave key ✓
Signer Bound Yes ✓
Nonce Bound Yes ✓
Gateway TLS ffe9580f917878c208fd0f404c2bf1f683acd351ee8ecf6604f642dbe5cd4bf6 (external termination)
App dstack-nvidia-0.5.5
Images 5 containers
datadog/agent@sha256:5556fb80b952832719a76b016f905616c76ee0989a239c4680c6220148e865d6certbot/dns-cloudflare@sha256:742dbd2e61c8709b930712c38958386c3cb3928e09eeb1f1e490600c127e2edbcertbot/dns-cloudflare@sha256:742dbd2e61c8709b930712c38958386c3cb3928e09eeb1f1e490600c127e2edbnearaidev/compose-manager@sha256:44aa2344d68609700074a8076ed177bb1989c7f5fd1e175a13084d512be475e9nearaidev/compose-manager-launcher@sha256:171c1cffea23625628fc11038a590173745d83e3570d855e53ab5a91279f95bf
RTMR0 bc122d143ab768565ba5c3774ff5f03a63c89a4df7c1f5ea38d3bd173409d14f8cbdcc36d40e703cccb996a9d9687590
OS Image 9b69bb1698bacbb6985409a2c272bcb892e09cdcea63d5399c6768b67d3ff677
Security Model Attested E2EE
What This Means Payloads are encrypted to an attested enclave key; gateway TLS termination is expected
Infrastructure Phala/dstack
E2EE Protocol ecdsa
Signing Key 1d9bbc96671c3fbc983867bd7a6b5c83298e040801764b7085352d84f3f095125db36956caed8c84bfefca635c3c455f409c79a3889d679af688f4aded542fd5
Phala/gemma 3 27b It (TEE) Intel TDX Attested E2EE Details
Image provenance incomplete Hardware evidence passed, but one or more container image pins could not be verified.
Quote Intel TDX (DCAP QVL)
TCB Level status=UpToDate, advisories=[]
Report Data a6df16ebbc510d97a32b99b4dfd33793acc90e2b000000000000000000000000df7157b0722079a713e747a469ae2d715f7f09b0830c126e8e7c9a6014bfc0b1
Signature ECDSA-P384 ✓
Compose Hash Verified ✓
TCB Consistent sha256 match ✓
Confidential Channel E2EE to attested enclave key ✓
Signer Bound Yes ✓
Nonce Bound Yes ✓
Gateway TLS ffe9580f917878c208fd0f404c2bf1f683acd351ee8ecf6604f642dbe5cd4bf6 (external termination)
Images 11 containers
dstacktee/dstack-ingress:1.2dstacktee/dstack-ingress:1.2python:3.10-slimdstacktee/vllm-proxy:v0.2.19vllm/vllm-openai:v0.10.2alpine:latestpython:3.10-slimdstacktee/vllm-proxy:v0.2.19vllm/vllm-openai:v0.10.2alpine:latesthaproxy:2.9-alpine
RTMR0 6ffe4a2c12f07eccb857f70f370a5af848a7062905cd95adc43abb1f62c39e330aa3c8aeb8f162656c025f3f527600f1
OS Image e3e677dd53901c4b12ad202fedded37687944d00f9176a26605894400121bb3e
Security Model Attested E2EE
What This Means Payloads are encrypted to an attested enclave key; gateway TLS termination is expected
Infrastructure unknown-dstack
E2EE Protocol ecdsa
Signing Key 1978320ac2396640cc00f05313f920c34fce8e684daec4d4932feb1f2f51d42fa06fe9a1dfd0113089165acdb573115fb93fc87af11d58eb14431cd6dc82df1d
Phala/gemma 4 26b A4b Uncensored (TEE) Intel TDX Attested E2EE Details
Image provenance incomplete Hardware evidence passed, but one or more container image pins could not be verified.
Quote Intel TDX (DCAP QVL)
TCB Level status=UpToDate, advisories=[]
Report Data 2808450d167d70468c4ea267765a20ccb096319e0000000000000000000000002445a2a967d5767bb2b7ec60c195776112f6717a8f685ec5351bc44a30e95c1b
Signature ECDSA-P384 ✓
Compose Hash Verified ✓
TCB Consistent sha256 match ✓
Confidential Channel E2EE to attested enclave key ✓
Signer Bound Yes ✓
Nonce Bound Yes ✓
Gateway TLS ffe9580f917878c208fd0f404c2bf1f683acd351ee8ecf6604f642dbe5cd4bf6 (external termination)
Images 9 containers
python:3.10-slimdstacktee/vllm-proxy:v0.2.19vllm/vllm-openai:latestalpine:latestpython:3.10-slimdstacktee/vllm-proxy:v0.2.19vllm/vllm-openai:latestalpine:latesthaproxy:2.9-alpine
RTMR0 6ffe4a2c12f07eccb857f70f370a5af848a7062905cd95adc43abb1f62c39e330aa3c8aeb8f162656c025f3f527600f1
OS Image 0e09f2bcb510c682b461d16b97192c710886db582852991e05146291063f890b
Security Model Attested E2EE
What This Means Payloads are encrypted to an attested enclave key; gateway TLS termination is expected
Infrastructure unknown-dstack
E2EE Protocol ecdsa
Signing Key 1860d4f8c6e7effe4bab1d006a70bd06aa77e758aec0333fb09d2e4ebfaa1def47856afd418f45192de93ab7b3a3eb2b0c6b11f77cf52dc6b8996f937723f507
Phala/glm 4.7 Flash (TEE) Intel TDX Attested E2EE Details
Image provenance incomplete Hardware evidence passed, but one or more container image pins could not be verified.
Quote Intel TDX (DCAP QVL)
TCB Level status=UpToDate, advisories=[]
Report Data ea488405709f71fac7fec9448291da3873cb4d7c000000000000000000000000e64df0c8342765f050a8aff6bd0a868e97342351aa8cdc4ec1f696993a71913c
Signature ECDSA-P384 ✓
Compose Hash Verified ✓
TCB Consistent sha256 match ✓
Confidential Channel E2EE to attested enclave key ✓
Signer Bound Yes ✓
Nonce Bound Yes ✓
Gateway TLS ffe9580f917878c208fd0f404c2bf1f683acd351ee8ecf6604f642dbe5cd4bf6 (external termination)
Images 6 containers
dstacktee/dstack-ingress:1.2python:3.10-slimdstacktee/vllm-proxy:v0.2.19lmsysorg/sglang:v0.5.10haproxy:2.9-alpinealpine:latest
RTMR0 6ffe4a2c12f07eccb857f70f370a5af848a7062905cd95adc43abb1f62c39e330aa3c8aeb8f162656c025f3f527600f1
OS Image 021bf66a7c9fd4a05031b8fa688834948874631c2ad5b9a2d566b4421b817271
Security Model Attested E2EE
What This Means Payloads are encrypted to an attested enclave key; gateway TLS termination is expected
Infrastructure unknown-dstack
E2EE Protocol ecdsa
Signing Key f6687f1cc4018685d1c91febd24702fbba0837d4a1c5b581cea347b635f021ed3d9905d90224a820160c99123ccc8c2117c707e388b6a099059d91f9603f4686
Phala/glm 5 (TEE) Intel TDX Details
Measurement mismatch The measured deployment could not be tied to the expected workload configuration.
Quote Intel TDX (DCAP QVL)
TCB Level status=UpToDate, advisories=[]
Report Data 243752efd433874aa5366c43bfd034997a7ec1537fb603929781c077fdef81374fa7a3526f31544931333568519ee8dfaee40181bfb19f4a08f82cf30708c7e3
Signature ECDSA-P384 ✓
Compose Hash Mismatch ✗
Nonce Bound No ✗
Enclave TLS Pin ffe9580f917878c208fd0f404c2bf1f683acd351ee8ecf6604f642dbe5cd4bf6 ✗
Security Model No Verified Channel
What This Means No hardware attestation verified
Phala/minimax M2.5 (TEE) Intel TDX Details
Measurement mismatch The measured deployment could not be tied to the expected workload configuration.
Quote Intel TDX (DCAP QVL)
TCB Level status=UpToDate, advisories=[]
Report Data 2b693ec5c49b047f321f5187188f7d1578a443c42ec818c225bf074e7c2ae432f65ca24c15e79b7a74eeaa8e75da0ee23dc51987b190ced7bfeb2489dbb06e36
Signature ECDSA-P384 ✓
Compose Hash Mismatch ✗
Nonce Bound No ✗
Enclave TLS Pin ffe9580f917878c208fd0f404c2bf1f683acd351ee8ecf6604f642dbe5cd4bf6 ✗
Security Model No Verified Channel
What This Means No hardware attestation verified
Phala/qwen2.5 Vl 72b Instruct (TEE) Intel TDX Attested E2EE Details
Image provenance incomplete Hardware evidence passed, but one or more container image pins could not be verified.
Quote Intel TDX (DCAP QVL)
TCB Level status=UpToDate, advisories=[]
Report Data a10befbf9cbef57f58a3a85ac9b6b9f5b6cffdda0000000000000000000000001b8c4b0be7a8b4ccb95167ed556af92436d2dd8eadc48c8ce7b7dea9c8841f22
Signature ECDSA-P384 ✓
Compose Hash Verified ✓
TCB Consistent sha256 match ✓
Confidential Channel E2EE to attested enclave key ✓
Signer Bound Yes ✓
Nonce Bound Yes ✓
Gateway TLS ffe9580f917878c208fd0f404c2bf1f683acd351ee8ecf6604f642dbe5cd4bf6 (external termination)
Images 11 containers
dstacktee/dstack-ingress:1.2dstacktee/dstack-ingress:1.2haproxy:2.9-alpinepython:3.10-slimvllm/vllm-openai:v0.10.2dstacktee/vllm-proxy:v0.2.19alpine:latestpython:3.10-slimvllm/vllm-openai:latestdstacktee/vllm-proxy:v0.2.19alpine:latest
RTMR0 6ffe4a2c12f07eccb857f70f370a5af848a7062905cd95adc43abb1f62c39e330aa3c8aeb8f162656c025f3f527600f1
OS Image e3e677dd53901c4b12ad202fedded37687944d00f9176a26605894400121bb3e
Security Model Attested E2EE
What This Means Payloads are encrypted to an attested enclave key; gateway TLS termination is expected
Infrastructure unknown-dstack
E2EE Protocol ecdsa
Signing Key ebfcaac2df73f15c9d60a76bf03078ba3c93b8b6c44f039570a5d0223201fc82887770f8ebce89f12a4b0ce541af84b67b7e4e02b204b202e3131359ba13c1e4
Phala/qwen3.5 27b (TEE) Intel TDX Attested E2EE Details
Image provenance incomplete Hardware evidence passed, but one or more container image pins could not be verified.
Quote Intel TDX (DCAP QVL)
TCB Level status=UpToDate, advisories=[]
Report Data 78c3eb272f2798599d2643e166c0a78bb7c36b770000000000000000000000003c34757b09b4308b96f1a663556bc2b638f31b7e38a6391546d4969a38c5bf54
Signature ECDSA-P384 ✓
Compose Hash Verified ✓
TCB Consistent sha256 match ✓
Confidential Channel E2EE to attested enclave key ✓
Signer Bound Yes ✓
Nonce Bound Yes ✓
Gateway TLS ffe9580f917878c208fd0f404c2bf1f683acd351ee8ecf6604f642dbe5cd4bf6 (external termination)
Images 7 containers
dstacktee/dstack-ingress:1.2python:3.10-slimdstacktee/vllm-proxy:v0.2.19lmsysorg/sglang:devlmsysorg/sglang:devhaproxy:2.9-alpinealpine:latest
RTMR0 6ffe4a2c12f07eccb857f70f370a5af848a7062905cd95adc43abb1f62c39e330aa3c8aeb8f162656c025f3f527600f1
OS Image f2e62bc784cc1d7cec9e36ce2e83dce88760de47749a16d660ef6b5d4f97e51d
Security Model Attested E2EE
What This Means Payloads are encrypted to an attested enclave key; gateway TLS termination is expected
Infrastructure unknown-dstack
E2EE Protocol ecdsa
Signing Key 7e36fe3fcb4910bd3d8cd20a4f7402088e7822b62b1f41a5fa230e19df8feef4c4e45ddfa32817976da90b15f0c36e82a04da2bc6c6858e8689b5f1d2924b0b7
Phala/qwen3.6 27b (TEE) Intel TDX Details
Measurement mismatch The measured deployment could not be tied to the expected workload configuration.
Quote Intel TDX (DCAP QVL)
TCB Level status=UpToDate, advisories=[]
Report Data ea47bc869520e96d86a8a96b17598b053fc0bde2a137ddfc2df795a8d2c2ac28c0fded88b6846e7c793d0a74f730172ddf1b62858c0f562fea14edbda8008e31
Signature ECDSA-P384 ✓
Compose Hash Mismatch ✗
Nonce Bound No ✗
Enclave TLS Pin ffe9580f917878c208fd0f404c2bf1f683acd351ee8ecf6604f642dbe5cd4bf6 ✗
Security Model No Verified Channel
What This Means No hardware attestation verified
Phala/qwen3.6 35b A3b Uncensored (TEE) Intel TDX Attested E2EE Details
Image provenance incomplete Hardware evidence passed, but one or more container image pins could not be verified.
Quote Intel TDX (DCAP QVL)
TCB Level status=UpToDate, advisories=[]
Report Data 4c4e5e69fadffb8e55c306d867dc88792bd3221d0000000000000000000000004f9addefcdbe49786a1c836982935d313d4b6d5106c28caefb1a342424e5303b
Signature ECDSA-P384 ✓
Compose Hash Verified ✓
TCB Consistent sha256 match ✓
Confidential Channel E2EE to attested enclave key ✓
Signer Bound Yes ✓
Nonce Bound Yes ✓
Gateway TLS ffe9580f917878c208fd0f404c2bf1f683acd351ee8ecf6604f642dbe5cd4bf6 (external termination)
Images 9 containers
python:3.10-slimdstacktee/vllm-proxy:v0.2.19vllm/vllm-openai:latestalpine:latestpython:3.10-slimdstacktee/vllm-proxy:v0.2.19vllm/vllm-openai:latestalpine:latesthaproxy:2.9-alpine
RTMR0 6ffe4a2c12f07eccb857f70f370a5af848a7062905cd95adc43abb1f62c39e330aa3c8aeb8f162656c025f3f527600f1
OS Image 0e09f2bcb510c682b461d16b97192c710886db582852991e05146291063f890b
Security Model Attested E2EE
What This Means Payloads are encrypted to an attested enclave key; gateway TLS termination is expected
Infrastructure unknown-dstack
E2EE Protocol ecdsa
Signing Key 9964ea48411266957c8cc1fd0c641ba5b97a4d31784dd2428fd047d58c30a5d31db3521036726942e39b6748c811c1d17341d7b2d2bda16a6d5ca68a9ab0d9fe
Phala/uncensored 24b (TEE) Intel TDX Attested E2EE Details
Image provenance incomplete Hardware evidence passed, but one or more container image pins could not be verified.
Quote Intel TDX (DCAP QVL)
TCB Level status=UpToDate, advisories=[]
Report Data 337f14bbaeaddfd6f7c9a0722f3d06574674c4260000000000000000000000003632f397187da18e92b38f46aa010da0a8d1fb4b9fceb92ee6aa9b031958ce4d
Signature ECDSA-P384 ✓
Compose Hash Verified ✓
TCB Consistent sha256 match ✓
Confidential Channel E2EE to attested enclave key ✓
Signer Bound Yes ✓
Nonce Bound Yes ✓
Gateway TLS ffe9580f917878c208fd0f404c2bf1f683acd351ee8ecf6604f642dbe5cd4bf6 (external termination)
Images 16 containers
dstacktee/dstack-ingress:1.2dstacktee/dstack-ingress:1.2dstacktee/dstack-ingress:1.2python:3.10-slimpython:3.10-slimdstacktee/vllm-proxy:v0.2.19vllm/vllm-openai:latestdstacktee/vllm-proxy:v0.2.19vllm/vllm-openai:latestpython:3.10-slimvllm/vllm-openai:latestdstacktee/vllm-proxy:v0.2.19alpine:latesthaproxy:2.9-alpinealpine:latestalpine:latest
RTMR0 6ffe4a2c12f07eccb857f70f370a5af848a7062905cd95adc43abb1f62c39e330aa3c8aeb8f162656c025f3f527600f1
OS Image 021bf66a7c9fd4a05031b8fa688834948874631c2ad5b9a2d566b4421b817271
Security Model Attested E2EE
What This Means Payloads are encrypted to an attested enclave key; gateway TLS termination is expected
Infrastructure unknown-dstack
E2EE Protocol ecdsa
Signing Key b94aa42e7d246bc8b3763858fa5d57e899f9b11bbd5a57583b892a2c532eafc7ed0d52a9c7c3339488efd9eec3c944fb2533358fbff8e892d418daf0ff5bd39d
Qwen 2.5 7B (TEE) Intel TDX Attested E2EE Details
Image provenance incomplete Hardware evidence passed, but one or more container image pins could not be verified.
Quote Intel TDX (DCAP QVL)
TCB Level status=UpToDate, advisories=[]
Report Data c577686b28bd33181132ed2df44f9712315834ce000000000000000000000000024c836f4cbeeb6e4c58d5e84a02d1fae2cf1aa574d3025174f1f7df95ba05db
Signature ECDSA-P384 ✓
Compose Hash Verified ✓
TCB Consistent sha256 match ✓
Confidential Channel E2EE to attested enclave key ✓
Signer Bound Yes ✓
Nonce Bound Yes ✓
Gateway TLS ffe9580f917878c208fd0f404c2bf1f683acd351ee8ecf6604f642dbe5cd4bf6 (external termination)
Images 11 containers
dstacktee/dstack-ingress:1.2dstacktee/dstack-ingress:1.2haproxy:2.9-alpinepython:3.10-slimvllm/vllm-openai:v0.10.2dstacktee/vllm-proxy:v0.2.19alpine:latestpython:3.10-slimvllm/vllm-openai:latestdstacktee/vllm-proxy:v0.2.19alpine:latest
RTMR0 6ffe4a2c12f07eccb857f70f370a5af848a7062905cd95adc43abb1f62c39e330aa3c8aeb8f162656c025f3f527600f1
OS Image e3e677dd53901c4b12ad202fedded37687944d00f9176a26605894400121bb3e
Security Model Attested E2EE
What This Means Payloads are encrypted to an attested enclave key; gateway TLS termination is expected
Infrastructure unknown-dstack
E2EE Protocol ecdsa
Signing Key 22facc52ae9742acbfeb2e9d03620d08464d69734b4c3c9fbbf65f11177894d659cc8510cb67f0d7694f5ed4342777b7873dc85c94edaad0b7fb68bb23f2d290
Qwen3 30B (TEE) Intel TDX Attested E2EE Details
Verified All required verifier gates passed for this check.
Quote Intel TDX (DCAP QVL)
TCB Level status=UpToDate, advisories=[]
Report Data c03b0cfc81531eb9cffca4c65aabfaf9b181ac63000000000000000000000000d9073574a3969fe6ceab559ed75e9333e07f1946932f706e0fd456ab8db9f57b
Signature ECDSA-P384 ✓
Compose Hash Verified ✓
TCB Consistent sha256 match ✓
Images Registry verified ✓
Confidential Channel E2EE to attested enclave key ✓
Signer Bound Yes ✓
Nonce Bound Yes ✓
Gateway TLS ffe9580f917878c208fd0f404c2bf1f683acd351ee8ecf6604f642dbe5cd4bf6 (external termination)
App dstack-nvidia-0.5.5
Images 5 containers
datadog/agent@sha256:5556fb80b952832719a76b016f905616c76ee0989a239c4680c6220148e865d6certbot/dns-cloudflare@sha256:742dbd2e61c8709b930712c38958386c3cb3928e09eeb1f1e490600c127e2edbcertbot/dns-cloudflare@sha256:742dbd2e61c8709b930712c38958386c3cb3928e09eeb1f1e490600c127e2edbnearaidev/compose-manager@sha256:5165400d9eb43ab5da36986a85de0ba55f3fb4d05211c4397ecc4bde3ef0113bnearaidev/compose-manager-launcher@sha256:d652f92b64f57ef8aa086bd77a4cf932c1976965b3cea2814a7ee82fe73aa993
RTMR0 bc122d143ab768565ba5c3774ff5f03a63c89a4df7c1f5ea38d3bd173409d14f8cbdcc36d40e703cccb996a9d9687590
OS Image 9b69bb1698bacbb6985409a2c272bcb892e09cdcea63d5399c6768b67d3ff677
Security Model Attested E2EE
What This Means Payloads are encrypted to an attested enclave key; gateway TLS termination is expected
Infrastructure Phala/dstack
E2EE Protocol ecdsa
Signing Key d33af782492ec889abc0b0a30a065bb7c06d898c0982dbd27e10d7eb9640f169f76d6ffbef9562583b225367d0262ff06750ad710aa6bc1c557662c8905783d6
Qwen3-VL 30B (TEE) Intel TDX Details
Measurement mismatch The measured deployment could not be tied to the expected workload configuration.
Quote Intel TDX (DCAP QVL)
TCB Level status=UpToDate, advisories=[]
Report Data 15c6552c60ebfcbb6ca7fa9acc54355ac379d87f25d7051ad3d26d9cae1a21337120bc5b3c14e6e7fda9b9b0645d880538571fb258b04afa8505f6f06373a80b
Signature ECDSA-P384 ✓
Compose Hash Mismatch ✗
Nonce Bound No ✗
Enclave TLS Pin ffe9580f917878c208fd0f404c2bf1f683acd351ee8ecf6604f642dbe5cd4bf6 ✗
Security Model No Verified Channel
What This Means No hardware attestation verified
Qwen3.5 397B (TEE) Intel TDX Details
Measurement mismatch The measured deployment could not be tied to the expected workload configuration.
Quote Intel TDX (DCAP QVL)
TCB Level status=UpToDate, advisories=[]
Report Data 3879b0779968422272744ffa25f876dc8949f8f0e9a9edbb41c35d4299fd495358b782abceee6679e504b57ee7bbfbd76c364f56d0c8d6b0a68df8b81b4db6c6
Signature ECDSA-P384 ✓
Compose Hash Mismatch ✗
Nonce Bound No ✗
Enclave TLS Pin ffe9580f917878c208fd0f404c2bf1f683acd351ee8ecf6604f642dbe5cd4bf6 ✗
Security Model No Verified Channel
What This Means No hardware attestation verified

Tinfoil

8+1/9
Hardware verified, provenance incomplete TEE evidence passed, but source or image provenance is not fully pinned for every check.
8 verified 1 partial 0 failed 0 unavailable
TDX + SNP TEE-Terminated TLS TEE-only Gateway
Hardware 9/9 good Freshness Not shown Key binding 8/9 good Workload Not shown Provenance 1 warning Availability 9/9 good
Image provenance incomplete 1
DeepSeek V4 Pro Intel TDX TEE-Terminated TLS Details
Verified All required verifier gates passed for this check.
Quote Intel TDX (DCAP QVL)
TCB Level status=UpToDate, advisories=[]
Report Data 834838d358e090a126a608a1ef01bea07afae3fc6d8f71533d66a2a53b83f750a01290db927a5c92bb9b39d45a02cb19c3d66643baa9dcc8d762518453cf351c
Signature ECDSA-P384 ✓
Images Registry verified ✓
Sigstore Bundle Crypto Verified ✓
Measurements Match ✓
Release v0.0.7
Sigstore Repo tinfoilsh/confidential-deepseek-v4-pro
Enclave TLS Pin 834838d358e090a126a608a1ef01bea07afae3fc6d8f71533d66a2a53b83f750 ✓
vllm/vllm-openai:v0.22.0@sha256:0fec7ec5f3e6bc168e54899935fb0557da908a4832a1dbc88e2debcf2f889416
Security Model TEE-Terminated TLS
What This Means TLS terminates inside the attested TEE; certificate key is bound to report_data
Gemma 4 31B Intel TDX TEE-Terminated TLS Details
Image provenance incomplete Hardware evidence passed, but one or more container image pins could not be verified.
Quote Intel TDX (DCAP QVL)
TCB Level status=UpToDate, advisories=[]
Report Data 6d5a6e2b36158b0de2149ca9270f4bcb0f5212611f4fdb83d752eefe5f4154aacf7d4a95b2115f3cabd41e48dab32ba86c580427dc3b22f318e8db713aed2644
Signature ECDSA-P384 ✓
Images Verification failed ✗
Sigstore Bundle Crypto Verified ✓
Measurements Match ✓
Release v0.0.17
Sigstore Repo tinfoilsh/confidential-gemma4-31b
Enclave TLS Pin 6d5a6e2b36158b0de2149ca9270f4bcb0f5212611f4fdb83d752eefe5f4154aa ✓
ghcr.io/tinfoilsh/confidential-gemma4-31b@sha256:083c2dea550f5b1d93ac3ce0bad0e00220f02cc845e1bad1de2f38aeae8aaf84
Security Model TEE-Terminated TLS
What This Means TLS terminates inside the attested TEE; certificate key is bound to report_data
GLM 5.1 Intel TDX TEE-Terminated TLS Details
Verified All required verifier gates passed for this check.
Quote Intel TDX (DCAP QVL)
TCB Level status=UpToDate, advisories=[]
Report Data f38f31e20560c8e85ac287f8b38fcadb956b9d9583f3e5b1381c4b9ade8a27bec324ff4f230952be79746aa8da9a85591faf9b507375b9264f48c2493256025e
Signature ECDSA-P384 ✓
Images Registry verified ✓
Sigstore Bundle Crypto Verified ✓
Measurements Match ✓
Release v0.0.9
Sigstore Repo tinfoilsh/confidential-glm5-1
Enclave TLS Pin f38f31e20560c8e85ac287f8b38fcadb956b9d9583f3e5b1381c4b9ade8a27be ✓
vllm/vllm-openai:v0.22.0@sha256:0fec7ec5f3e6bc168e54899935fb0557da908a4832a1dbc88e2debcf2f889416
Security Model TEE-Terminated TLS
What This Means TLS terminates inside the attested TEE; certificate key is bound to report_data
GPT-OSS 120B Intel TDX TEE-Terminated TLS Details
Verified All required verifier gates passed for this check.
Quote Intel TDX (DCAP QVL)
TCB Level status=UpToDate, advisories=[]
Report Data 8d76f170e82d1fee347996dd1dfccbadca299e48bd80a8ff2456224052a2b41482eaf549b1464fed82c64bf625a923f9a85aaf8ade0d16bceb5fb6a125f26b5b
Signature ECDSA-P384 ✓
Images Registry verified ✓
Sigstore Bundle Crypto Verified ✓
Measurements Match ✓
Release v0.0.26
Sigstore Repo tinfoilsh/confidential-gpt-oss-120b
Enclave TLS Pin 8d76f170e82d1fee347996dd1dfccbadca299e48bd80a8ff2456224052a2b414 ✓
vllm/vllm-openai:v0.22.0@sha256:0fec7ec5f3e6bc168e54899935fb0557da908a4832a1dbc88e2debcf2f889416
Security Model TEE-Terminated TLS
What This Means TLS terminates inside the attested TEE; certificate key is bound to report_data
GPT-OSS Safeguard 120B AMD SEV-SNP TEE-Terminated TLS Details
Verified All required verifier gates passed for this check.
Quote AMD SEV-SNP (VCEK)
Policy 0x30000
Report Data 8dff9ead5e54f3905e0325f557ea51f2a7daf89f989e424b73919669373d4a1e6668665ddbf0541157ffb70e94f438ba3d34a6551112ee09e42393b9450cb031
Signature ECDSA-P384 ✓
Images Registry verified ✓
Sigstore Bundle Crypto Verified ✓
Measurements Match ✓
Release v0.0.8
Sigstore Repo tinfoilsh/confidential-gpt-oss-safeguard-120b
Enclave TLS Pin 8dff9ead5e54f3905e0325f557ea51f2a7daf89f989e424b73919669373d4a1e ✓
vllm/vllm-openai:v0.22.0@sha256:0fec7ec5f3e6bc168e54899935fb0557da908a4832a1dbc88e2debcf2f889416
Security Model TEE-Terminated TLS
What This Means TLS terminates inside the attested TEE; certificate key is bound to report_data
Kimi K2.6 Intel TDX TEE-Terminated TLS Details
Verified All required verifier gates passed for this check.
Quote Intel TDX (DCAP QVL)
TCB Level status=UpToDate, advisories=[]
Report Data 9a7d2b270f3ff4bf1b960e79a00e1b7ab9ebb44f6336c0f3dba10d40fabec120462c96eadb43f5e8e96c1cbe2fa8bca28b5aaa31fed56c053ac98a495b2b8f11
Signature ECDSA-P384 ✓
Images Registry verified ✓
Sigstore Bundle Crypto Verified ✓
Measurements Match ✓
Release v0.0.3
Sigstore Repo tinfoilsh/confidential-kimi-k2-6-b200
Enclave TLS Pin 9a7d2b270f3ff4bf1b960e79a00e1b7ab9ebb44f6336c0f3dba10d40fabec120 ✓
vllm/vllm-openai:v0.21.0-ubuntu2404@sha256:b0ac5da3f45ae5bfacb72e69b5bfd6150c22bd9cf4fc2c839400395106a5cc4e
Security Model TEE-Terminated TLS
What This Means TLS terminates inside the attested TEE; certificate key is bound to report_data
Llama 3.3 70B AMD SEV-SNP TEE-Terminated TLS Details
Verified All required verifier gates passed for this check.
Quote AMD SEV-SNP (VCEK)
Policy 0x30000
Report Data 281ad7bea31b1c428d5100ee142478e76ab48f091b84e4f9505df75b1cde68840e1d011d09c176637d27a2c2b62406d2d0795f88c0c452b4a9d561d3bbaaea3d
Signature ECDSA-P384 ✓
Images Registry verified ✓
Sigstore Bundle Crypto Verified ✓
Measurements Match ✓
Release v0.0.25
Sigstore Repo tinfoilsh/confidential-llama3-3-70b
Enclave TLS Pin 281ad7bea31b1c428d5100ee142478e76ab48f091b84e4f9505df75b1cde6884 ✓
vllm/vllm-openai:v0.22.0@sha256:0fec7ec5f3e6bc168e54899935fb0557da908a4832a1dbc88e2debcf2f889416
Security Model TEE-Terminated TLS
What This Means TLS terminates inside the attested TEE; certificate key is bound to report_data
Qwen3-VL 30B Intel TDX TEE-Terminated TLS Details
Verified All required verifier gates passed for this check.
Quote Intel TDX (DCAP QVL)
TCB Level status=UpToDate, advisories=[]
Report Data 15c6552c60ebfcbb6ca7fa9acc54355ac379d87f25d7051ad3d26d9cae1a21337120bc5b3c14e6e7fda9b9b0645d880538571fb258b04afa8505f6f06373a80b
Signature ECDSA-P384 ✓
Images Registry verified ✓
Sigstore Bundle Crypto Verified ✓
Measurements Match ✓
Release v0.0.21
Sigstore Repo tinfoilsh/confidential-qwen3-vl-30b
Enclave TLS Pin 15c6552c60ebfcbb6ca7fa9acc54355ac379d87f25d7051ad3d26d9cae1a2133 ✓
vllm/vllm-openai:v0.22.0@sha256:0fec7ec5f3e6bc168e54899935fb0557da908a4832a1dbc88e2debcf2f889416
Security Model TEE-Terminated TLS
What This Means TLS terminates inside the attested TEE; certificate key is bound to report_data
Router AMD SEV-SNP TEE-only Gateway Details
Verified All required verifier gates passed for this check.
Quote AMD SEV-SNP (VCEK)
Policy 0x30000
Report Data dafe5621ccbe3c5228029634aadaed0cd10b4f04cdf14c25cd86ddd5e15f964eaec7c76b13a09a9ce126486d81918742368fc9d4419dbe8066388da8794fbe17
Signature ECDSA-P384 ✓
Images Registry verified ✓
Sigstore Bundle Crypto Verified ✓
Measurements Match ✓
Release v0.0.106
Sigstore Repo tinfoilsh/confidential-model-router
Enclave TLS Pin 3d47e93ba9cfa10f1eed509ae3717dbf965bb21645dd77ca4d57a51dccd22129 ✗
Version v0.0.106
ghcr.io/tinfoilsh/confidential-model-router@sha256:08313282f9eaf987ebe71b4c84fcddd1ba280308395ab5ce7c1a3f70ead4f984
Security Model TEE-only Gateway
What This Means Model runs in TEE but gateway sees plaintext prompts

Venice.ai

6+8/14
Hardware verified, provenance incomplete TEE evidence passed, but source or image provenance is not fully pinned for every check.
6 verified 8 partial 0 failed 0 unavailable
Intel TDX Attested E2EE unknown-dstack
Hardware 14/14 good Freshness 14/14 good Key binding 14/14 good Workload 14/14 good Provenance 8 warning Availability 14/14 good
Image provenance incomplete 8
E2ee Gemma 4 26b A4b Uncensored P (TEE) Intel TDX Attested E2EE Details
Image provenance incomplete Hardware evidence passed, but one or more container image pins could not be verified.
Quote Intel TDX (DCAP QVL)
TCB Level status=UpToDate, advisories=[]
Report Data 2808450d167d70468c4ea267765a20ccb096319e0000000000000000000000007d853586212b36fc5397499ef4dacd8b5b329b64c19e51e91f283b16211776ef
Signature ECDSA-P384 ✓
Compose Hash Verified ✓
TCB Consistent sha256 match ✓
Confidential Channel E2EE to attested enclave key ✓
Signer Bound Yes ✓
Nonce Bound Yes ✓
Gateway TLS 08b9c0d165fbf3433870dc1c22a118da08eed65ae58aa4950fdf8dd21e98e70b (external termination)
Images 9 containers
python:3.10-slimdstacktee/vllm-proxy:v0.2.19vllm/vllm-openai:latestalpine:latestpython:3.10-slimdstacktee/vllm-proxy:v0.2.19vllm/vllm-openai:latestalpine:latesthaproxy:2.9-alpine
RTMR0 6ffe4a2c12f07eccb857f70f370a5af848a7062905cd95adc43abb1f62c39e330aa3c8aeb8f162656c025f3f527600f1
OS Image 0e09f2bcb510c682b461d16b97192c710886db582852991e05146291063f890b
Security Model Attested E2EE
What This Means Payloads are encrypted to an attested enclave key; gateway TLS termination is expected
Infrastructure unknown-dstack
E2EE Protocol ecdsa
Signing Key 041860d4f8c6e7effe4bab1d006a70bd06aa77e758aec0333fb09d2e4ebfaa1def47856afd418f45192de93ab7b3a3eb2b0c6b11f77cf52dc6b8996f937723f507
E2ee Glm 4 7 Flash P (TEE) Intel TDX Attested E2EE Details
Image provenance incomplete Hardware evidence passed, but one or more container image pins could not be verified.
Quote Intel TDX (DCAP QVL)
TCB Level status=UpToDate, advisories=[]
Report Data ea488405709f71fac7fec9448291da3873cb4d7c0000000000000000000000001baac7301d32364492d8cb1facf81c90b832f4052111acf24e48a130634435e6
Signature ECDSA-P384 ✓
Compose Hash Verified ✓
TCB Consistent sha256 match ✓
Confidential Channel E2EE to attested enclave key ✓
Signer Bound Yes ✓
Nonce Bound Yes ✓
Gateway TLS 08b9c0d165fbf3433870dc1c22a118da08eed65ae58aa4950fdf8dd21e98e70b (external termination)
Images 6 containers
dstacktee/dstack-ingress:1.2python:3.10-slimdstacktee/vllm-proxy:v0.2.19lmsysorg/sglang:v0.5.10haproxy:2.9-alpinealpine:latest
RTMR0 6ffe4a2c12f07eccb857f70f370a5af848a7062905cd95adc43abb1f62c39e330aa3c8aeb8f162656c025f3f527600f1
OS Image 021bf66a7c9fd4a05031b8fa688834948874631c2ad5b9a2d566b4421b817271
Security Model Attested E2EE
What This Means Payloads are encrypted to an attested enclave key; gateway TLS termination is expected
Infrastructure unknown-dstack
E2EE Protocol ecdsa
Signing Key 04f6687f1cc4018685d1c91febd24702fbba0837d4a1c5b581cea347b635f021ed3d9905d90224a820160c99123ccc8c2117c707e388b6a099059d91f9603f4686
E2ee Qwen3 6 35b A3b Uncensored P (TEE) Intel TDX Attested E2EE Details
Image provenance incomplete Hardware evidence passed, but one or more container image pins could not be verified.
Quote Intel TDX (DCAP QVL)
TCB Level status=UpToDate, advisories=[]
Report Data 4c4e5e69fadffb8e55c306d867dc88792bd3221d0000000000000000000000005276de8bfd3d16bc86f35b5375eb314fd47a4cf9b90840c5ba77bbcd32ae0c03
Signature ECDSA-P384 ✓
Compose Hash Verified ✓
TCB Consistent sha256 match ✓
Confidential Channel E2EE to attested enclave key ✓
Signer Bound Yes ✓
Nonce Bound Yes ✓
Gateway TLS 08b9c0d165fbf3433870dc1c22a118da08eed65ae58aa4950fdf8dd21e98e70b (external termination)
Images 9 containers
python:3.10-slimdstacktee/vllm-proxy:v0.2.19vllm/vllm-openai:latestalpine:latestpython:3.10-slimdstacktee/vllm-proxy:v0.2.19vllm/vllm-openai:latestalpine:latesthaproxy:2.9-alpine
RTMR0 6ffe4a2c12f07eccb857f70f370a5af848a7062905cd95adc43abb1f62c39e330aa3c8aeb8f162656c025f3f527600f1
OS Image 0e09f2bcb510c682b461d16b97192c710886db582852991e05146291063f890b
Security Model Attested E2EE
What This Means Payloads are encrypted to an attested enclave key; gateway TLS termination is expected
Infrastructure unknown-dstack
E2EE Protocol ecdsa
Signing Key 049964ea48411266957c8cc1fd0c641ba5b97a4d31784dd2428fd047d58c30a5d31db3521036726942e39b6748c811c1d17341d7b2d2bda16a6d5ca68a9ab0d9fe
E2ee Venice Uncensored 24b P (TEE) Intel TDX Attested E2EE Details
Image provenance incomplete Hardware evidence passed, but one or more container image pins could not be verified.
Quote Intel TDX (DCAP QVL)
TCB Level status=UpToDate, advisories=[]
Report Data 337f14bbaeaddfd6f7c9a0722f3d06574674c426000000000000000000000000923d433e054be2b8c886ae319b52f2c57649958e3e4807b375e5cedadddffbef
Signature ECDSA-P384 ✓
Compose Hash Verified ✓
TCB Consistent sha256 match ✓
Confidential Channel E2EE to attested enclave key ✓
Signer Bound Yes ✓
Nonce Bound Yes ✓
Gateway TLS 08b9c0d165fbf3433870dc1c22a118da08eed65ae58aa4950fdf8dd21e98e70b (external termination)
Images 16 containers
dstacktee/dstack-ingress:1.2dstacktee/dstack-ingress:1.2dstacktee/dstack-ingress:1.2python:3.10-slimpython:3.10-slimdstacktee/vllm-proxy:v0.2.19vllm/vllm-openai:latestdstacktee/vllm-proxy:v0.2.19vllm/vllm-openai:latestpython:3.10-slimvllm/vllm-openai:latestdstacktee/vllm-proxy:v0.2.19alpine:latesthaproxy:2.9-alpinealpine:latestalpine:latest
RTMR0 6ffe4a2c12f07eccb857f70f370a5af848a7062905cd95adc43abb1f62c39e330aa3c8aeb8f162656c025f3f527600f1
OS Image 021bf66a7c9fd4a05031b8fa688834948874631c2ad5b9a2d566b4421b817271
Security Model Attested E2EE
What This Means Payloads are encrypted to an attested enclave key; gateway TLS termination is expected
Infrastructure unknown-dstack
E2EE Protocol ecdsa
Signing Key 04b94aa42e7d246bc8b3763858fa5d57e899f9b11bbd5a57583b892a2c532eafc7ed0d52a9c7c3339488efd9eec3c944fb2533358fbff8e892d418daf0ff5bd39d
Gemma 3 27B (TEE) Intel TDX Attested E2EE Details
Image provenance incomplete Hardware evidence passed, but one or more container image pins could not be verified.
Quote Intel TDX (DCAP QVL)
TCB Level status=UpToDate, advisories=[]
Report Data a6df16ebbc510d97a32b99b4dfd33793acc90e2b000000000000000000000000e2ade4909caddb97c656dd330bbe2ca1421e7dac0849a463a3e7070ed606fd09
Signature ECDSA-P384 ✓
Compose Hash Verified ✓
TCB Consistent sha256 match ✓
Confidential Channel E2EE to attested enclave key ✓
Signer Bound Yes ✓
Nonce Bound Yes ✓
Gateway TLS 08b9c0d165fbf3433870dc1c22a118da08eed65ae58aa4950fdf8dd21e98e70b (external termination)
Images 11 containers
dstacktee/dstack-ingress:1.2dstacktee/dstack-ingress:1.2python:3.10-slimdstacktee/vllm-proxy:v0.2.19vllm/vllm-openai:v0.10.2alpine:latestpython:3.10-slimdstacktee/vllm-proxy:v0.2.19vllm/vllm-openai:v0.10.2alpine:latesthaproxy:2.9-alpine
RTMR0 6ffe4a2c12f07eccb857f70f370a5af848a7062905cd95adc43abb1f62c39e330aa3c8aeb8f162656c025f3f527600f1
OS Image e3e677dd53901c4b12ad202fedded37687944d00f9176a26605894400121bb3e
Security Model Attested E2EE
What This Means Payloads are encrypted to an attested enclave key; gateway TLS termination is expected
Infrastructure unknown-dstack
E2EE Protocol ecdsa
Signing Key 041978320ac2396640cc00f05313f920c34fce8e684daec4d4932feb1f2f51d42fa06fe9a1dfd0113089165acdb573115fb93fc87af11d58eb14431cd6dc82df1d
Gemma 4 31B (TEE) Intel TDX Attested E2EE Details
Verified All required verifier gates passed for this check.
Quote Intel TDX (DCAP QVL)
TCB Level status=UpToDate, advisories=[]
Report Data 9765596f43dd91d1467f9a370682173741786d8c000000000000000000000000b63a7fa28a78578e1717801c1f066160431979929ca4a8f66856d59228b8a53c
Signature ECDSA-P384 ✓
Compose Hash Verified ✓
TCB Consistent sha256 match ✓
Images Registry verified ✓
Confidential Channel E2EE to attested enclave key ✓
Signer Bound Yes ✓
Nonce Bound Yes ✓
Gateway TLS 08b9c0d165fbf3433870dc1c22a118da08eed65ae58aa4950fdf8dd21e98e70b (external termination)
App dstack-nvidia-0.5.5
Images 5 containers
datadog/agent@sha256:5556fb80b952832719a76b016f905616c76ee0989a239c4680c6220148e865d6certbot/dns-cloudflare@sha256:742dbd2e61c8709b930712c38958386c3cb3928e09eeb1f1e490600c127e2edbcertbot/dns-cloudflare@sha256:742dbd2e61c8709b930712c38958386c3cb3928e09eeb1f1e490600c127e2edbnearaidev/compose-manager@sha256:5165400d9eb43ab5da36986a85de0ba55f3fb4d05211c4397ecc4bde3ef0113bnearaidev/compose-manager-launcher@sha256:d652f92b64f57ef8aa086bd77a4cf932c1976965b3cea2814a7ee82fe73aa993
RTMR0 bc122d143ab768565ba5c3774ff5f03a63c89a4df7c1f5ea38d3bd173409d14f8cbdcc36d40e703cccb996a9d9687590
OS Image 9b69bb1698bacbb6985409a2c272bcb892e09cdcea63d5399c6768b67d3ff677
Security Model Attested E2EE
What This Means Payloads are encrypted to an attested enclave key; gateway TLS termination is expected
Infrastructure Phala/dstack
E2EE Protocol ecdsa
Signing Key 04323149efe98c490b9b44b517b3bd599defd1ad5a61f580ca27bfd3daedd3333eddd6e40663c9a79556897ddf9ecf9dfb937ebd3cfbac512d2a7620b3c2df09d2
GLM 4.7 (TEE) Intel TDX Attested E2EE Details
Verified All required verifier gates passed for this check.
Quote Intel TDX (DCAP QVL)
TCB Level status=UpToDate, advisories=[]
Report Data bb4d2e7ffe98eefcd9690e2139be41e92b95e33300000000000000000000000015b7cb1f849af58e8ddef66cfbf039daa8f7308e3d31daa569171571b096e909
Signature ECDSA-P384 ✓
Compose Hash Verified ✓
TCB Consistent sha256 match ✓
Images Registry verified ✓
Confidential Channel E2EE to attested enclave key ✓
Signer Bound Yes ✓
Nonce Bound Yes ✓
Gateway TLS 08b9c0d165fbf3433870dc1c22a118da08eed65ae58aa4950fdf8dd21e98e70b (external termination)
App dstack-nvidia-0.5.5
Images 5 containers
datadog/agent@sha256:5556fb80b952832719a76b016f905616c76ee0989a239c4680c6220148e865d6certbot/dns-cloudflare@sha256:742dbd2e61c8709b930712c38958386c3cb3928e09eeb1f1e490600c127e2edbcertbot/dns-cloudflare@sha256:742dbd2e61c8709b930712c38958386c3cb3928e09eeb1f1e490600c127e2edbnearaidev/compose-manager@sha256:44aa2344d68609700074a8076ed177bb1989c7f5fd1e175a13084d512be475e9nearaidev/compose-manager-launcher@sha256:171c1cffea23625628fc11038a590173745d83e3570d855e53ab5a91279f95bf
RTMR0 bc122d143ab768565ba5c3774ff5f03a63c89a4df7c1f5ea38d3bd173409d14f8cbdcc36d40e703cccb996a9d9687590
OS Image 9b69bb1698bacbb6985409a2c272bcb892e09cdcea63d5399c6768b67d3ff677
Security Model Attested E2EE
What This Means Payloads are encrypted to an attested enclave key; gateway TLS termination is expected
Infrastructure Phala/dstack
E2EE Protocol ecdsa
Signing Key 042a1c47aad08a4f47dcb67134d77b83d8a1d5c895e37e959189249e819c3939289d8c59acb07d262db3ca946d52c51ae079fde6708cb0af7e25a57d35c8e0ac30
GLM 5.1 (TEE) Intel TDX Attested E2EE Details
Verified All required verifier gates passed for this check.
Quote Intel TDX (DCAP QVL)
TCB Level status=UpToDate, advisories=[]
Report Data bb4d2e7ffe98eefcd9690e2139be41e92b95e33300000000000000000000000020a96f9ad3b4f4374cd987926d76b493a5b0566d49618f15b42bb3605b7c234e
Signature ECDSA-P384 ✓
Compose Hash Verified ✓
TCB Consistent sha256 match ✓
Images Registry verified ✓
Confidential Channel E2EE to attested enclave key ✓
Signer Bound Yes ✓
Nonce Bound Yes ✓
Gateway TLS 08b9c0d165fbf3433870dc1c22a118da08eed65ae58aa4950fdf8dd21e98e70b (external termination)
App dstack-nvidia-0.5.5
Images 5 containers
datadog/agent@sha256:5556fb80b952832719a76b016f905616c76ee0989a239c4680c6220148e865d6certbot/dns-cloudflare@sha256:742dbd2e61c8709b930712c38958386c3cb3928e09eeb1f1e490600c127e2edbcertbot/dns-cloudflare@sha256:742dbd2e61c8709b930712c38958386c3cb3928e09eeb1f1e490600c127e2edbnearaidev/compose-manager@sha256:44aa2344d68609700074a8076ed177bb1989c7f5fd1e175a13084d512be475e9nearaidev/compose-manager-launcher@sha256:171c1cffea23625628fc11038a590173745d83e3570d855e53ab5a91279f95bf
RTMR0 bc122d143ab768565ba5c3774ff5f03a63c89a4df7c1f5ea38d3bd173409d14f8cbdcc36d40e703cccb996a9d9687590
OS Image 9b69bb1698bacbb6985409a2c272bcb892e09cdcea63d5399c6768b67d3ff677
Security Model Attested E2EE
What This Means Payloads are encrypted to an attested enclave key; gateway TLS termination is expected
Infrastructure Phala/dstack
E2EE Protocol ecdsa
Signing Key 042a1c47aad08a4f47dcb67134d77b83d8a1d5c895e37e959189249e819c3939289d8c59acb07d262db3ca946d52c51ae079fde6708cb0af7e25a57d35c8e0ac30
GPT-OSS 120B (TEE) Intel TDX Attested E2EE Details
Verified All required verifier gates passed for this check.
Quote Intel TDX (DCAP QVL)
TCB Level status=UpToDate, advisories=[]
Report Data 56d070df1c6be444b007839ef9cf67cec7c12b8b0000000000000000000000004aafaabf71d8adc4c82933dd2597dae0e2f3c16bde93c47ddf2cfaf024ef4672
Signature ECDSA-P384 ✓
Compose Hash Verified ✓
TCB Consistent sha256 match ✓
Images Registry verified ✓
Confidential Channel E2EE to attested enclave key ✓
Signer Bound Yes ✓
Nonce Bound Yes ✓
Gateway TLS 08b9c0d165fbf3433870dc1c22a118da08eed65ae58aa4950fdf8dd21e98e70b (external termination)
App dstack-nvidia-0.5.5
Images 5 containers
datadog/agent@sha256:5556fb80b952832719a76b016f905616c76ee0989a239c4680c6220148e865d6certbot/dns-cloudflare@sha256:742dbd2e61c8709b930712c38958386c3cb3928e09eeb1f1e490600c127e2edbcertbot/dns-cloudflare@sha256:742dbd2e61c8709b930712c38958386c3cb3928e09eeb1f1e490600c127e2edbnearaidev/compose-manager@sha256:44aa2344d68609700074a8076ed177bb1989c7f5fd1e175a13084d512be475e9nearaidev/compose-manager-launcher@sha256:171c1cffea23625628fc11038a590173745d83e3570d855e53ab5a91279f95bf
RTMR0 bc122d143ab768565ba5c3774ff5f03a63c89a4df7c1f5ea38d3bd173409d14f8cbdcc36d40e703cccb996a9d9687590
OS Image 9b69bb1698bacbb6985409a2c272bcb892e09cdcea63d5399c6768b67d3ff677
Security Model Attested E2EE
What This Means Payloads are encrypted to an attested enclave key; gateway TLS termination is expected
Infrastructure Phala/dstack
E2EE Protocol ecdsa
Signing Key 04a31cdd4f9443ebc31cffffd688621a1807b41c2f02649881d010f881de0a5e94ddec8208161e8fa02ae3748700bf8be3333c9683d6e13e0bbe7e92ee7d2243b8
GPT-OSS 20B (TEE) Intel TDX Attested E2EE Details
Image provenance incomplete Hardware evidence passed, but one or more container image pins could not be verified.
Quote Intel TDX (DCAP QVL)
TCB Level status=UpToDate, advisories=[]
Report Data 87bc76587927c685a743beab4fd673f1d3c361cb0000000000000000000000003555c24a61b32a1e292b2d1a412c6de8517616b5098cb465e9f209d139718ec9
Signature ECDSA-P384 ✓
Compose Hash Verified ✓
TCB Consistent sha256 match ✓
Confidential Channel E2EE to attested enclave key ✓
Signer Bound Yes ✓
Nonce Bound Yes ✓
Gateway TLS 08b9c0d165fbf3433870dc1c22a118da08eed65ae58aa4950fdf8dd21e98e70b (external termination)
Images 11 containers
dstacktee/dstack-ingress:1.2dstacktee/dstack-ingress:1.2python:3.10-slimdstacktee/vllm-proxy:v0.2.19vllm/vllm-openai:v0.10.2alpine:latestpython:3.10-slimdstacktee/vllm-proxy:v0.2.19vllm/vllm-openai:v0.10.2alpine:latesthaproxy:2.9-alpine
RTMR0 6ffe4a2c12f07eccb857f70f370a5af848a7062905cd95adc43abb1f62c39e330aa3c8aeb8f162656c025f3f527600f1
OS Image e3e677dd53901c4b12ad202fedded37687944d00f9176a26605894400121bb3e
Security Model Attested E2EE
What This Means Payloads are encrypted to an attested enclave key; gateway TLS termination is expected
Infrastructure unknown-dstack
E2EE Protocol ecdsa
Signing Key 04576d32379f00ca0ea695b7075afdf892979b4e97a56bb1484ff8cec956c4a487b7cb73bd0d3c87cca131ac7bb792e86a4f246258a3748e9a25b484b69749fe62
Qwen 2.5 7B (TEE) Intel TDX Attested E2EE Details
Image provenance incomplete Hardware evidence passed, but one or more container image pins could not be verified.
Quote Intel TDX (DCAP QVL)
TCB Level status=UpToDate, advisories=[]
Report Data c577686b28bd33181132ed2df44f9712315834ce00000000000000000000000001f6692c8cbc03059cf5be6e4eb18c62cd6ce47ee0400a92cfa39144ecdab05e
Signature ECDSA-P384 ✓
Compose Hash Verified ✓
TCB Consistent sha256 match ✓
Confidential Channel E2EE to attested enclave key ✓
Signer Bound Yes ✓
Nonce Bound Yes ✓
Gateway TLS 08b9c0d165fbf3433870dc1c22a118da08eed65ae58aa4950fdf8dd21e98e70b (external termination)
Images 11 containers
dstacktee/dstack-ingress:1.2dstacktee/dstack-ingress:1.2haproxy:2.9-alpinepython:3.10-slimvllm/vllm-openai:v0.10.2dstacktee/vllm-proxy:v0.2.19alpine:latestpython:3.10-slimvllm/vllm-openai:latestdstacktee/vllm-proxy:v0.2.19alpine:latest
RTMR0 6ffe4a2c12f07eccb857f70f370a5af848a7062905cd95adc43abb1f62c39e330aa3c8aeb8f162656c025f3f527600f1
OS Image e3e677dd53901c4b12ad202fedded37687944d00f9176a26605894400121bb3e
Security Model Attested E2EE
What This Means Payloads are encrypted to an attested enclave key; gateway TLS termination is expected
Infrastructure unknown-dstack
E2EE Protocol ecdsa
Signing Key 0422facc52ae9742acbfeb2e9d03620d08464d69734b4c3c9fbbf65f11177894d659cc8510cb67f0d7694f5ed4342777b7873dc85c94edaad0b7fb68bb23f2d290
Qwen3 30B (TEE) Intel TDX Attested E2EE Details
Verified All required verifier gates passed for this check.
Quote Intel TDX (DCAP QVL)
TCB Level status=UpToDate, advisories=[]
Report Data c03b0cfc81531eb9cffca4c65aabfaf9b181ac63000000000000000000000000e695d3899337bf7fdb481e0b516337584e6383072bcf67900b48efc8077e46ae
Signature ECDSA-P384 ✓
Compose Hash Verified ✓
TCB Consistent sha256 match ✓
Images Registry verified ✓
Confidential Channel E2EE to attested enclave key ✓
Signer Bound Yes ✓
Nonce Bound Yes ✓
Gateway TLS 08b9c0d165fbf3433870dc1c22a118da08eed65ae58aa4950fdf8dd21e98e70b (external termination)
App dstack-nvidia-0.5.5
Images 5 containers
datadog/agent@sha256:5556fb80b952832719a76b016f905616c76ee0989a239c4680c6220148e865d6certbot/dns-cloudflare@sha256:742dbd2e61c8709b930712c38958386c3cb3928e09eeb1f1e490600c127e2edbcertbot/dns-cloudflare@sha256:742dbd2e61c8709b930712c38958386c3cb3928e09eeb1f1e490600c127e2edbnearaidev/compose-manager@sha256:5165400d9eb43ab5da36986a85de0ba55f3fb4d05211c4397ecc4bde3ef0113bnearaidev/compose-manager-launcher@sha256:d652f92b64f57ef8aa086bd77a4cf932c1976965b3cea2814a7ee82fe73aa993
RTMR0 bc122d143ab768565ba5c3774ff5f03a63c89a4df7c1f5ea38d3bd173409d14f8cbdcc36d40e703cccb996a9d9687590
OS Image 9b69bb1698bacbb6985409a2c272bcb892e09cdcea63d5399c6768b67d3ff677
Security Model Attested E2EE
What This Means Payloads are encrypted to an attested enclave key; gateway TLS termination is expected
Infrastructure Phala/dstack
E2EE Protocol ecdsa
Signing Key 04d33af782492ec889abc0b0a30a065bb7c06d898c0982dbd27e10d7eb9640f169f76d6ffbef9562583b225367d0262ff06750ad710aa6bc1c557662c8905783d6
Qwen3 35B (TEE) Intel TDX Attested E2EE Details
Verified All required verifier gates passed for this check.
Quote Intel TDX (DCAP QVL)
TCB Level status=UpToDate, advisories=[]
Report Data e5d0fec43b001f181a3410b96715ec54171f36da00000000000000000000000084b126b01fe180566315049530922a49d7834b2f6e19f905e3865cc9490459e9
Signature ECDSA-P384 ✓
Compose Hash Verified ✓
TCB Consistent sha256 match ✓
Images Registry verified ✓
Confidential Channel E2EE to attested enclave key ✓
Signer Bound Yes ✓
Nonce Bound Yes ✓
Gateway TLS 08b9c0d165fbf3433870dc1c22a118da08eed65ae58aa4950fdf8dd21e98e70b (external termination)
App dstack-nvidia-0.5.5
Images 5 containers
datadog/agent@sha256:5556fb80b952832719a76b016f905616c76ee0989a239c4680c6220148e865d6certbot/dns-cloudflare@sha256:742dbd2e61c8709b930712c38958386c3cb3928e09eeb1f1e490600c127e2edbcertbot/dns-cloudflare@sha256:742dbd2e61c8709b930712c38958386c3cb3928e09eeb1f1e490600c127e2edbnearaidev/compose-manager@sha256:44aa2344d68609700074a8076ed177bb1989c7f5fd1e175a13084d512be475e9nearaidev/compose-manager-launcher@sha256:171c1cffea23625628fc11038a590173745d83e3570d855e53ab5a91279f95bf
RTMR0 bc122d143ab768565ba5c3774ff5f03a63c89a4df7c1f5ea38d3bd173409d14f8cbdcc36d40e703cccb996a9d9687590
OS Image 9b69bb1698bacbb6985409a2c272bcb892e09cdcea63d5399c6768b67d3ff677
Security Model Attested E2EE
What This Means Payloads are encrypted to an attested enclave key; gateway TLS termination is expected
Infrastructure Phala/dstack
E2EE Protocol ecdsa
Signing Key 0489f03d8ed945eff27ad1053f87ece198409aff78c5c2aea3e438c460482f67ff5b900054dc129f6ce57e40e8875ceac0ddf30aeb885c28fd2c3e05bf3fbaa4d9
Qwen3-VL 30B (TEE) Intel TDX Attested E2EE Details
Image provenance incomplete Hardware evidence passed, but one or more container image pins could not be verified.
Quote Intel TDX (DCAP QVL)
TCB Level status=UpToDate, advisories=[]
Report Data a10befbf9cbef57f58a3a85ac9b6b9f5b6cffdda00000000000000000000000011b0912c266ead78dd67022fe876295522c4cd83578957c73398dfbb6fa70534
Signature ECDSA-P384 ✓
Compose Hash Verified ✓
TCB Consistent sha256 match ✓
Confidential Channel E2EE to attested enclave key ✓
Signer Bound Yes ✓
Nonce Bound Yes ✓
Gateway TLS 08b9c0d165fbf3433870dc1c22a118da08eed65ae58aa4950fdf8dd21e98e70b (external termination)
Images 11 containers
dstacktee/dstack-ingress:1.2dstacktee/dstack-ingress:1.2haproxy:2.9-alpinepython:3.10-slimvllm/vllm-openai:v0.10.2dstacktee/vllm-proxy:v0.2.19alpine:latestpython:3.10-slimvllm/vllm-openai:latestdstacktee/vllm-proxy:v0.2.19alpine:latest
RTMR0 6ffe4a2c12f07eccb857f70f370a5af848a7062905cd95adc43abb1f62c39e330aa3c8aeb8f162656c025f3f527600f1
OS Image e3e677dd53901c4b12ad202fedded37687944d00f9176a26605894400121bb3e
Security Model Attested E2EE
What This Means Payloads are encrypted to an attested enclave key; gateway TLS termination is expected
Infrastructure unknown-dstack
E2EE Protocol ecdsa
Signing Key 04ebfcaac2df73f15c9d60a76bf03078ba3c93b8b6c44f039570a5d0223201fc82887770f8ebce89f12a4b0ce541af84b67b7e4e02b204b202e3131359ba13c1e4

Shared Infrastructure

These providers share the same physical TEE infrastructure:

Phala/dstack NanoGPT · NEAR AI · Redpill · Venice.ai
unknown-dstack NanoGPT · Redpill · Venice.ai
unknown-dstack NanoGPT · Redpill · Venice.ai
unknown-dstack NanoGPT · Redpill · Venice.ai
unknown-dstack NanoGPT · Redpill
unknown-dstack Redpill · Venice.ai
unknown-dstack Redpill · Venice.ai

Verification Methodology

Tinfoil Enclaves

Fetches .well-known/tinfoil-attestation from each enclave. The response contains a gzipped, base64-encoded hardware quote. For TDX enclaves, the quote is verified through Intel DCAP Quote Verification Library (dcap-qvl) using Intel PCS collateral (override via PCCS_URL if needed). For SNP enclaves, the report is verified against AMD KDS VCEK certificates with builtin ARK/ASK roots. TLS certificate SPKI fingerprints are compared to the attested report_data.

Venice.ai / Redpill / NEAR AI (dstack)

All three providers use the same dstack attestation format. Venice returns a direct attestation; Redpill and NEAR AI return a two-layer format (gateway + model attestations). In all cases, the raw intel_quote hex is parsed as a TDX quote and verified via dcap-qvl using Intel PCS collateral (or PCCS_URL override). The quote-bound tcb_info.app_compose hash is recomputed and compared to tcb_info.compose_hash; when compose-manager actions_hash evidence is present, that is recomputed too. Provider server_verification and verified fields are completely ignored.

NVIDIA GPU Attestation

GPU evidence payloads are submitted to NVIDIA's NRAS (NVRemote Attestation Service) which returns a signed JWT. The JWT signature is verified against NRAS's JWKS, the issuer is pinned to nras.attestation.nvidia.com, and the eat_nonce is checked against the request nonce. NRAS currently rejects dstack/Phala GPU evidence (unsupported architecture), so GPU verification is reported separately from TDX.

Chutes / Maple / Privatemode / Other Providers

Chutes is verified by fetching a live TEE chute's evidence endpoint, verifying the Intel TDX quote with dcap-qvl, and checking that report_data binds the verifier nonce plus the ML-KEM E2E public key. Maple is verified only when its AWS Nitro attestation document passes certificate-chain, COSE signature, nonce, and public-key checks. Privatemode is verified through the local Privatemode proxy path; its public Contrast manifest alone is reference material. PPQ is not counted as verified from liveness alone.