Client Implementation
Frontends interface with the Private Ephemeral Rollup (PER) using three concepts: attestation, client challenges, and access tokens.- Attestation: Verify the RPC is running on secure hardware by sending a challenge and validating the returned TDX quote.
- Client Challenges: Prove ownership of a public key to obtain an authorization token for permissioned state.
- Access: Provide the token as a query parameter when constructing a connection to query state.
Attestation
The frontend performs Intel TDX quote verification to attest that the ER server runs on genuine secure hardware. This is executed viaverifyTeeRpcIntegrity
.
- Generate a random 32-byte challenge and encode it as base64
- Send the challenge to the TEE RPC server to receive a TDX quote
- Fetch collateral (certificates) via PCCS for the quote
- Verify the quote using the DCAP QVL WASM module against the collateral and current time
Client Challenge Flow
- Request a challenge from the RPC, parameterized by the wallet public key
- Sign the received challenge using the corresponding keypair
- Submit the signed challenge and receive an authorization token on success
Access
Pass the authorization token as a query parameter when creating a connection.TEE Ephemeral Rollup DevNet endpoint: https://tee.magicblock.app/