TEE & Privacy
Remote attestation, model integrity, log redaction, and encrypted model loading
A3S Power is designed to run inside Trusted Execution Environments (TEE) with hardware-enforced memory encryption. This page covers the privacy and attestation features.
TEE Detection
Power auto-detects the TEE environment at startup.

Enable TEE mode in config:

```toml
tee_mode = true
redact_logs = true
```

Or via environment:

```bash
A3S_POWER_TEE_MODE=1 a3s-power serve

# Development simulation:
A3S_TEE_SIMULATE=1 a3s-power serve
```

Model Integrity Verification
When tee_mode = true and model_hashes is configured, Power verifies the SHA-256 hash of every model file at startup. The server refuses to start if any model fails verification.

```toml
tee_mode = true
model_hashes = {
    "llama3.2:3b" = "sha256:a1b2c3d4e5f6..."
    "qwen2.5:7b" = "sha256:def456..."
}
```

On success the startup log shows:

```
INFO TEE mode enabled tee_type="sev-snp"
INFO Model integrity verified model="llama3.2:3b"
INFO All model integrity checks passed count=2
```

Remote Attestation
GET /v1/attestation generates a cryptographic proof that inference is running inside a genuine TEE.

```bash
# Basic attestation
curl http://localhost:11434/v1/attestation

# With client nonce (prevents replay attacks)
curl "http://localhost:11434/v1/attestation?nonce=deadbeef01234567"

# Bind to a specific model (ties attestation to model SHA-256)
curl "http://localhost:11434/v1/attestation?model=llama3.2:3b"
```

When ?model=<name> is provided, the report_data layout is [nonce(32 bytes)][model_sha256(32 bytes)] — cryptographically tying the attestation to the specific model being served. The nonce only protects against replay if the client checks that the value it sent is present in report_data before accepting the report.

```json
{
  "tee_type": "sev-snp",
  "report": "<base64-raw-report>",
  "report_data": "<hex-64-bytes>",
  "measurement": "<hex-48-bytes>",
  "timestamp": "2026-02-21T00:00:00Z"
}
```

Returns 503 if TEE is not enabled.
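The two checks above (model hash verification and nonce/model binding of the attestation) are small enough to mirror on the client side. The following Python is an added example, not part of A3S Power: it hashes model files the way the startup check does and compares them against a model_hashes-style map, then rebuilds the 64-byte report_data a client expects for a request with ?nonce= and ?model= and compares it with the response. The padding rule for a client nonce shorter than 32 bytes (left-aligned, zero-padded) and the sample model file are assumptions; verifying the report's signature against the TEE vendor's certificate chain is a separate step not shown here.

```python
"""Client-side model-integrity and attestation-binding checks (added example).

Assumptions, not taken from A3S Power:
  * model_hashes values look like "sha256:<hex>", as in the config above;
  * report_data = nonce(32 bytes) || model_sha256(32 bytes), with a shorter
    client nonce left-aligned and zero-padded to 32 bytes.
"""
import hashlib
import os
import tempfile


def sha256_file(path: str) -> str:
    """Hex SHA-256 of a file, streamed in 1 MiB chunks because model files are large."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_model_hashes(model_paths: dict, model_hashes: dict) -> list:
    """Return the names of models whose on-disk hash does not match the configured one.

    model_paths:  model name -> path on disk
    model_hashes: model name -> "sha256:<hex>" (same shape as the TOML config)
    A missing file or an unknown algorithm prefix also counts as a failure.
    """
    failures = []
    for name, expected in model_hashes.items():
        algo, _, digest = expected.partition(":")
        if algo != "sha256" or name not in model_paths:
            failures.append(name)
            continue
        if sha256_file(model_paths[name]) != digest.lower():
            failures.append(name)
    return failures


def expected_report_data(nonce_hex: str, model_sha256_hex: str) -> bytes:
    """Rebuild the 64-byte report_data a client expects for ?nonce=...&model=..."""
    nonce = bytes.fromhex(nonce_hex)
    if len(nonce) > 32:
        raise ValueError("nonce longer than 32 bytes")
    nonce = nonce.ljust(32, b"\x00")  # assumed padding rule for short nonces
    return nonce + bytes.fromhex(model_sha256_hex)


def attestation_binds(resp: dict, nonce_hex: str, model_sha256_hex: str) -> bool:
    """True if the response's report_data carries both our nonce and the model hash."""
    try:
        got = bytes.fromhex(resp["report_data"])
    except (KeyError, ValueError):
        return False
    return got == expected_report_data(nonce_hex, model_sha256_hex)


def demo() -> dict:
    """Constructed end-to-end run on a fake model file (not a real GGUF)."""
    tmp = tempfile.mkdtemp()
    path = os.path.join(tmp, "demo.gguf")
    with open(path, "wb") as f:
        f.write(b"constructed model bytes, not a real model file")
    digest = sha256_file(path)
    config = {"demo": "sha256:" + digest, "tampered": "sha256:" + "0" * 64}
    paths = {"demo": path, "tampered": path}
    nonce = "deadbeef01234567"
    # Stand-in for a server response to ?nonce=deadbeef01234567&model=demo
    good = {"report_data": expected_report_data(nonce, digest).hex()}
    return {
        "failures": verify_model_hashes(paths, config),       # ['tampered']
        "binds": attestation_binds(good, nonce, digest),       # True
        "replayed": attestation_binds(good, "00" * 8, digest),  # False: other nonce
    }


if __name__ == "__main__":
    print(demo())
```

The replayed case is the point of the nonce: a report captured from an earlier request carries the old nonce in report_data and fails the comparison, so it cannot be presented as fresh.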
Log Redaction
When redact_logs = true, the PrivacyProvider strips inference content from all log output:

```jsonc
// Before redaction:
{"content": "tell me a secret", "model": "llama3"}

// After redaction:
{"content": "[REDACTED]", "model": "llama3"}
```

Redacted JSON keys: content, prompt, text, arguments, input, delta, system, message, query, instruction.

Error messages that echo prompt content are also sanitized. When suppress_token_metrics = true, token counts in responses are rounded to the nearest 10, so exact token counts cannot be used as a side channel.
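The redaction rule above is simple to state but easy to get wrong on real log lines, where the sensitive keys sit inside nested objects (a messages array, a streaming delta). The following Python is an added example, not the PrivacyProvider implementation: it applies the page's key list recursively, passes non-JSON lines through untouched, strips an echoed prompt from an error string, and rounds token counts to the nearest 10. The recursive walk, dropping whole subtrees under a redacted key, and half-up rounding are assumptions about the behaviour; the sample log lines are constructed.

```python
"""Log redaction and token-count rounding (added example, not A3S Power code)."""
import json

# Key list from the documentation above.
REDACTED_KEYS = frozenset({
    "content", "prompt", "text", "arguments", "input",
    "delta", "system", "message", "query", "instruction",
})
PLACEHOLDER = "[REDACTED]"

# Constructed sample log lines: flat, nested (chat + streaming delta), and non-JSON.
SAMPLE_LINES = [
    '{"content": "tell me a secret", "model": "llama3"}',
    '{"model": "llama3", "messages": [{"role": "user", "content": "pw is hunter2"}], '
    '"delta": {"content": "x"}}',
    'INFO TEE mode enabled tee_type="sev-snp"',
]


def redact(value):
    """Copy of `value` with every redacted key's value replaced by the placeholder.

    Whole subtrees under a redacted key are replaced (e.g. a `delta` object), since
    any part of them may carry prompt or completion text. Lists are walked so that
    messages[].content is caught too (assumed behaviour).
    """
    if isinstance(value, dict):
        return {k: PLACEHOLDER if k in REDACTED_KEYS else redact(v)
                for k, v in value.items()}
    if isinstance(value, list):
        return [redact(item) for item in value]
    return value


def redact_log_line(line: str) -> str:
    """Redact one JSON log line; lines that are not JSON are returned unchanged."""
    try:
        obj = json.loads(line)
    except json.JSONDecodeError:
        return line
    return json.dumps(redact(obj), separators=(",", ":"))


def sanitize_error(msg: str, prompt: str) -> str:
    """Remove an echoed prompt from an error message before it is logged."""
    return msg.replace(prompt, PLACEHOLDER) if prompt else msg


def round_tokens(n: int) -> int:
    """Round a token count to the nearest 10, halves up (suppress_token_metrics = true)."""
    return (n + 5) // 10 * 10


def demo() -> list:
    """Redact the constructed sample lines."""
    return [redact_log_line(line) for line in SAMPLE_LINES]


if __name__ == "__main__":
    for before, after in zip(SAMPLE_LINES, demo()):
        print(before, "->", after)
    print(round_tokens(123), round_tokens(127))
```

Note that the rounding happens on the count itself, so a client cannot recover the exact value from the response; the bucket size (10) is what bounds the remaining leakage.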
Memory Zeroing
All inference buffers are wrapped in SensitiveString which auto-zeroizes on drop. Model weights are zeroed when a model is unloaded or evicted.
Encrypted Model Loading
Model files can be encrypted with AES-256-GCM. Power decrypts them at load time and securely wipes the plaintext on unload.

```toml
# Key from file
model_key_source = { file = "/secure/model.key" }

# Key from environment variable
model_key_source = { env = "MODEL_DECRYPT_KEY" }

# Decrypt entirely in mlock-pinned RAM (never writes plaintext to disk)
in_memory_decrypt = true
```

Key Rotation

```toml
key_provider = "rotating"
key_rotation_sources = [
    { env = "MODEL_KEY_NEW" },
    { env = "MODEL_KEY_OLD" }
]
```

Deploy the new key, call rotate_key(), then remove the old key — zero downtime.
RA-TLS Transport
When ra_tls = true, the TLS certificate includes the TEE attestation report as a custom X.509 extension (OID 1.3.6.1.4.1.56560.1.1). Clients can extract and verify this extension to confirm they are communicating with a genuine TEE before trusting inference output.
```toml
tee_mode = true
tls_port = 11443
ra_tls = true
```

Requires the tls feature: cargo build --features tls.
Vsock Transport
For a3s-box MicroVM deployments, Power can listen on an AF_VSOCK socket instead of (or in addition to) TCP. This enables guest-host communication without any network configuration inside the VM.
```toml
vsock_port = 4088
```

Requires the vsock feature (Linux only): cargo build --features vsock.
Health Status
The /health endpoint exposes TEE status:
```json
{
  "status": "ok",
  "version": "0.2.0",
  "uptime_seconds": 120,
  "loaded_models": 1,
  "tee": {
    "enabled": true,
    "type": "sev-snp",
    "models_verified": true
  }
}
```