Livy Documentation

Livy Flow

Public verification model for Livy attestations and provenance.

Scope

This page describes the public Livy verification model:

  • livy-tee for quote generation and local verification helpers.
  • A Livy runtime that executes compute and emits proofs.
  • Intel Trust Authority (ITA) for quote appraisal and signed token issuance.

Users should not need to implement attestation infrastructure themselves. The runtime is accessed through an SDK, while the hash model and proof format stay public and independently verifiable.

Components

| Component | Responsibility |
| --- | --- |
| User / SDK Client | Sends input and receives proof artifacts |
| livy-tee | Builds 64-byte runtime data, produces the TDX quote, verifies quote bindings |
| Livy Runtime | Runs business logic and returns proof artifacts via SDK |
| Intel TDX hardware | Hardware root for quote generation |
| Intel Trust Authority | Verifies the quote and returns a signed ita_token |

End-to-End Sequence

What the User Receives

Livy can expose two proof levels from the same computation:

  1. Minimal user proof (user_attestation.json), intended for lightweight verification and recomputation checks.
  2. Full attestation bundle (attestation.json + per-attestation files), intended for deep audit, replay analysis, and graph tracing.

Both are derived from the same runtime data and quote, so they stay cryptographically consistent.

Verification Model

A verifier can recompute and validate with only public artifacts, without trusting Livy storage:

  1. Recompute payload commitment from input and output.
  2. Rebuild the 64-byte runtime data structure.
  3. Confirm runtime data binding inside quote report data.
  4. Validate ITA token signature and claims.
  5. Check measurement and policy expectations.

If all checks pass, the verifier knows the claimed output is bound to a real TDX attestation and the expected measured binary.

This is the same model demonstrated in livy-example, where proof files can be pulled and verified end to end by a third party.
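
Steps 1 to 3 and the measurement part of step 5, as an added example (not code from livy-tee or the Livy project). The runtime data layout, the nonce, and all function names are assumptions, since this page does not specify them; the field offsets are those of a version 4 TDX quote.

```python
import hashlib
import hmac

# ASSUMED for illustration (this page does not give the real layout):
#   runtime_data = SHA-256(SHA-256(input) || SHA-256(output)) || 32-byte nonce
# TDX quote v4 layout: 48-byte header followed by a 584-byte TD report body.
HEADER_LEN, BODY_LEN = 48, 584
MRTD = slice(HEADER_LEN + 136, HEADER_LEN + 184)         # 48-byte TD measurement
REPORT_DATA = slice(HEADER_LEN + 520, HEADER_LEN + 584)  # 64-byte REPORTDATA


def build_runtime_data(input_bytes, output_bytes, nonce):
    """Steps 1-2: recompute the payload commitment and rebuild the 64 bytes."""
    if len(nonce) != 32:
        raise ValueError("nonce must be 32 bytes")
    h_in = hashlib.sha256(input_bytes).digest()
    h_out = hashlib.sha256(output_bytes).digest()
    return hashlib.sha256(h_in + h_out).digest() + nonce


def verify_binding(quote, input_bytes, output_bytes, nonce, expected_mrtd):
    """Steps 3 and 5: return the list of failed checks (empty means pass)."""
    if len(quote) < HEADER_LEN + BODY_LEN:
        return ["quote too short"]
    failures = []
    version = int.from_bytes(quote[0:2], "little")
    tee_type = int.from_bytes(quote[4:8], "little")
    if (version, tee_type) != (4, 0x81):  # v4 quote, TEE type TDX
        failures.append("not a v4 TDX quote")
    expected = build_runtime_data(input_bytes, output_bytes, nonce)
    if not hmac.compare_digest(quote[REPORT_DATA], expected):
        failures.append("report_data mismatch")
    if not hmac.compare_digest(quote[MRTD], expected_mrtd):
        failures.append("mrtd mismatch")
    return failures


def make_constructed_quote(runtime_data, mrtd):
    """Constructed sample: zero-filled, unsigned quote with three fields set."""
    q = bytearray(HEADER_LEN + BODY_LEN)
    q[0:2] = (4).to_bytes(2, "little")
    q[4:8] = (0x81).to_bytes(4, "little")
    q[MRTD], q[REPORT_DATA] = mrtd, runtime_data
    return bytes(q)
```

A byte match alone says nothing about authenticity: the quote signature and the ITA token (step 4) still have to be validated before the result is trusted.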

Client Device Signals

Client-side checks (for example Apple App Attest / DeviceCheck) can be attached as additional input signals, but they are not the cryptographic trust root for computation correctness. The trust root for provenance remains Intel TDX attestation plus ITA appraisal.

How Provenance Is Proven

Provenance is not a claim by Livy. It is a recomputable chain:

  1. Each attestation commits to deterministic hashes in 64-byte runtime data.
  2. Each runtime data payload is bound into a hardware quote.
  3. Verifiers can chain multiple attestations by matching committed values across artifacts.

Because each step is hash-linked and independently verifiable, a third party can confirm lineage from artifacts alone.

Extension Points (Integration-Friendly)

The Livy core keeps stable interfaces where third-party systems can attach:

  • At proof consumption time: ingest user_attestation.json for simple checks.
  • At audit time: ingest full bundles for independent policy engines.
  • At lineage time: consume attestation chains for reputation, identity, or distribution workflows.

No integration-specific logic is required in the attestation generation path to support these later.