Livy Documentation

livy-example Model

Conceptual view of how livy-tee attestation works, using livy-example artifacts.

livy-example is a demo of the livy-tee verification model.
It is not important as a deployment pattern; it is useful because it exposes the exact artifacts a third party needs to recompute and verify claims independently.

Core Idea

livy-tee binds computation to attestation in two layers:

  1. Input/output commitment: payload_hash = SHA-256(SHA-256(input) || SHA-256(output))
  2. Quote binding: quote_report_data = SHA-512(nonce_val || nonce_iat || runtime_report_data)

The first layer proves what was computed.
The second layer proves that this commitment was carried inside a real TDX quote appraised by ITA.

What runtime_report_data Contains

runtime_report_data is always 64 bytes and includes:

  • payload_hash (32 bytes)
  • build_id (8 bytes)
  • version_code (4 bytes)
  • build_number (4 bytes)
  • nonce (8 bytes)
  • reserved bytes (8 bytes)

This 64-byte structure is the portable commitment that verifiers can recompute.

What the Demo Outputs

From livy-example, the minimal verifier package is user_attestation.json.
It includes enough material to validate bindings without Livy-hosted state:

  • input/output-related commitment data
  • runtime_report_data
  • raw quote
  • ITA token (when available)
  • ITA verifier nonce parts (val, iat)

The demo also emits richer files (full_attestations.json, per-attestation files), but the key point is that minimal verification remains possible from public artifacts.

How Verification Works (Conceptually)

Verification is a recomputation, not a trust decision:

  1. Recompute payload_hash from input/output and compare with runtime_report_data[0..32].
  2. Recompute SHA-512(nonce_val || nonce_iat || runtime_report_data).
  3. Compare that value to quote REPORTDATA bytes.
  4. If ITA token is present, check its signature and confirm token tdx_report_data matches quote REPORTDATA.

When these checks match, the verifier has cryptographic evidence that the claimed output is bound to the attested execution.

Why This Matters

The model keeps verification open:

  • Any party can rerun checks with the same formulas.
  • No private Livy database is required for basic proof validation.
  • The same artifact format can be consumed by other systems later without changing attestation semantics.

Livy Flow

Public verification model for Livy attestations and provenance.