TDX Utils (Flashbots)

Utilities for Intel TDX attestation collection and serving, plus infra automation to build and deploy a Google Cloud Confidential VM image.

Repos & Structure

  • app/ – Rust binary tdx-utils that:
    • Collects attestation via gotpm and prints pretty JSON
    • Runs an HTTP server at /attest, /attest.bin, and /metrics
    • Optionally integrates process data when started with --pid <PID>
  • infra/ – Packer template and scripts to build and deploy a GCP CVM (Intel TDX)
    • Packer installs gotpm, op-rbuilder, and the tdx-utils release artifact
    • Scripts to deploy a Spot TDX VM and run startup flavors (test/stage/prod)

Quickstart (Local)

Requirements:

  • Rust toolchain
  • gotpm installed and available in PATH

Build the binary:

cd app
cargo build --release

Run once and print JSON:

./target/release/tdx-utils

Serve HTTP (pretty JSON page at /attest):

./target/release/tdx-utils serve

Integrate process data (PID):

./target/release/tdx-utils serve --pid 1234

HTTP endpoints:

  • GET /attest?nonce=<hex> – HTML page with pretty JSON; nonce is a hex string of at most 32 characters
  • GET /attest.bin?nonce=<hex> – raw attestation protobuf bytes (same nonce rules)
  • GET /metrics – OpenMetrics output, including process data details when --pid is set

For details, see app/README.md.
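The following is an added example of a client-side fetch script, not code from the flashbots-tdx repository: it generates a fresh 32-hex-char nonce (the maximum the /attest endpoints accept), checks the nonce against that documented constraint before sending it, and saves the raw protobuf from /attest.bin for a verifier. The server base URL is an assumption passed by the caller, since the README does not state the listen address or port.

```shell
# Added example for the tdx-utils HTTP endpoints (not part of the repository).
# Assumption: a `tdx-utils serve` instance is reachable at the base URL the
# caller passes to fetch_attestation, e.g. http://127.0.0.1:<port>.

# Generate a caller-chosen nonce: 16 random bytes rendered as 32 hex characters,
# the longest nonce the /attest endpoints accept. Using a fresh nonce per request
# is what lets a verifier bind the returned attestation to this request instead
# of accepting a replayed older one.
make_nonce() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Enforce the documented constraint client-side: non-empty, hex digits only,
# and no longer than 32 characters. Returns 0 when valid, 1 otherwise.
valid_nonce() {
    case "$1" in
        '') return 1 ;;
        *[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# Fetch the raw attestation protobuf bytes for a nonce into a file.
# Usage: fetch_attestation <base_url> <nonce> <output_file>
fetch_attestation() {
    base_url="$1"; nonce="$2"; out="$3"
    if ! valid_nonce "$nonce"; then
        echo "rejecting nonce '$nonce': must be 1-32 hex characters" >&2
        return 1
    fi
    # -f makes curl fail on HTTP errors instead of saving an error page as a quote.
    curl -fsS "${base_url}/attest.bin?nonce=${nonce}" -o "$out" || return 1
    # A zero-byte body is never a usable attestation; treat it as a failure.
    [ -s "$out" ]
}

# Example invocation (requires a running server):
#   nonce="$(make_nonce)"
#   fetch_attestation "$TDX_UTILS_URL" "$nonce" "attestation-${nonce}.bin"
```

Keep the nonce you generated alongside the saved .bin so the verifier that parses the protobuf can confirm the attestation was produced for that request.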

Infra

Build GCP CVM image with Packer (needs GCP WIF setup and GITHUB_TOKEN): see infra/README.md.

Deploy an instance from the latest image and run startup flavor:

export PROJECT_ID=<your-project>
export IMAGE_NAME=<gce-image-name>
export STARTUP_SCRIPT=infra/scripts/startup/stage.sh
./infra/scripts/deploy-cvm.sh

CI/CD

  • App build and release: .github/workflows/app-build.yml
  • Packer build (image): .github/workflows/packer-build.yml
  • CD Deploy CVM: .github/workflows/cd-deploy.yml

These use Workload Identity Federation to access GCP.