Hardware-attested PayPal OAuth service on GCP Confidential VM (AMD SEV-SNP). Built for 100% bit-by-bit reproducibility and a mathematically unbroken chain of trust from AMD silicon to GitHub provenance.
Live endpoint: https://login.airma.de
| Component | Status |
|---|---|
| Base OS (Debian 13 Trixie, pinned snapshot) | ✅ Stable |
| Binary TPM TPMS_ATTEST Parsing | ✅ Fully Verified |
| PCR Composite Digest Verification | ✅ Fully Verified |
| PCR 15 Software Manifest Binding | ✅ Fully Verified |
| Google EK Certificate (NVRAM, 1560 bytes) | ✅ Fully Retrieved |
| Silicon Anchor: EK Cert Issuer Verification | ✅ Fully Verified |
| Embedded TLS Pinning (no filesystem trust) | ✅ Hardened |
| Pinned HTTPS Time Sync + RTC Pre-seed | ✅ Hardened |
| Atomic Reproducible Build | ✅ Achieved |
| GitHub Sigstore Supply Chain Provenance | ✅ Achieved |
All cryptographic audit checks pass end-to-end in verify.html:
- ✅ Enclave Identity Signature — RSA-4096 signature over canonicalized JSON report
- ✅ PayPal Identity Binding — Session nonce = SHA-256(user_hash ∥ pubkey_hash)
- ✅ TPM Hardware Proof — Binary `TPMS_ATTEST` parsed; session AK signature, nonce, and PCR composite hash all verified
- ✅ Silicon Root of Trust — Google EK Certificate retrieved from NVRAM `0x01c00002`; issuer verified as `EK/AK CA Intermediate` under Google's CA hierarchy; instance identity decoded from subject fields
- ✅ GitHub Build Provenance — Sigstore attestation confirms binary + image atomicity + PCR 15 binding
- ✅ TLS Certificate Binding — Optional: confirms browser connection matches signed report
```text
GitHub Sigstore Provenance
  └─► disk_manifest SHA-256
        └─► PCR 15 (measured at boot into hardware TPM)
              └─► PCR Composite Hash (SHA-256 of PCRs 0,4,8,9,15)
                    └─► TPMS_ATTEST (Session AK-signed: PCR composite + session nonce)
                          └─► Session Nonce
                                └─► PayPal Identity + Enclave Public Key

Google EK Certificate (NVRAM 0x01c00002, Google-signed, permanent)
  └─► Proves: this is a real GCP Confidential VM running AMD SEV-SNP silicon
```
Key insight: The Google EK Certificate and the TPM Quote signing key (session AK) are two separate keys. The EK cert proves hardware identity; the session AK proves measurement integrity for this specific session. This is the correct TPM 2.0 attestation model.
The entire stack is built in a deterministic multi-stage Docker pipeline producing a bit-perfect disk.tar.gz that matches GitHub Actions provenance.
```bash
docker build -f Dockerfile.repro -t paypal-auth-vm-repro .
```

```bash
bash deploy-gcp.sh
```

This script: rotates EAB keys → builds the image locally → uploads to GCS → registers GCP custom image → tears down old VM → provisions new SEV-SNP Confidential VM.
The browser-based auditor performs a 6-stage cryptographic validation entirely in-browser using WebCrypto — no server trust required.
Recommended: local air-gapped verification
```bash
# 1. Capture TLS certificate from the live endpoint
echo | openssl s_client -connect login.airma.de:443 -showcerts \
  | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > cert.pem
# 2. After PayPal login, download the attestation report from the callback page
# 3. Open verify.html locally, upload report + cert, click Audit
```

| File | Purpose |
|---|---|
| `src/main.rs` | Rust PID 1: DHCP, TPM attestation, ACME TLS, PayPal OAuth, report signing |
| `src/google_ca.pem` | Embedded Google Root CA (compiled into binary via `include_bytes!`) |
| `src/paypal.pem` | Embedded PayPal Root CA (compiled into binary via `include_bytes!`) |
| `verify.html` | Browser auditor: binary TPM parser, DER cert decoder, WebCrypto, GitHub API |
| `deploy-gcp.sh` | End-to-end deployment (EAB rotation → build → GCS → GCP VM) |
| `Dockerfile.repro` | Multi-stage reproducible build (Debian Trixie pinned snapshots) |
| `build-initramfs-tools.sh` | Initramfs construction with kernel module selection |
| `build-gcp-gpt-image.sh` | GPT disk image assembly (ESP + GRUB + measured boot) |
| `.github/workflows/` | Sigstore provenance attestation for all build artifacts |
| `AGENTS.md` | Security architecture, chain of trust, known constraints, and implementation notes |
- PID 1 Isolation: The Rust binary is the only process. No shell, no cron, no systemd. All whitelisted binaries (TPM tools, `nft`, `ip`) are statically resolved at build time.
- Embedded TLS Roots: `google_ca.pem` and `paypal.pem` are compiled directly into the binary with `include_bytes!`. No filesystem CA store is trusted.
- Kernel Egress Firewall: `nftables` ruleset loaded at boot; only DNS (53), metadata (169.254.169.254), and HTTPS (443) egress permitted.
- TPM-Sealed DEK: A random Data Encryption Key is sealed to PCR policy (0,4,8,9,15) using the owner-hierarchy primary. Any modification to measured boot components breaks the seal.
- One-Shot Attestation: Each attestation report is signed with a freshly-generated RSA-4096 key (loaded from GCP Secret Manager). The nonce cryptographically binds the report to one specific PayPal session.
- Two-Key Silicon Anchor: The hardware identity (Google EK Certificate, permanent, NVRAM) is decoupled from the session signing key (session AK, ephemeral, created per-attestation). Neither key alone is sufficient; both are required to pass the audit.
Example output from verify.html after a successful audit:

```text
✅ Enclave Identity Signature — Report signature verified.
✅ PayPal Identity Binding — Identity cryptographically hashed.
✅ TPM Hardware Proof — TPM Quote, Nonce, and PCR Digest verified.
✅ Silicon Root of Trust — Google Confidential Hardware Verified
   EK Cert Issuer: EK/AK CA Intermediate (Google LLC)
   Hardware Identity: europe-west4-a · paypal-auth-vm-v60
✅ GitHub Build Provenance — Binary + Image Atomicity + PCR 15 hardware binding
✅ TLS Certificate Binding — TLS channel bound.
```