Attestable MCP Server
An MCP server that runs inside a trusted execution environment (TEE) using Intel SGX and Gramine, providing remote attestation through RA-TLS, which allows MCP clients to cryptographically verify the integrity of the server code before connecting.
Installation
From Source Code with Docker and Gramine
uv sync
docker build -t attestable-mcp-server .
gramine-sgx-gen-private-key
git clone https://github.com/gramineproject/gsc docker/gsc
cd docker/gsc
uv run ./gsc build-gramine --rm --no-cache -c ../gramine_base.config.yaml gramine_base
uv run ./gsc build -c ../attestable-mcp-server.config.yaml --rm attestable-mcp-server ../attestable-mcp-server.manifest
uv run ./gsc sign-image -c ../attestable-mcp-server.config.yaml attestable-mcp-server "$HOME"/.config/gramine/enclave-key.pem
uv run ./gsc info-image gsc-attestable-mcp-server
Running on Secure Hardware
docker run -it --device=/dev/sgx_provision:/dev/sgx/provision --device=/dev/sgx_enclave:/dev/sgx/enclave -v /var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket -p 8000:8000 --rm gsc-attestable-mcp-server
Running on Local Machine for Development
docker run -p 8000:8000 --rm gsc-attestable-mcp-server
Features
- MCP clients can remotely attest code running on any MCP server
- MCP servers can optionally remotely attest MCP clients
- Uses RA-TLS protocol for client-server remote attestation
- Embeds SGX quote in X.509 certificate extension field
- Generates signed attestation of code running inside TEE
- Docker images signed by GitHub Actions
- Independent verification possible with or without secure hardware
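The client-side policy check behind these features, as an added example that is not part of the project's code: once the SGX quote has been taken from the certificate extension and its signature verified by a DCAP verifier (not shown), the client pins MRENCLAVE, rejects debug enclaves, and checks that the quote binds the TLS key. Assumptions: the offsets follow Intel's `sgx_report_body_t` layout, the first 32 bytes of `report_data` hold a SHA-256 hash of the certificate's public key, and all function names and sample values are hypothetical or constructed.

```python
import hmac
import struct

# Offsets into an SGX quote: 48-byte header, then the 384-byte report body.
HEADER_LEN = 48
BODY_LEN = 384
OFF_ATTR_FLAGS = HEADER_LEN + 48    # uint64 LE attribute flags
OFF_MRENCLAVE = HEADER_LEN + 64     # 32 bytes
OFF_MRSIGNER = HEADER_LEN + 128     # 32 bytes
OFF_REPORT_DATA = HEADER_LEN + 320  # 64 bytes
SGX_FLAGS_DEBUG = 0x2


def parse_quote(quote: bytes) -> dict:
    """Extract the fields a relying party pins from a raw quote."""
    if len(quote) < HEADER_LEN + BODY_LEN:
        raise ValueError("quote shorter than header + report body")
    (flags,) = struct.unpack_from("<Q", quote, OFF_ATTR_FLAGS)
    return {
        "mrenclave": quote[OFF_MRENCLAVE:OFF_MRENCLAVE + 32],
        "mrsigner": quote[OFF_MRSIGNER:OFF_MRSIGNER + 32],
        "report_data": quote[OFF_REPORT_DATA:OFF_REPORT_DATA + 64],
        "debug": bool(flags & SGX_FLAGS_DEBUG),
    }


def check_policy(quote: bytes, expected_mrenclave: bytes, pubkey_hash: bytes) -> list:
    """Return a list of policy violations; empty means the quote matches the pin."""
    q = parse_quote(quote)
    problems = []
    if not hmac.compare_digest(q["mrenclave"], expected_mrenclave):
        problems.append("mrenclave mismatch")
    if q["debug"]:
        problems.append("debug enclave")
    # Assumed binding: report_data starts with the hash of the certificate key.
    if not hmac.compare_digest(q["report_data"][:32], pubkey_hash):
        problems.append("report_data does not bind the certificate key")
    return problems


def build_sample_quote(mrenclave: bytes, pubkey_hash: bytes, flags: int = 0x1) -> bytes:
    """Constructed sample quote for offline testing (all other fields zeroed)."""
    q = bytearray(HEADER_LEN + BODY_LEN)
    struct.pack_into("<Q", q, OFF_ATTR_FLAGS, flags)
    q[OFF_MRENCLAVE:OFF_MRENCLAVE + 32] = mrenclave
    q[OFF_REPORT_DATA:OFF_REPORT_DATA + 32] = pubkey_hash
    return bytes(q)
```

A matching MRENCLAVE is only meaningful after the quote signature and collateral have been verified; without that step the fields are attacker-controlled bytes.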
Notes
Requires Intel SGX hardware, Gramine, Python 3.13, Ubuntu 22.04, and the Intel SGX SDK & PSW. The server runs on GitHub Actions with self-hosted runners inside a TEE. Planned features: JSON Web Key (JWK) attestation claim validation and an MCP client demonstration.
