mero-tee

TEE infrastructure for Calimero: mero-kms-phala (Key Management Service for Phala Cloud) and GCP node-image build (Packer-based merod node images with TDX attestation).

Full documentation: Architecture Reference

Components

Component	Description
mero-kms-phala	KMS that validates TDX attestations and releases storage encryption keys to merod nodes running in Phala CVMs
mero-tee/	GCP Packer build for locked merod node images (debug, debug-read-only, locked-read-only profiles)
attestation-verifier/	Public web tool for verifying KMS and node attestations via Intel Trust Authority

Quick Start

Build mero-kms-phala

cargo build --release

Requires Rust. Dependencies on calimero-tee-attestation and calimero-server-primitives via git dependency on calimero-network/core.

Build GCP Images

See mero-tee/README.md. Requires Packer, Ansible, and GCP credentials.

Verify Release Assets

# Verify all release trust assets for a tag
scripts/release/verify-release-assets.sh X.Y.Z

# Generate pinned merod KMS config from signed release policy
scripts/policy/generate-merod-kms-phala-attestation-config.sh \
  --profile locked-read-only X.Y.Z https://<kms-url>/

Documentation

All detailed documentation lives in the Architecture Reference:

Topic	Page
High-level architecture & system map	System Overview
KMS, node images, attestation verifier	Components
Mutual attestation & trust boundaries	Trust Model
Challenge/get-key protocol	Key Release Flow
KMS self-attestation & public verifier	Attestation Flow
MRTD/RTMR, compose hash, operator verify	Verification
Release classes, CI/CD, pipeline flows	Release Pipeline
Staging probes, policy promotion, ADRs	Policy Management
Phala KMS, GCP nodes, blue-green rollout	Runbooks
All environment variables	Config Reference
ServiceError variants & HTTP codes	Error Handling
TEE terms & definitions	Glossary

Release Process

Merge version bump PR (Cargo.toml and versions.json aligned)
Node release runs first; KMS release waits, then creates draft
Human reviews and publishes KMS draft release
update-compatibility-catalog workflow updates compatibility-catalog.json

Two artifact families per version:

mero-kms-vX.Y.Z: KMS binaries, attestation policies, compatibility map, Sigstore signatures
mero-tee-vX.Y.Z: published-mrtds.json, release provenance, SBOM, checksums, Sigstore signatures

Related Repositories

calimero-network/core – merod, node runtime

License

MIT OR Apache-2.0

Name		Name	Last commit message	Last commit date
Latest commit History 477 Commits
.cargo		.cargo
.github		.github
architecture		architecture
attestation-verifier		attestation-verifier
mero-kms		mero-kms
mero-tee		mero-tee
scripts		scripts
.gitignore		.gitignore
CHANGELOG.md		CHANGELOG.md
CODE_OF_CONDUCT.md		CODE_OF_CONDUCT.md
CONTRIBUTING.md		CONTRIBUTING.md
Cargo.lock		Cargo.lock
Cargo.toml		Cargo.toml
LICENSE-APACHE		LICENSE-APACHE
LICENSE-MIT		LICENSE-MIT
README.md		README.md
SECURITY.md		SECURITY.md
compatibility-catalog.json		compatibility-catalog.json
rust-toolchain.toml		rust-toolchain.toml

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

mero-tee

Components

Quick Start

Build mero-kms-phala

Build GCP Images

Verify Release Assets

Documentation

Release Process

Related Repositories

License

About

Licenses found

Uh oh!

Releases 64

Packages

Uh oh!

Uh oh!

Contributors

Uh oh!

Languages

Folders and files

Latest commit

History

Repository files navigation

mero-tee

Components

Quick Start

Build mero-kms-phala

Build GCP Images

Verify Release Assets

Documentation

Release Process

Related Repositories

License

About

Resources

License

Licenses found

Code of conduct

Contributing

Security policy

Uh oh!

Stars

Watchers

Forks

Releases 64

Packages 0

Uh oh!

Uh oh!

Contributors

Uh oh!

Languages

Packages