Kettle: Attested builds for verifiable software provenance
Amean Asad, André Arko

TL;DR
Kettle is a build system that provides cryptographically verifiable software provenance using Trusted Execution Environments, enhancing trust and confidentiality in software supply chains.
Contribution
It introduces a method to produce verifiable provenance inside TEEs, chaining trust to the hardware manufacturer and enabling end-to-end confidential builds.
Findings
Builds produce a cryptographically verifiable provenance document.
Verification reduces to signature and digest checks; no re-execution of the build is needed.
Builds are end-to-end confidential: source code is never exposed in plaintext to the build infrastructure operator.
Abstract
Kettle is an attested build system that produces cryptographically verifiable provenance for software built inside Trusted Execution Environments (TEEs). A Kettle build records the source commit, dependency set, toolchain, build environment, and output artifact digests in a provenance document produced inside a measured confidential VM. The SHA-256 digest of that document is committed to the TEE platform's attestation report-data field, so the hardware-signed attestation report is itself the signature on the provenance, with the signing identity chaining to the TEE manufacturer's root of trust rather than to the build infrastructure operator. Because the CVM image is itself reproducible, its launch measurement is public and stable, which lets a build requester pre-attest the CVM before submitting any input and optionally deliver source over a TLS channel terminated inside it, so the…
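The following is an added illustration of the verification path the Findings and the abstract describe (a consumer checks an attestation signature, a launch measurement, and the provenance digest bound into report_data, then compares artifact digests, with no rebuild). It is not Kettle's code and not from the paper. The hardware signature is modelled with HMAC-SHA256 under a constructed "manufacturer key" as a stand-in for the vendor-rooted certificate chain, the provenance document is assumed to be canonical sorted-key JSON, report_data is assumed to be 64 bytes with the 32-byte SHA-256 digest left-aligned and zero-padded, and the function names (issue_report, attested_build, verify_build, run_scenarios), the dependency and toolchain fields, and all sample inputs are constructed for the example.

```python
import hashlib
import hmac
import json

REPORT_DATA_LEN = 64  # assumption: 64-byte report_data, SHA-256 digest left-aligned, zero-padded

# Constructed stand-ins, not real vendor material or a real CVM measurement.
MANUFACTURER_KEY = b"constructed-stand-in-for-the-TEE-vendor-root-of-trust"
CVM_MEASUREMENT = hashlib.sha256(b"constructed reproducible build-CVM image").digest()


def canonical(doc):
    """Canonical encoding of the provenance document (assumption: compact sorted-key JSON)."""
    return json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()


def report_data_for(doc_bytes):
    """Value the build commits into report_data: SHA-256 of the document, zero-padded."""
    return hashlib.sha256(doc_bytes).digest().ljust(REPORT_DATA_LEN, b"\x00")


def issue_report(measurement, report_data, key=MANUFACTURER_KEY):
    """Stand-in for the hardware attestation report; HMAC models the vendor-rooted signature."""
    sig = hmac.new(key, measurement + report_data, hashlib.sha256).digest()
    return {"measurement": measurement, "report_data": report_data, "signature": sig}


def attested_build(source, artifact_bytes):
    """Inside the (simulated) CVM: record provenance, then bind its digest into report_data."""
    provenance = {
        "source": source,
        "dependencies": {"libfoo": "1.2.3"},   # constructed
        "toolchain": {"compiler": "cc 13.2"},   # constructed
        "environment": {"cvm_measurement": CVM_MEASUREMENT.hex()},
        "artifacts": {"app": hashlib.sha256(artifact_bytes).hexdigest()},
    }
    doc_bytes = canonical(provenance)
    report = issue_report(CVM_MEASUREMENT, report_data_for(doc_bytes))
    return report, doc_bytes


def verify_build(report, doc_bytes, artifacts,
                 expected_measurement=CVM_MEASUREMENT, key=MANUFACTURER_KEY):
    """Consumer-side check: signature, measurement, document digest, artifact digests. No rebuild."""
    body = report["measurement"] + report["report_data"]
    expected_sig = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, report["signature"]):
        return False, "report signature does not chain to the manufacturer root"
    if not hmac.compare_digest(report["measurement"], expected_measurement):
        return False, "launch measurement is not the published CVM measurement"
    if not hmac.compare_digest(report["report_data"], report_data_for(doc_bytes)):
        return False, "report_data does not commit to this provenance document"
    doc = json.loads(doc_bytes)
    for name, digest in doc["artifacts"].items():
        data = artifacts.get(name)
        if data is None or not hmac.compare_digest(hashlib.sha256(data).hexdigest(), digest):
            return False, f"artifact {name!r} does not match its provenance digest"
    return True, "ok"


def run_scenarios():
    """Run the verifier on a good build and four tampered variants; returns {name: (ok, reason)}."""
    source = {"repo": "https://example.invalid/app.git", "commit": "a" * 40}  # constructed
    artifact = b"\x7fELF constructed build output"                            # constructed
    report, doc_bytes = attested_build(source, artifact)
    results = {"valid": verify_build(report, doc_bytes, {"app": artifact})}

    # Operator edits the provenance after the fact (claims a different commit).
    doc = json.loads(doc_bytes)
    doc["source"]["commit"] = "b" * 40
    results["edited_provenance"] = verify_build(report, canonical(doc), {"app": artifact})

    # Validly signed report, but from a CVM whose measurement is not the published one.
    other = issue_report(hashlib.sha256(b"patched image").digest(), report_data_for(doc_bytes))
    results["wrong_measurement"] = verify_build(other, doc_bytes, {"app": artifact})

    # Artifact substituted after the build.
    results["swapped_artifact"] = verify_build(report, doc_bytes, {"app": artifact + b"!"})

    # Report forged without the manufacturer key.
    forged = dict(report, signature=bytes(32))
    results["forged_signature"] = verify_build(forged, doc_bytes, {"app": artifact})
    return results
```

The order of checks matters: the signature is verified before anything in the report is trusted, the measurement is compared against the published value before report_data is read, and only then is the provenance document's own content used to check the artifacts. Each tampered scenario fails at a different step, which is why the reason string is returned alongside the verdict.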
