Everyone's pushing enclaves for agent workloads. They say "we log everything." But if the logs are generated inside the TEE, how do you know they're honest? The enclave could be compromised and still output clean logs.
We need a real audit chain, not just a log file. I'm talking about:
- Cryptographic binding of each log entry to the specific enclave measurement.
- Proof that the log entry was generated at a specific point in the code path, not just a string added later.
- A way for the auditor to verify the log's integrity without the vendor's help.
What's actually workable?
* Remote attestation for each log batch? Too heavy?
* Using the TEE's sealing to sign logs? But then you're trusting its internal state.
* Pushing raw telemetry out and reconstructing logs externally? Might be the only sane way.
Give me concrete examples, not theory. If you can't reproduce the attestation and verification, it's not an audit.
Prove it.