From 645965bd8d1116c079945b547ba1f406153b109a Mon Sep 17 00:00:00 2001
From: MoeMahhouk
Date: Thu, 19 Feb 2026 10:00:42 +0000
Subject: [PATCH 1/2] chore: replace cvm-reverse-proxy with attested-tls-proxy
---
 bob-common/mkosi.build | 13 +++++++------
 .../systemd/system/attested-tls-proxy.service | 17 +++++++++++++++++
 .../systemd/system/cvm-reverse-proxy.service | 16 ----------------
 bob-common/mkosi.postinst | 2 +-
 bob-l1/mkosi.extra/etc/bob/firewall-config | 6 +++---
 bob-l2/mkosi.extra/etc/bob/firewall-config | 6 +++---
 6 files changed, 31 insertions(+), 29 deletions(-)
 create mode 100644 bob-common/mkosi.extra/etc/systemd/system/attested-tls-proxy.service
 delete mode 100644 bob-common/mkosi.extra/etc/systemd/system/cvm-reverse-proxy.service
diff --git a/bob-common/mkosi.build b/bob-common/mkosi.build
index a277a877..cf00ee1e 100755
--- a/bob-common/mkosi.build
+++ b/bob-common/mkosi.build
@@ -40,12 +40,13 @@ make_git_package \
 'go build -trimpath -ldflags "-s -w -buildid= -X github.com/flashbots/go-template/common.Version=v1.0.0" -o ./build/ssh-pubkey-server cmd/httpserver/main.go' \
 "build/ssh-pubkey-server:/usr/bin/ssh-pubkey-server"
-make_git_package \
- "cvm-reverse-proxy" \
- "v0.1.8" \
- "https://github.com/flashbots/cvm-reverse-proxy" \
- "make build-proxy-server" \
- "build/proxy-server:/usr/bin/cvm-reverse-proxy"
+# Install attested-tls-proxy from pre-built .deb
+ATLS_VERSION="v1.1.1"
+ATLS_SHA256="539a5f7de6e0b3a80d5279e76fbf46b2531c3c74fa2e22bf55a3dd5c0118690d"
+curl -sSfL "https://github.com/flashbots/attested-tls-proxy/releases/download/${ATLS_VERSION}/attested-tls-proxy_1.${ATLS_VERSION}_amd64.deb" \
+ -o /tmp/attested-tls-proxy.deb
+echo "${ATLS_SHA256} /tmp/attested-tls-proxy.deb" | sha256sum --check
+dpkg-deb -x /tmp/attested-tls-proxy.deb "$DESTDIR"
 # Build input-only-proxy
 build_rust_package \
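Review bot: The checksum gate on the new `echo … | sha256sum --check` line only stops the build if mkosi.build runs under `set -e`, which is outside this hunk; otherwise a mismatch merely prints FAILED and the following `dpkg-deb -x` still unpacks the unverified archive into `$DESTDIR`. Make the gate independent of shell options: `echo "${ATLS_SHA256}  /tmp/attested-tls-proxy.deb" | sha256sum --check --strict || exit 1` (GNU sha256sum documents the checksum line as hash, space, mode character, name, so the single-space separator shown here, possibly collapsed formatting, is worth confirming against the build image's coreutils). The fixed `/tmp/attested-tls-proxy.deb` path is shared by any concurrent build on the same host; a `mktemp`-created file removed by a trap would avoid that. The asset name expands to `attested-tls-proxy_1.v1.1.1_amd64.deb`, which presumably matches the release naming but is easy to misread next to the `v`-prefixed ATLS_VERSION, so a short comment on the naming scheme would help the next bump.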
diff --git a/bob-common/mkosi.extra/etc/systemd/system/attested-tls-proxy.service b/bob-common/mkosi.extra/etc/systemd/system/attested-tls-proxy.service
new file mode 100644
index 00000000..76493b57
--- /dev/null
+++ b/bob-common/mkosi.extra/etc/systemd/system/attested-tls-proxy.service
@@ -0,0 +1,17 @@
+[Unit]
+Description=Attested TLS Proxy for SSH Public Key Server
+After=ssh-pubkey-server.service
+Requires=ssh-pubkey-server.service
+
+[Service]
+Type=simple
+ExecStart=/usr/bin/attested-tls-proxy server \
+ --listen-addr 0.0.0.0:8745 \
+ --server-attestation-type auto \
+ --allowed-remote-attestation-type none \
+ 127.0.0.1:5001
+Restart=always
+RestartSec=5
+
+[Install]
+WantedBy=minimal.target
diff --git a/bob-common/mkosi.extra/etc/systemd/system/cvm-reverse-proxy.service b/bob-common/mkosi.extra/etc/systemd/system/cvm-reverse-proxy.service
deleted file mode 100644
index d7dcc7fe..00000000
--- a/bob-common/mkosi.extra/etc/systemd/system/cvm-reverse-proxy.service
+++ /dev/null
@@ -1,16 +0,0 @@
-[Unit]
-Description=SSH Public Key Server
-After=ssh-pubkey-server.service
-Requires=ssh-pubkey-server.service
-
-[Service]
-Type=simple
-ExecStart=cvm-reverse-proxy --listen-addr=0.0.0.0:8745 \
- --target-addr=http://localhost:5001 \
- --server-attestation-type=auto \
- --override-azurev6-tcbinfo
-Restart=always
-RestartSec=5
-
-[Install]
-WantedBy=minimal.target
diff --git a/bob-common/mkosi.postinst b/bob-common/mkosi.postinst
index 227beea5..250fbeb8 100755
--- a/bob-common/mkosi.postinst
+++ b/bob-common/mkosi.postinst
@@ -29,7 +29,7 @@ for service in \
 dropbear.service \
 searcher-container.service \
 ssh-pubkey-server.service \
- cvm-reverse-proxy.service
+ attested-tls-proxy.service
 do
 mkosi-chroot systemctl enable "$service"
 ln -sf "/etc/systemd/system/$service" "$BUILDROOT/etc/systemd/system/minimal.target.wants/"
diff --git a/bob-l1/mkosi.extra/etc/bob/firewall-config b/bob-l1/mkosi.extra/etc/bob/firewall-config
index 6355d153..cec5efbb 100644
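Review bot: The new ExecStart in attested-tls-proxy.service drops the `--override-azurev6-tcbinfo` flag that the removed cvm-reverse-proxy unit passed, and neither the unit nor the commit message says whether attested-tls-proxy no longer needs it or has an equivalent; if Azure v6 hosts depended on that override, server attestation there may now fail or report a different TCB, so confirm and record the outcome. The attestation flags also deserve a comment for the next reader, e.g. above ExecStart: `# Publishes this VM's attestation over TLS on :8745 and forwards to ssh-pubkey-server on 127.0.0.1:5001; client (remote) attestation is not required (none)`. The unit has no `User=` and no sandboxing directives, so the proxy runs as root; `NoNewPrivileges=yes` and `ProtectSystem=strict` are low-risk additions, whereas `DynamicUser=` would need the proxy's attestation device access granted explicitly (the libtss2 packages added in the follow-up patch suggest TPM use), so test that before adding it.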
--- a/bob-l1/mkosi.extra/etc/bob/firewall-config
+++ b/bob-l1/mkosi.extra/etc/bob/firewall-config
@@ -5,7 +5,7 @@ SSH_CONTROL_PORT=22
 SSH_DATA_PORT=10022
 SSH_REGISTER_PORT=8080
-CVM_REVERSE_PROXY_PORT=8745
+ATTESTED_TLS_PROXY_PORT=8745
 SEARCHER_INPUT_UDP_PORT=27017
 SEARCHER_INPUT_TCP_PORT=27018
@@ -38,10 +38,10 @@ accept_dst_port $CHAIN_ALWAYS_IN tcp $SSH_CONTROL_PORT "SSH control port"
 accept_dst_port $CHAIN_ALWAYS_IN udp $SEARCHER_INPUT_UDP_PORT "Searcher UDP input channel"
 accept_dst_port $CHAIN_ALWAYS_IN tcp $SEARCHER_INPUT_TCP_PORT "Searcher TCP input channel (input-only-proxy)"
-# CVM reverse-proxy serves server attestation
+# Attested TLS proxy serves server attestation
 # Also forwards request to ssh pubkey server on localhost:5001,
 # which serves searcher-container openssh server pubkey
-accept_dst_port $CHAIN_ALWAYS_IN tcp $CVM_REVERSE_PROXY_PORT "CVM reverse-proxy"
+accept_dst_port $CHAIN_ALWAYS_IN tcp $ATTESTED_TLS_PROXY_PORT "Attested TLS proxy"
 # Note: this is CL running on the host
 accept_dst_port $CHAIN_ALWAYS_IN tcp $CL_P2P_PORT "CL P2P (TCP)"
diff --git a/bob-l2/mkosi.extra/etc/bob/firewall-config b/bob-l2/mkosi.extra/etc/bob/firewall-config
index 85e7925f..5b6ce7a0 100644
--- a/bob-l2/mkosi.extra/etc/bob/firewall-config
+++ b/bob-l2/mkosi.extra/etc/bob/firewall-config
@@ -5,7 +5,7 @@ SSH_CONTROL_PORT=22
 SSH_DATA_PORT=10022
 SSH_REGISTER_PORT=8080
-CVM_REVERSE_PROXY_PORT=8745
+ATTESTED_TLS_PROXY_PORT=8745
 SEARCHER_INPUT_UDP_PORT=27017
 SEARCHER_INPUT_TCP_PORT=27018
@@ -34,10 +34,10 @@ accept_dst_port $CHAIN_ALWAYS_IN tcp $SEARCHER_INPUT_TCP_PORT "Searcher TCP inpu
 # We assume here that static peers in config are only syn nodes
 accept_src_ip_dst_port $CHAIN_ALWAYS_IN tcp "$CONFIG_EL_PEERS_IPS" $ENGINE_API_PORT "Engine API"
-# CVM reverse-proxy serves server attestation
+# Attested TLS proxy serves server attestation
 # Also forwards request to ssh pubkey server on localhost:5001,
 # which serves searcher-container openssh server pubkey
-accept_dst_port $CHAIN_ALWAYS_IN tcp $CVM_REVERSE_PROXY_PORT "CVM reverse-proxy"
+accept_dst_port $CHAIN_ALWAYS_IN tcp $ATTESTED_TLS_PROXY_PORT "Attested TLS proxy"
 ###########################################################################
 # (2) ALWAYS_OUT: Outbound rules that are always applied
From ab5f6e265e0daa8ca9ce4681e04a3c13162c96ec Mon Sep 17 00:00:00 2001
From: MoeMahhouk
Date: Thu, 19 Feb 2026 11:49:41 +0000
Subject: [PATCH 2/2] add missing dependencies
---
 bob-common/mkosi.conf | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/bob-common/mkosi.conf b/bob-common/mkosi.conf
index ebd8b785..9740d167 100644
--- a/bob-common/mkosi.conf
+++ b/bob-common/mkosi.conf
@@ -29,6 +29,9 @@ Packages=podman
 openssh-sftp-server
 udev
 libsnappy1v5
+ libtss2-esys-3.0.2-0t64
+ libtss2-mu-4.0.1-0t64
+ libtss2-tctildr0t64
 BuildPackages=build-essential
 git
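Review bot: The three libtss2 lines added to Packages= in mkosi.conf do not say why they are needed; since patch 1 unpacks attested-tls-proxy with `dpkg-deb -x`, which bypasses dpkg's dependency resolution, these are presumably the .deb's runtime Depends copied by hand, and they will silently go stale on the next ATLS_VERSION bump or distro release (the `t64` suffixes and exact SONAME versions are release-specific). Add a comment tying them to the manually extracted package, e.g. above the first libtss2 line: `# Runtime deps of attested-tls-proxy; its .deb is unpacked with dpkg-deb -x in mkosi.build, so dpkg never pulls these in — re-check on every version bump`. A build-time check in mkosi.build that reads `dpkg-deb -f /tmp/attested-tls-proxy.deb Depends` and fails when a listed package is not installed would catch drift before the image ships a proxy that cannot start.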