tdx_guest

package module
v0.0.0-...-110d291
Published: Sep 12, 2025 License: MIT Imports: 24 Imported by: 0

README

TDX Guest

A Go library to generate and verify Intel TDX Quote V5.

Similar Go libraries are go-tdx-qpl and go-tdx-guest, which support only quote V4, but their code and documentation also provided me with some reference and assistance.

GetQuote(data [64]byte) ([]byte, error)

The function uses the "/dev/tdx_guest" device to get a TDX Quote V5. It is based on SGXDataCenterAttestationPrimitives DCAP_1.22.

VerifyQuote(quoteRaw []byte, options VerifyOptions) (*SgxQuote, error)

It verifies a TDX Quote V4 or V5. It is based on QVL v1.1.8886.

VerifyOptions
  • GetCollateral: download the collateral from Intel PCS and check it.
  • CheckCrl: download the CRL (certificate revocation list) and check whether the quote's PCK certificate is revoked.

Both are false by default, as returned by DefaultVerifyOptions(), so a default verification neither fetches collateral from PCS nor checks the PCK certificate against the CRL.

Documentation

Constants

This section is empty.

Variables

This section is empty.

Functions

func GetQuote

func GetQuote(data [reportDataSize]byte) ([]byte, error)

GetQuote generates a TDX quote for the given user data. Supported quote formats: QuoteV5.

Types

type EnclaveIdentity

type EnclaveIdentity struct {
	ID                      string     `json:"id"`
	Version                 int        `json:"version"`
	IssueDate               time.Time  `json:"issueDate"`
	NextUpdate              time.Time  `json:"nextUpdate"`
	TcbEvaluationDataNumber int        `json:"tcbEvaluationDataNumber"`
	MiscSelect              HexUint32  `json:"miscselect"`
	MiscSelectMask          HexUint32  `json:"miscSelectMask"`
	Attributes              HexBytes   `json:"attributes"`
	AttributesMask          HexBytes   `json:"attributesMask"`
	MrSigner                HexBytes   `json:"mrsigner"`
	IsvProdID               uint16     `json:"isvprodid"`
	TcbLevels               []TcbLevel `json:"tcbLevels"`
}

EnclaveIdentity is the Intel PCS Enclave Identity model (v2), https://api.portal.trustedservices.intel.com/content/documentation.html#pcs-enclave-identity-model-v2

type EnclaveReport

type EnclaveReport struct {
	CpuSvn     [16]byte
	MiscSelect uint32
	Reserved1  [28]byte
	Attributes [16]byte
	MrEnclave  [32]byte
	Reserved2  [32]byte
	MrSigner   [32]byte
	Reserved3  [96]byte
	IsvProdID  uint16
	IsvSvn     uint16
	Reserved4  [60]byte
	ReportData [64]byte
}

type HexBytes

type HexBytes []byte

func (*HexBytes) UnmarshalJSON

func (p *HexBytes) UnmarshalJSON(s []byte) error

UnmarshalJSON converts a hex-encoded JSON string into bytes.

type HexUint32

type HexUint32 uint32

func (*HexUint32) UnmarshalJSON

func (p *HexUint32) UnmarshalJSON(s []byte) error

type PckConfiguration

type PckConfiguration struct {
	DynamicPlatform bool
	CachedKeys      bool
	SmtEnabled      bool
}

type PckExtension

type PckExtension struct {
	Ppid               [16]byte
	Tcb                PckTcb
	PceID              [2]byte
	Fmspc              [6]byte
	SgxType            int
	PlatformInstanceID [16]byte
	Configuration      PckConfiguration
}

type PckTcb

type PckTcb struct {
	Components [16]byte // SGX TCB Comp01 SVN ... SGX TCB Comp16 SVN
	PceSvn     int
	CpuSvn     [16]byte
}

type PcsClient

type PcsClient struct {
	// contains filtered or unexported fields
}

PcsClient is a client for the Intel® SGX and Intel® TDX Provisioning Certification Service, https://api.portal.trustedservices.intel.com/content/documentation.html#pcs

func NewPcsClient

func NewPcsClient(baseUrl string, now time.Time, request Request) PcsClient

func (*PcsClient) GetPckCrl

func (client *PcsClient) GetPckCrl(commonName string) (*x509.RevocationList, error)

GetPckCrl implements Get Revocation List V4: it retrieves the X.509 Certificate Revocation List of revoked SGX PCK certificates. The CRL is issued by the Intel SGX Processor CA or Platform CA. https://api.portal.trustedservices.intel.com/content/documentation.html#pcs-revocation-v4

func (*PcsClient) GetQeIdentity

func (client *PcsClient) GetQeIdentity() (*EnclaveIdentity, error)

GetQeIdentity implements Enclave Identity V4. https://api.portal.trustedservices.intel.com/content/documentation.html#pcs-enclave-identity-v4

func (*PcsClient) GetRootCrl

func (client *PcsClient) GetRootCrl() (*x509.RevocationList, error)

func (*PcsClient) GetTcbInfo

func (client *PcsClient) GetTcbInfo(fmspc [6]byte) (*TcbInfo, error)

GetTcbInfo implements Get TDX TCB Info V4: it retrieves TDX TCB information for the given FMSPC. https://api.portal.trustedservices.intel.com/content/documentation.html#pcs-tcb-info-tdx-v4

type QeAuthData

type QeAuthData struct {
	ParsedDataSize uint16
	Data           []byte
}

type QeReportCertificationData

type QeReportCertificationData struct {
	QeReport EnclaveReport

	QeReportSignature [64]byte
	QeAuthData        QeAuthData
	Type              uint16
	ParsedDataSize    uint32
	Data              []byte
	// contains filtered or unexported fields
}

type QgsMsgGetQuoteReq

type QgsMsgGetQuoteReq struct {
	Header       QgsMsgHeader     // header.type = GET_QUOTE_REQ (0)
	ReportSize   uint32           // cannot be 0
	IdListSize   uint32           // length of id_list, in byte, can be 0
	ReportIdList [reportSize]byte // report followed by id list
}

QgsMsgGetQuoteReq is qgs_msg_get_quote_req_t, https://github.com/intel/SGXDataCenterAttestationPrimitives/blob/DCAP_1.22/QuoteGeneration/quote_wrapper/qgs_msg_lib/inc/qgs_msg_lib.h#L81-L86

type QgsMsgGetQuoteResp

type QgsMsgGetQuoteResp struct {
	Header         QgsMsgHeader // header.type = GET_QUOTE_RESP
	SelectedIdSize uint32       // can be 0 in case only one id is sent in request
	QuoteSize      uint32       // length of quote_data, in byte

}

QgsMsgGetQuoteResp is qgs_msg_get_quote_resp_t, https://github.com/intel/SGXDataCenterAttestationPrimitives/blob/DCAP_1.22/QuoteGeneration/quote_wrapper/qgs_msg_lib/inc/qgs_msg_lib.h#L88-L93

type QgsMsgHeader

type QgsMsgHeader struct {
	MajorVersion uint16
	MinorVersion uint16
	Type         uint32
	Size         uint32 // size of the whole message, include this header, in byte
	ErrorCode    uint32 // used in response only
}

QgsMsgHeader is qgs_msg_header_t, https://github.com/intel/SGXDataCenterAttestationPrimitives/blob/DCAP_1.22/QuoteGeneration/quote_wrapper/qgs_msg_lib/inc/qgs_msg_lib.h#L73-L79

type ReportBodyType

type ReportBodyType uint16
const (
	ReportBodyTypeSgxEnclave ReportBodyType = 1
	ReportBodyTypeTdx10      ReportBodyType = 2
	ReportBodyTypeTdx15      ReportBodyType = 3
)

type Request

type Request func(url string) ([]byte, http.Header, error)

type SgxQuote

type SgxQuote struct {
	Header     SgxQuoteHeader
	Type       ReportBodyType
	Size       uint32
	ReportBody SgxReport2BodyV15

	SignatureDataLen uint32
	SignatureData    Ecdsa256BitQuoteV4AuthData
	// contains filtered or unexported fields
}

SgxQuote is a combined struct covering both sgx_quote4_t and sgx_quote5_t.

sgx_quote4_t: https://github.com/intel/SGXDataCenterAttestationPrimitives/blob/DCAP_1.22/QuoteGeneration/quote_wrapper/common/inc/sgx_quote_4.h#L141-L154

type SgxQuoteV4 struct {
	Header           SgxQuoteHeader             // < 0:   The quote header.
	ReportBody       SgxReport2Body             // < 48:  The REPORT of the TD that is attesting remotely.
	SignatureDataLen uint32                     // < 632: The length of the signature_data.  Varies depending on the type of sign_type.
	SignatureData    Ecdsa256BitQuoteV4AuthData // < 636: Contains the variable length containing the quote signature and support data for the signature.
}

sgx_quote5_t: https://github.com/intel/SGXDataCenterAttestationPrimitives/blob/DCAP_1.22/QuoteGeneration/quote_wrapper/common/inc/sgx_quote_5.h#L106-L128

type SgxQuoteV5 struct {
	Header           SgxQuoteHeader             // < 0:   The quote header.
	Type             ReportBodyType             // < 48:  Determines type of Quote body (TEE report), Architecturally supported values:
	                                            //        1 (SGX Enclave Report)
	                                            //        2 (TD Report for TDX 1.0)
	                                            //        3 (TD Report for TDX 1.5)
	Size             uint32                     // < 50:  Size of Quote Body field.
	ReportBody       Union:                     // < 54:  Quote Body. Its content depends on the value of Quote Body Type:
	                     SgxReportBody          //        Type 1
	                     SgxReport2Body         //        Type 2
	                     SgxReport2BodyV15      //        Type 3
	SignatureDataLen uint32                     // < _:   The length of the signature data.
	SignatureData    Ecdsa256BitQuoteV4AuthData // < _:   The quote signature data.
}

func VerifyQuote

func VerifyQuote(quoteRaw []byte, options VerifyOptions) (*SgxQuote, error)

VerifyQuote verifies the TDX quote using the PCK certificate, TCB info, and QE identity. Supported quote formats: QuoteV4, QuoteV5. It follows the Intel QVL, https://github.com/intel/SGX-TDX-DCAP-QuoteVerificationLibrary/tree/v1.1.8886
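As an added example (not code from the tdx_guest module), the following Go walks the V4 and V5 layouts documented above: it reads Version and TeeType from the 48-byte header, for V5 reads the body type and size at offsets 48 and 50, and checks that SignatureDataLen agrees with the bytes that remain, which is the length sanity check a verifier performs before it touches the signature data. The body sizes (584 for SgxReport2Body, 648 for SgxReport2BodyV15) and the little-endian byte order are derived from the struct offsets above; BuildSyntheticQuote produces constructed, zero-filled, unsigned test input, not a real quote.

```go
package main

import (
	"encoding/binary"
	"fmt"
)
const (
	headerSize = 48  // SgxQuoteHeader: UserData at 28 + 20 bytes
	bodySize10 = 584 // SgxReport2Body (quote V4, or V5 body type 2): ReportData at 520 + 64
	bodySize15 = 648 // SgxReport2BodyV15 (V5 body type 3): 584 + TeeTcbSvn2 (16) + MrServiceTd (48)
	teeTypeTdx = 0x81
)
// QuoteLayout says where the TD report body and the signature data sit inside a raw quote.
type QuoteLayout struct{ Version, BodyType uint16; BodyOffset, BodySize, SigOffset int }

// LocateQuoteParts walks the V4/V5 layout and rejects a quote whose declared lengths disagree with the buffer.
func LocateQuoteParts(raw []byte) (l QuoteLayout, err error) {
	if len(raw) < headerSize+6 || binary.LittleEndian.Uint32(raw[4:8]) != teeTypeTdx {
		return l, fmt.Errorf("not a TDX quote or too short (%d bytes)", len(raw))
	}
	switch l.Version = binary.LittleEndian.Uint16(raw[0:2]); l.Version {
	case 4: // the TDX 1.0 body follows the header directly, so SignatureDataLen lands at offset 632
		l.BodyType, l.BodyOffset, l.BodySize = 2, headerSize, bodySize10
	case 5: // a 2-byte body type (offset 48) and a 4-byte body size (offset 50) precede the body
		l.BodyType = binary.LittleEndian.Uint16(raw[48:50])
		l.BodySize = int(binary.LittleEndian.Uint32(raw[50:54]))
		l.BodyOffset = headerSize + 6
		if want := map[uint16]int{2: bodySize10, 3: bodySize15}[l.BodyType]; want == 0 || want != l.BodySize {
			return l, fmt.Errorf("body type %d with size %d is not a TD report", l.BodyType, l.BodySize)
		}
	default:
		return l, fmt.Errorf("unsupported quote version %d", l.Version)
	}
	l.SigOffset = l.BodyOffset + l.BodySize + 4 // SignatureDataLen sits just before SignatureData
	if len(raw) < l.SigOffset || len(raw)-l.SigOffset != int(binary.LittleEndian.Uint32(raw[l.SigOffset-4:])) {
		return l, fmt.Errorf("SignatureDataLen disagrees with the %d bytes after the body", len(raw)-l.SigOffset+4)
	}
	return l, nil
}

// BuildSyntheticQuote assembles a zero-filled, unsigned but well-formed quote so the locator can be exercised
// offline; it is constructed test data, not a real quote obtained from /dev/tdx_guest.
func BuildSyntheticQuote(version, bodyType uint16, sigLen int) []byte {
	q := make([]byte, headerSize) // Version at 0, TeeType at 4, everything else left zero
	binary.LittleEndian.PutUint16(q, version)
	binary.LittleEndian.PutUint32(q[4:], teeTypeTdx)
	body := make([]byte, map[uint16]int{2: bodySize10, 3: bodySize15}[bodyType])
	if version == 5 {
		q = binary.LittleEndian.AppendUint32(binary.LittleEndian.AppendUint16(q, bodyType), uint32(len(body)))
	}
	q = binary.LittleEndian.AppendUint32(append(q, body...), uint32(sigLen))
	return append(q, make([]byte, sigLen)...)
}
```

A truncated buffer, an SGX enclave body (type 1) or an unsupported version is rejected before any field beyond the length prefix is interpreted.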

type SgxQuoteHeader

type SgxQuoteHeader struct {
	Version    uint16   // < 0:  The version this quote structure.
	AttKeyType uint16   // < 2:  sgx_attestation_algorithm_id_t.  Describes the type of signature in the signature_data[] field.
	TeeType    TeeType  // < 4:  Type of Trusted Execution Environment for which the Quote has been generated. Supported values: 0 (SGX), 0x81(TDX)
	Reserved   uint32   // < 8:  Reserved field.
	VendorId   [16]byte // < 12: Unique identifier of QE Vendor.
	UserData   [20]byte // < 28: Custom attestation key owner data.
}

SgxQuoteHeader is the quote header. It is designed to be compatible with earlier versions of the quote. It corresponds to sgx_quote4_header_t, https://github.com/intel/SGXDataCenterAttestationPrimitives/blob/DCAP_1.22/QuoteGeneration/quote_wrapper/common/inc/sgx_quote_4.h#L112-L120, and sgx_quote5_header_t, https://github.com/intel/SGXDataCenterAttestationPrimitives/blob/DCAP_1.22/QuoteGeneration/quote_wrapper/common/inc/sgx_quote_5.h#L82

type SgxReport2Body

type SgxReport2Body struct {
	TeeTcbSvn      TeeTcbSvn         // <  0:  TEE_TCB_SVN Array
	MrSeam         TeeMeasurement    // < 16:  Measurement of the SEAM module
	MrSignerSeam   TeeMeasurement    // < 64:  Measurement of a 3rd party SEAM module’s signer (SHA384 hash). The value is 0’ed for Intel SEAM module
	SeamAttributes TeeAttributes     // < 112: MBZ: TDX 1.0
	TdAttributes   TeeAttributes     // < 120: TD's attributes
	XFam           TeeAttributes     // < 128: TD's XFAM
	MrTd           TeeMeasurement    // < 136: Measurement of the initial contents of the TD
	MrConfigId     TeeMeasurement    // < 184: Software defined ID for non-owner-defined configuration on the guest TD. e.g., runtime or OS configuration
	MrOwner        TeeMeasurement    // < 232: Software defined ID for the guest TD's owner
	MrOwnerConfig  TeeMeasurement    // < 280: Software defined ID for owner-defined configuration of the guest TD, e.g., specific to the workload rather than the runtime or OS
	RtMr           [4]TeeMeasurement // < 328: Array of 4(TDX1: NUM_RTMRS is 4) runtime extendable measurement registers
	ReportData     TeeReportData     // < 520: Additional report data
}

SgxReport2Body is the SGX Report2 body (the TD report for TDX 1.0). It corresponds to sgx_report2_body_t, https://github.com/intel/SGXDataCenterAttestationPrimitives/blob/DCAP_1.22/QuoteGeneration/quote_wrapper/common/inc/sgx_quote_4.h#L123-L137, and TDReport10, https://github.com/intel/SGX-TDX-DCAP-QuoteVerificationLibrary/blob/v1.1.7988/Src/AttestationLibrary/src/QuoteVerification/QuoteStructures.h#L82-L103

type SgxReport2BodyV15

type SgxReport2BodyV15 struct {
	SgxReport2Body
	TeeTcbSvn2  TeeTcbSvn      // < 584: Array of TEE TCB SVNs (for TD preserving).
	MrServiceTd TeeMeasurement // < 600: If there are one or more bound or pre-bound service TDs, SERVTD_HASH is the SHA384 hash of the TDINFO_STRUCTs of those service TDs; otherwise SERVTD_HASH is 0.
}

SgxReport2BodyV15 is the SGX Report2 body for quote V5 (the TD report for TDX 1.5). It corresponds to sgx_report2_body_v1_5_t, https://github.com/intel/SGXDataCenterAttestationPrimitives/blob/DCAP_1.22/QuoteGeneration/quote_wrapper/common/inc/sgx_quote_5.h#L85-L102, and TDReport15, https://github.com/intel/SGX-TDX-DCAP-QuoteVerificationLibrary/blob/v1.1.7988/Src/AttestationLibrary/src/QuoteVerification/QuoteStructures.h#L105-L112

type Tcb

type Tcb struct {
	IsvSvn           uint16           `json:"isvsvn"` // TDX SEAM module's ISV SVN; the Intel documentation misspells the key as "isvnsvn"
	SgxTcbComponents [16]TcbComponent `json:"sgxtcbcomponents"`
	PceSvn           int              `json:"pcesvn"`
	TdxTcbComponents [16]TcbComponent `json:"tdxtcbcomponents"`
}

type TcbComponent

type TcbComponent struct {
	Svn      uint8  `json:"svn"`
	Category string `json:"category"`
	Type     string `json:"type"`
}

type TcbInfo

type TcbInfo struct {
	ID                      string              `json:"id"`
	Version                 int                 `json:"version"`
	IssueDate               time.Time           `json:"issueDate"`
	NextUpdate              time.Time           `json:"nextUpdate"`
	Fmspc                   HexBytes            `json:"fmspc"`
	PceID                   HexBytes            `json:"pceId"`
	TcbType                 int                 `json:"tcbType"`
	TcbEvaluationDataNumber int                 `json:"tcbEvaluationDataNumber"`
	TdxModule               TdxModule           `json:"tdxModule"`
	TdxModuleIdentities     []TdxModuleIdentity `json:"tdxModuleIdentities"`
	TcbLevels               []TcbLevel          `json:"tcbLevels"`
}

TcbInfo is the Intel PCS TCB Info model (v3), https://api.portal.trustedservices.intel.com/content/documentation.html#pcs-tcb-info-model-v3

type TcbLevel

type TcbLevel struct {
	Tcb         Tcb       `json:"tcb"`
	TcbDate     time.Time `json:"tcbDate"`
	TcbStatus   TcbStatus `json:"tcbStatus"`
	AdvisoryIDs []string  `json:"advisoryIDs"`
}

type TcbStatus

type TcbStatus string
const (
	TcbStatusUpToDate                          TcbStatus = "UpToDate"
	TcbStatusConfigurationNeeded               TcbStatus = "ConfigurationNeeded"
	TcbStatusOutOfDate                         TcbStatus = "OutOfDate"
	TcbStatusOutOfDateConfigurationNeeded      TcbStatus = "OutOfDateConfigurationNeeded"
	TcbStatusConfigurationAndSWHardeningNeeded TcbStatus = "ConfigurationAndSWHardeningNeeded"
	TcbStatusSWHardeningNeeded                 TcbStatus = "SWHardeningNeeded"
	TcbStatusRevoked                           TcbStatus = "Revoked"
)

type TdxModule

type TdxModule struct {
	MrSigner       HexBytes `json:"mrsigner"`
	Attributes     HexBytes `json:"attributes"`
	AttributesMask HexBytes `json:"attributesMask"`
}

type TdxModuleIdentity

type TdxModuleIdentity struct {
	TdxModule
	ID        string     `json:"id"`
	TcbLevels []TcbLevel `json:"tcbLevels"`
}

type TdxQuoteHdr

type TdxQuoteHdr struct {
	Version uint64           // Quote version, filled by TD
	Status  uint64           // Status code of Quote request, filled by VMM
	InLen   uint32           // Length of TDREPORT, filled by TD
	OutLen  uint32           // Length of Quote, filled by VMM
	Data    [reqBufSize]byte // Actual Quote data or TDREPORT on input
}

TdxQuoteHdr is tdx_quote_hdr, https://github.com/intel/SGXDataCenterAttestationPrimitives/blob/DCAP_1.22/QuoteGeneration/quote_wrapper/tdx_attest/tdx_attest.c#L108-L119

type TdxReportReq

type TdxReportReq struct {
	ReportData [reportDataSize]byte
	TdReport   [reportSize]byte
}

TdxReportReq is tdx_report_req, https://github.com/intel/SGXDataCenterAttestationPrimitives/blob/DCAP_1.22/QuoteGeneration/quote_wrapper/tdx_attest/tdx_attest.c#L98-L101

type TeeType

type TeeType uint32
const (
	TeeTypeSgx TeeType = 0x00000000
	TeeTypeTdx TeeType = 0x00000081
)

type VerifyOptions

type VerifyOptions struct {
	GetCollateral bool // download the collateral from Intel PCS and check it.
	CheckCrl      bool // download the CRL (certificate revocation list) and check whether the quote's PCK certificate is revoked.
	PcsClient     PcsClient
}

func DefaultVerifyOptions

func DefaultVerifyOptions() VerifyOptions
