Add TDX Attestation #41
Open: yogeshbdeshpande wants to merge 5 commits into main from intel-tdx-musings
5 commits
a10a800
Add TDX Attestation
yogeshbdeshpande 121e8bb
Incorporate Review Comments
yogeshbdeshpande 2db48cb
Add TCB Recovery Documentation
yogeshbdeshpande 7e58ec3
Add CRL information
yogeshbdeshpande 1cd4272
Enhance steps of TDX Verification
yogeshbdeshpande
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,231 @@ | ||
| # Intel-TDX Attestation Details | ||
|
|
||
| The purpose of this document is to explain Intel TDX attestation extensions and to understand how | ||
| Intel-TDX attestation scheme can be supported in Veraison. | ||
|
|
||
| ## Introduction | ||
|
|
||
| Intel Trust Domain Extensions (Intel TDX) introduces new architectural elements to deploy hardware-isloted, | ||
| virtual machines (VMs) called trust domains (TDs). It is designed to isolate VMs from the virtual machine manager | ||
| (VMM)/hypervisor and any other non-TD software on the platform to protect TDs from a broad range of software. | ||
|
|
||
| ## TDX Concepts | ||
|
|
||
| ### GLOSSARY | ||
|
|
||
| * __Trust Domains (TDs)__ - Trust Domains are designed to be hardware isolated Virtual Machines (VMs) deployed using Intel Trust Domain Extensions (Intel TDX). | ||
|
|
||
| * __VMM__ - Virtual Machine manager or Hypervisor | ||
|
|
||
| * __Intel TDX-Module__ - A Intel specific module in its Trusted Computing Base, responsible for | ||
| operation and management of Trust Domains. It is designed to provide an interface to VMM to create, delete | ||
| and schedule execution of TDs. | ||
|
|
||
| * __TD Quoting Enclave__ - An Enclave whose role is to generate remote attestation quote for a TD. It may or may not be provided by Intel, however it is in TCB of the Platform as it is locally verified by Intel Platform Root of Trust. | ||
|
|
||
| * __Provisioning Ceritifation Enclave (PCE)__ - An Intel provided Enclave which is designed to act as a local, | ||
| Certification Authority for local TD Quoting Enclaves (i.e running on the same platform as each other). | ||
|
|
||
| * __Attestation Key(AK)__ - Attestation Key (AK) is the key used to sign the attestation quote generated by TD | ||
| Quoting Enclave. The AK is generated by TD Quoting Enclave. The Public part of AK and the TD Quoting details are provided by TD Quoting Enclave to PCE. This structure is then signed by a device and TCB specific signing key known | ||
| as Provisioning Certification Key (PCK), please see below for more details on PCK. | ||
|
|
||
| * __Provisioning Ceritifation Key(PCK)__ - A signing key available to Provisioning Certification Enclave(PCE). The key is unique to the processor package or platform instance and its TCB (HW and PCE). The public part of the key is distributed as a PCK Certificate. | ||
|
|
||
| * __Quote__ - A signed data structure used to provide an off-platform entity that an application enclave is | ||
| running with Intel SGX/TDX protections on a trusted Intel SGX/TDX enabled platform. | ||
|
|
||
| * __Security Version Number(SVN)__ - Version number of a component that indicates when security-related updates have been applied to the component. The SVN might not correlate with the functional version of the component. | ||
|
|
||
| * __TDX TCB__ - A set of components that forms the TDX Trusted Computing Base. This includes CPU HW level, Intel TDX Module Software and Attestation Enclaves, which includes TD Quoting Enclave and PCE. | ||
|
|
||
| ### Measurement Components of TDX TCB | ||
|
|
||
| Remote Attestation helps a remote provider(also known as relying party) have increased trustworthiness that the | ||
| software is running inside a TD, on a genuine, Intel-TDX system, and at a given security level (also known as | ||
| TCB version). For achieving this the following elements are measured | ||
|
||
|
|
||
| 1. TD Measurements provided by Intel-TDX Module. At TD creation, the Intel TDX-Module is designed to | ||
| initialize the measurement registers for the TD. As part of TD creation, the VMM would request the module | ||
| to add a set of pages to the TD. The module would then extend a static measurement register (TDMR), with the | ||
| measurements of initial pages added to TD alongwith its metadata. It also seeks to provide the TD a set of | ||
| run time extendable measurement registers (RTMR) that would be extended by the code in the TD with | ||
| measurements of additional code and data at runtime. | ||
|
|
||
| 2. SVNs of elements in TDX TCB provided by CPU HW. | ||
| Each element of Intel-TDX TCB would be assigned an SVN. A TCB is considered up-to-date if all | ||
| components of the TCB have SVNs >= threshold published by the author of the component(s). | ||
| For the hardware, these SVNs are known collectively as CPUSVN. The module is designed to be | ||
| in the TCB of the TD,and the module's SVN should also be reflected in the attestation. | ||
|
|
||
|
|
||
| 3. Measurement of Intel TDX Module. | ||
|
|
||
| ### Attestation Quote Signing | ||
|
|
||
| Attestation Quote from a TD is signed by TD Quoting Enclave using ECDSA Attestation Key (AK). | ||
|
||
| The Quoting Enclave generates AK. The hash of the public part of AK is included in _reportData_ | ||
| field of the Attestation Quote. The AK needs to be certified by an Intel SGX key rooted to platform HW. | ||
| For this Intel develops and signs an Enclave known as PCE. The key generated by the PCE is known as PCK key | ||
| whose private part (private key) is used to certify(sign) the attestation key. PCK public key, is published | ||
| by Intel as an X.509 Certificate format which is knwon as PCK Cert. | ||
|
|
||
| The AK as well as PCE Certification Data is then embedded in the Attestation Quote, as part of Signature Data. | ||
|
|
||
|
|
||
| ### TDX Quote Data Structure | ||
| #### TDX Quote Top Level Structure | ||
|
|
||
| The TDX data structure is known as V4 version of Quote data structure. | ||
|
|
||
| | Name | Size (in Bytes) | Type | Description | | ||
| | ------------------ | ------------------------ | ------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------- | | ||
| | Quote Header | 48 | Quote Header | Header of Quote data structure. This field is transparent (the user knows its internal structure). Is retained between various Quote versions. | | ||
| | | | | | | ||
| | Quote Body | 608 | Enclave Report Body | Report of the attested ISV/TD Enclave | | ||
| | | | | | | ||
| | Signature Data Len | 4 | Integer | Size of the Quote Signature Data structure | | ||
| | | | | | | ||
| | Signature | Max = 660 | Signature Dependent | Variable-length data containing the signature and supporting data. E.g. ECDSA 256-bit Quote Signature Data Structure | | ||
|
|
||
| #### TDX Quote Header | ||
|
|
||
| | Name | Size (in Bytes) | Type | Description | | ||
| | -------------------- | --------------- | ---------- | -------------------------------------------------------------- | | ||
| | version | 2 | Integer | The version this quote structure. | | ||
| | attestation key type | 2 | Integer | Describes the type of signature in the signature_data[] field. | | ||
| | tee type | 4 | Integer | Type of Trusted Execution Environment ( 0 = SGX, 0x81 = TDX) | | ||
| | reserved | 4 | Byte Array | | | ||
| | vendor id | 16 | UUID | Unique identifier of the QE Vendor. | | ||
| | user data | 20 | Byte Array | Custom attestation key owner data. | | ||
|
|
||
| ##### TDX Quote Body | ||
| | Name | Size (in Bytes) | Type | Description | | ||
| | --------------- | --------------- | ----------- | ------------------------------------------------------------------------------------------------------------ | | ||
| | TEE_TCB_SVN | 16 | | TEE_TCB_SVN Array | | ||
| | MRSEAM | 48 | SHA384_HASH | Measurement of the Intel-TDX(SEAM) module | | ||
| | MRSIGNERSEAM | 48 | SHA384_HASH | Measurement of SEAM Module Signer | | ||
| | SEAMATTRIBUTES | 8 | BYTE ARRAY | Additional Configuration Attributes for SEAM | | ||
| | | | | | | ||
| | TD ATTRIBUTES | 8 | BYTE ARRAY | TD's Attributes | | ||
| | XFAM | 8 | BIT MASK | A mask of CPU extended features, that the TD is allowed to use | | ||
| | MR_TD | 48 | SHA384_HASH | Static measurement of the TD build process and the initial contents of the TD | | ||
| | MR_CONFIG_ID | 48 | SHA384_HASH | | | ||
| | MR_OWNER | 48 | SHA384_HASH | Software-defined ID for the guest TD’s owner | | ||
| | MR_OWNER_CONFIG | 48 | SHA384_HASH | Software-defined ID for non-owner-defined configuration of the guest TD – e.g., run-time or OS configuration | | ||
| | RT_MR | 192 | SHA384_HASH | A bank of 4 Registers to measure additional logic and data pertaining to a TD | | ||
| | REPORT_DATA | 64 | BYTE ARRAY | TD supplied external data | | ||
|
|
||
|
|
||
|
|
||
| ##### TDX Quote Signature Structure | ||
|
|
||
| | Name | Size (in Bytes) | Type | Description | | ||
| | --------------------- | --------------- | ---------------------- | ---------------------------------------------------------------------------------------------- | | ||
| | Report Signature | 64 | ECDSA P-256 Signature | ECDSA signature over the Header and the Enclave Report calculated using ECDSA Attestation Key. | | ||
| | ECSA Attestation Key | 64 | ECDSA P-256 Public Key | Public part of the ECDSA Attestation Key generated by the Quoting Enclave. | | ||
| | QE Certification Data | Variable | Byte Array | Data required to verify the QE Report Signature | | ||
|
|
||
| * QE Certification Data | ||
|
|
||
| | Name | Size (in Bytes) | Type | Description | | ||
| | ------------------ | --------------- | ---- | -------------------------------------------------------------------------------------------------------------------------- | | ||
| | Certification Type | 2 | Integer | Determines type of data required to verify the QE Report Signature in the Quote Signature Data structure. Please see below | | ||
| | Certification Size | 4 | Integer | Size of Certification Data Field | | ||
| | Certification Data | Variable | Byte Array | PCK Leaf Cert/ PCK Cert Chain | | ||
|
|
||
| As of now, only PCK Cert Chain is supported by Intel SGX DCAP Library | ||
|
|
||
| ### TDX Trust Anchors and Reference Values Management | ||
|
|
||
| To assist the end-users to build attestation service, Intel has released a set of | ||
| [Intel-SGX Data Centre Primitives](https://github.com/intel/SGXDataCenterAttestationPrimitives) | ||
| for Linux and | ||
| [Certificate Retrieval Service](https://api.portal.trustedservices.intel.com/provisioning-certification) | ||
| that enables platform owners and users to retrieve certificates for | ||
| an Intel SGX enabled platform. | ||
|
|
||
| **Warning**: We think, the below set of API will need some modification to adjust to the new TDX Quote | ||
| Structure (V4) as detailed above. The documentation that follows in this section outlines the general | ||
| principle which will be followed to obtain the Trust Anchors and Reference Values for Intel-TDX enabled | ||
| platforms. | ||
|
|
||
| - Register Platform: | ||
| This API allows to register a multi-package SGX platform. If the registration is successful, then platform | ||
| provisioning root keys are stored in the back-end. | ||
|
|
||
| - Download the Provisioning Certificate Root CA Certificate: | ||
| Intel Root Certificate can be downloaded from the Intel provided web-site. | ||
|
|
||
| - Download PCK Certificates for a given Platform Manifest: | ||
| The Get PCK Certificates API allows requesting PCK Certificates for all configured TCB Levels | ||
| for a given platform using the given Platform Identifier or a Platform Manifest | ||
|
|
||
| - Get TDX TCB information: | ||
| Retrieve TDX TCB information for a given FMSPC. The identifier FMSPC can be obtained from the | ||
| retrieved PCK Certificate | ||
|
|
||
| The above information for a given Intel platform can be provisioned inside Veraison Store. The information can be cached and retrieved at the time of Verification to execute the Verification Algorithm given below. | ||
|
|
||
|
|
||
| ### TDX Quote Verification - Platform | ||
|
|
||
| #### Validating Evidence Integrity | ||
|
|
||
| * Verify the signature on the Quote using the AK supplied in the Quote Signature Structure | ||
|
|
||
| * Extract the PCK Certificate Chain from the supplied Quote | ||
|
|
||
| * Using the AK and PCK Cert Chain from the Quote, Verify that the AK and the Cert Chain is rooted fully to | ||
| the root certificate supplied from Intel | ||
|
|
||
| * Using PCK Certificate obtain the FMSPC Value for the given platform | ||
|
|
||
| 2. Comparing Reference Values | ||
|
|
||
| * From the Endorsement Store obtain TCB Information for the Platform. Specifically tdxtcbcomponents array. | ||
|
|
||
| * Compare all the SGX TCB Comp SVNs retrieved from PCK Certificate(1 to 16) with the corresponding values | ||
| of SVNs in tdxtcbcomponents array. If the Certificate SVN Values are greater that the ones stored in the Endorsement Store, the proceed below. Otherwise move to the next TCB Level. If none of them are greater then it indicates | ||
|
||
| Verification Failure. | ||
|
|
||
| * Compare all of the SVNs received in TEE TCB SVN Array retrieved from TD Report in Quote (index 0 to index 15) | ||
| with the corresponding values of SVNs in tdxtcbcomponents array of TCB Level. If all TEE TCB SVN in the TD Report are | ||
| greater than or equal to the corresponding values in TCB Level, read the status assigned to this TCB Level. | ||
| Otherwise move to the next item in the TCB Level List | ||
|
|
||
| * For the selected TCB Level, verify that the SVN at Index 1 inside tdxtcbcomponents array matches the value | ||
| of SVN at Index 1, in TEE TCB SV Array (from TD Report, in Quote). In case of mis-match the selected TCB level | ||
| should be rejected. | ||
|
|
||
| * If no TCB level matches between the PCK Certificate and TD Report, TCB Level is NOT supported and | ||
| Verification is deemed to be failed. | ||
|
|
||
| Please note that currently there is no documentation as to how one can obtain | ||
| MRSEAM (Measurement of Intel TDX Module), as part of provisioning. Hence no MRSEAM Comparision | ||
| is documented. This may change in future. | ||
|
|
||
| #### TDX Quote Verification - TD Specific | ||
|
|
||
| The TD specific Attestation Verification is specific to given deployment and could | ||
| be based on Relying Party Verification Policy. | ||
|
|
||
| ### REFERENCES | ||
|
|
||
| 1. [Intel-SGX Data Centre Primitives](https://github.com/intel/SGXDataCenterAttestationPrimitives) | ||
|
|
||
| 2. [Certificate Retrieval Service](https://api.portal.trustedservices.intel.com/provisioning-certification) | ||
|
|
||
| 3. [TDX Whitepaper](https://www.intel.com/content/dam/develop/external/us/en/documents/tdx-whitepaper-v4.pdf) | ||
|
|
||
| 4. [Intel® SGX PCK Certificate and Certificate Revocation List Profile Specification](https://api.trustedservices.intel.com/documents/Intel_SGX_PCK_Certificate_CRL_Spec-1.4.pdf) | ||
|
|
||
| 5. [intel-tdx-cpu-architectural-specification](https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&ved=2ahUKEwiU9M6E0o7_AhXYhVwKHXKlCNEQFnoECBMQAQ&url=https%3A%2F%2Fcdrdv2-public.intel.com%2F733582%2Fintel-tdx-cpu-architectural-specification.pdf&usg=AOvVaw0yAhhUbeVKKFrIgBy483T1) | ||
|
|
||
| 6. [intel-tdx-module-1.5-base-specification](https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&ved=2ahUKEwjN8t6h0o7_AhVKilwKHS3HBdIQFnoECBQQAQ&url=https%3A%2F%2Fcdrdv2-public.intel.com%2F733575%2Fintel-tdx-module-1.5-base-spec-348549002.pdf&usg=AOvVaw34T_omhp-W3zfY38woDIrd) | ||
|
|
||
| 7. [intel-tdx-module-abi-specification](https://www.intel.com/content/www/us/en/content-details/733579/intel-tdx-module-v1-5-abi-specification.html) | ||
|
|
||
| 8. [ECDSA Quote Library API](https://download.01.org/intel-sgx/latest/dcap-latest/linux/docs/Intel_SGX_ECDSA_QuoteLibReference_DCAP_API.pdf) | ||
|
|
||
| 9. [Intel SGX DCAP Orientation Guide](https://download.01.org/intel-sgx/sgx-dcap/1.14/linux/docs/DCAP_ECDSA_Orientation.pdf) | ||
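Review bot: The "Validating Evidence Integrity" steps never check the binding between the Attestation Key and the PCK certificate chain. The "Attestation Quote Signing" section says the hash of the AK public key is placed in the _reportData_ field and that the AK is certified (signed) by the PCK, and the QE Certification Data table describes its payload as "Data required to verify the QE Report Signature", yet the verification bullets only verify the Quote signature with the AK taken from the Quote itself and then check that the chain is "rooted fully to the root certificate supplied from Intel". With no step that verifies the QE Report signature using the PCK leaf certificate and no step that compares the hash of the AK from the Signature Structure against the _reportData_ of the QE Report, any self-generated AK paired with a genuine PCK chain would pass this section; please add those two checks between "Extract the PCK Certificate Chain from the supplied Quote" and the chain-rooting bullet, and state explicitly that the Quote signature must be verified over the Header and Quote Body, as the Report Signature row of the signature table already describes. In "Comparing Reference Values" the PCK certificate step uses a strict "greater that [sic] the ones stored in the Endorsement Store" while the TEE TCB SVN step uses "greater than or equal to"; the two thresholds should agree (and "that" should be "than"), and the control flow spread over "proceed below", "move to the next TCB Level" and "move to the next item in the TCB Level List" would be clearer as a single explicit iteration over the TCB Levels list in order, with the status read from the first level that satisfies both comparisons. Structurally, a bare "2. Comparing Reference Values" follows the "#### Validating Evidence Integrity" heading with no item 1, and "#### TDX Quote Verification - TD Specific" is nested as a sub-heading under "### TDX Quote Verification - Platform" rather than being its sibling. Minor: "ECSA Attestation Key" in the signature table should read "ECDSA", and "isloted", "Ceritifation", "knwon" and "Comparision" are typos.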