Overview
The configuration of the attestation infrastructure includes several steps:
Intel extends the existing Data Center Attestation Primitives (DCAP) to support remote attestation specifically for TDX. DCAP, a collection of software packages, is enhanced to facilitate the remote attestation process, ensuring compatibility and seamless integration with TDX technology.
Registration
Platform keys are generated during platform assembly and shared among CPU packages in multiple-package platforms. The CPU's unique hardware key encrypts these keys. Provisioning Certification Keys (PCKs) are derived from these platform keys and are utilized for certifying attestation keys. To enable the recognition of PCKs by the attestation infrastructure, they must be registered with the Intel Platform Configuration Service (PCS).
To register a platform, the PCK Cert ID Retrieval Tool is used to extract a manifest from the platform. This manifest contains crucial information about the CPU packages, such as CPU ID (128-bit), Security Version Number (SVN), and hardware TCB details. The Intel PCS examines the registration server request and verifies the good standing of the CPUs and TCB before issuing a PCK certificate. The manifest is signed using keys derived from the CPU package's hardware keys, and the Intel PCS ensures the validity of these signatures. Upon successful registration, the Intel PCS provides an Intel-issued certificate for the PCK.
Typically, in the Data Center Attestation Primitives (DCAP), a Provisioning Certification Caching service (PCCS) operates on the host platform to facilitate the retrieval of PCK certificates. This service can run on any suitable location within the platform. It forwards PCK requests from the PCK Cert ID Retrieval Tool to the Intel PCS and caches the received PCK certificates locally. The Intel PCS also supplies certificates and revocation lists for PCKs on all genuine Intel platforms, and the PCCS also maintains local caches of these artifacts.
Before registering, the platform must have appropriate UEFI/BIOS settings and access to the Intel PCS. Both TDX and SGX must be enabled in the UEFI/BIOS on the host platform. An Intel account is also required to obtain API keys to register the platform with the Intel PCS. If the PCCS is utilized, it should be configured with the necessary API keys and the address of the Intel PCS server.
Architectural Enclaves
Intel offers two architectural enclaves to enable quote generation on the platform: the Provisioning Certificate Enclave (PCE) and the Quoting Enclave (QE). The PCE serves as a local certification authority for the QE. During its initialization process, the QE generates a key pair for attestation purposes and shares the public part of the key with the PCE.
Upon receiving the QE's public key, the PCE performs authentication checks to ensure that the QE is a legitimate entity on the platform. Once verified, the PCE signs the attestation public key certificate using the Provisioning Certification Key (PCK). This signature establishes a quote certificate chain, linking the Intel-issued PCK certificate to the QE's attestation public key.
The PCK certificate is utilized to validate the authenticity of the QE's attestation public key certificate. In turn, the QE's attestation public key is used to verify the signature on the quote. This chain of verification ensures the integrity and trustworthiness of the generated quotes.
Attestion Flow
As the figure above, the attestation process involves several steps to ensure the authenticity and integrity of the TD on the TDX platform.
The remote party initiates an attestation request, providing a nonce for freshness and protection against replay attacks.
The attestation agent within the TDX platform retrieves a TD report from the TDX Module, incorporating the provided nonce as REPORTDATA.
The attestation agent then sends the TD report to the Quoting Enclave (QE) to request the attestation key's signature. Before signing the TD report, the QE verifies the platform's legitimacy to ensure the report's origin.
The attestation agent receives the signed quote from the QE and forwards it to the remote party.
The remote party needs the platform's Provisioning Certification Key (PCK) certificate to validate the quote. It may obtain the PCK certificate from a Provisioning Certification Caching Service (PCCS) (Step 5) or directly from the Intel Provisioning Certification Service (PCS) (Step 6).
The remote party performs several checks during the validation process. It verifies the presence of the nonce in the quote and ensures the integrity of the signature chain from the Intel-issued PCK certificate to the signed quote. It also examines the certificate chain for revocation and validates the TCB's currency. Additionally, the remote party verifies whether the measurements in the quote, such as MRTD and RTMR values, match a predefined set of reference values.
Upon successfully validating the quote, the remote party can trust that the TD has been securely instantiated on a genuine TDX platform.
Last updated