EAT profile for Intel® Trust Domain Extensions (TDX) attestation result

EAT profile for Intel® Trust Domain Extensions (TDX) attestation result Microsoft

gkostal@microsoft.com

Microsoft

sindhuri.dittakavi@microsoft.com

Intel

raghuram.yeluri@intel.com

Intel

haidong.xia@intel.com

Intel

jerry.yu@intel.com

Security Remote ATtestation ProcedureS Internet-Draft Intel® Trust Domain Extensions (TDX) introduces architectural elements designed for the deployment of hardware-isolated virtual machines (VMs) known as trust domains (TDs). TDX is designed to provide a secure and isolated environment for running sensitive workloads or applications. This Entity Attestation Token (EAT) profile outlines claims for an Intel TDX attestation result which facilitate the establishment of trust between a relying party and the environment.

Introduction This profile outlines claims for an Intel® Trust Domain Extensions attestation result, generated as an Entity Attestation Token in a signed JSON Web Token format using JOSE header. It doesn't contain nested tokens or a detached EAT bundle. The profile allows signing of the JWT token using RSA cryptographic algorithm. To facilitate verification of the signed JWT tokens, the verifier can expose the trusted token signing certificates using an OpenID metadata endpoint. In accordance with the standards outlined in the JSON Web Signature specification, the receiver of the profile can use the certificate with key ID (kid) matching the kid parameter in the attestation token header for performing signature verification.

Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

TDX profile claims This profile encompasses claims from the IETF JWT specification, the EAT specification and Intel's TDX specification.

JWT claims The complete definitions of the following claims are available in the specification.

iat: The "iat" (issued at) claim identifies the time at which the JWT was issued.
exp: The "exp" (expiration time) claim identifies the expiration time on or after which the JWT MUST NOT be accepted for processing.
iss: The "iss" (issuer) claim identifies the principal that issued the JWT.
jti: The "jti" (JWT ID) claim provides a unique identifier for the JWT.
nbf: The "nbf" (not before) claim identifies the time before which the JWT MUST NOT be accepted for processing.

EAT claims The complete definitions of the following claims are available in the specification.

eat_profile: The "eat_profile" claim identifies an EAT profile by either a URL or an OID.
dbgstat: The "dbgstat" claim applies to entity-wide or submodule-wide debug facilities of the entity like and diagnostic hardware built into chips.
intuse: The "intuse" claim provides an indication to an EAT consumer about the intended usage of the token.
eat_nonce: An EAT nonce is either a byte or text string or an array of byte or text strings. The array option supports multistage EAT verification and consumption.

TDX claims The complete definitions of the following claims are available in section A.3.2 TD Quote Body of .

tdx_mrsignerseam: A 96-character hexadecimal string that represents a byte array of length 48 containing the measurement of the TDX module signer.
tdx_mrseam: A 96-character hexadecimal string that represents a byte array of length 48 containing the measurement of the TDX module.
tdx_mrtd: A 96-character hexadecimal string that represents a byte array of length 48 containing the measurement of the initial contents of the TDX.
tdx_rtmr0: A 96-character hexadecimal string that represents a byte array of length 48 containing the runtime extendable measurement register.
tdx_rtmr1: A 96-character hexadecimal string that represents a byte array of length 48 containing the runtime extendable measurement register.
tdx_rtmr2: A 96-character hexadecimal string that represents a byte array of length 48 containing the runtime extendable measurement register.
tdx_rtmr3: A 96-character hexadecimal string that represents a byte array of length 48 containing the runtime extendable measurement register.
tdx_mrconfigid: A 96-character hexadecimal string that represents a byte array of length 48 containing the software-defined ID for non-owner-defined configuration of the TDX, e.g., runtime or Operating System (OS) configuration.
tdx_mrowner: A 96-character hexadecimal string that represents a byte array of length 48 containing the software-defined ID for the TDX's owner.
tdx_mrownerconfig: A 96-character hexadecimal string that represents a byte array of length 48 containing the software-defined ID for owner-defined configuration of the TDX, e.g., specific to the workload rather than the runtime or OS.
tdx_report_data: A 128-character hexadecimal string that represents a byte array of length 64. In this context, the TDX has the flexibility to include 64 bytes of custom data in a TDX Report. For instance, this space can be used to hold a nonce, a public key, or a hash of a larger block of data.
tdx_seam_attributes: A 16 character hexadecimal string that represents a byte array of length 8 containing additional configuration of the TDX module.
tdx_tee_tcb_svn: A 32 character hexadecimal string that represents a byte array of length 16 describing Trusted Computing Base (TCB) Security Version Numbers (SVNs) of the TDX.
tdx_xfam: A 16 character hexadecimal string that represents a byte array of length 8 containing a mask of CPU extended features that the TDX is allowed to use.
tdx_seamsvn: A number that represents the Intel TDX module SVN. The complete definition of the claim is available in section 3.1 SEAM_SIGSTRUCT: INTEL® TDX MODULE SIGNATURE STRUCTURE of the specification.
tdx_td_attributes: A 16 character hexadecimal string that represents a byte array of length 8. These are the attributes associated with the Trust Domain (TD). The complete definitions of the claims mentioned below are available in section A.3.4. TD Attributes of .
tdx_td_attributes_debug: A boolean value that indicates whether the TD runs in TD debug mode (set to 1) or not (set to 0). In TD debug mode, the CPU state and private memory are accessible by the host VMM.
tdx_td_attributes_key_locker: A boolean value that indicates whether the TD is allowed to use Key Locker.
tdx_td_attributes_perfmon: A boolean value that indicates whether the TD is allowed to use Perfmon and PERF_METRICS capabilities.
tdx_td_attributes_protection_keys: A boolean value that indicates whether the TD is allowed to use Supervisor Protection Keys.
tdx_td_attributes_septve_disable: A boolean value that determines whether to disable EPT violation conversion to #VE on TD access of PENDING pages.

Attester claims

attester_advisory_ids: Array of Advisory IDs referring to Intel security advisories that provide insight into the reason(s) for the value of tcbStatus of the platform TCB level being evaluated. See advisoryIDs in .
attester_tcb_status: A string value that represents the TCB level status of the platform being evaluated. See tcbStatus in .

IANA Considerations

JWT claims registered by this document This specification adds the following values to the "JSON Web Token Claims" registry established by the JWT specification IANA is requested to register the following claims. ----------------------------------------------- Claim Name: tdx_mrsignerseam Claim Description: TDX module signer Specification Document(s): This document ----------------------------------------------- Claim Name: tdx_mrseam Claim Description: Measurement of the TDX module Specification Document(s): This document ----------------------------------------------- Claim Name: tdx_mrtd Claim Description: Measurement of the TDX initial contents Specification Document(s): This document ----------------------------------------------- Claim Name: tdx_rtmr0 Claim Description: Runtime extendable measurement register Specification Document(s): This document ----------------------------------------------- Claim Name: tdx_rtmr1 Claim Description: Runtime extendable measurement register Specification Document(s): This document ----------------------------------------------- Claim Name: tdx_rtmr2 Claim Description: Runtime extendable measurement register Specification Document(s): This document ----------------------------------------------- Claim Name: tdx_rtmr3 Claim Description: Runtime extendable measurement register Specification Document(s): This document ----------------------------------------------- Claim Name: tdx_mrconfigid Claim Description: Software-defined ID for non-owner-defined configuration of the TDX Specification Document(s): This document ----------------------------------------------- Claim Name: tdx_mrowner Claim Description: Software-defined ID for the TDX's owner Specification Document(s): This document ----------------------------------------------- Claim Name: tdx_mrownerconfig Claim Description: Software-defined ID for owner-defined configuration of the TDX Specification Document(s): This document ----------------------------------------------- Claim Name: tdx_report_data Claim Description: Custom data in the TDX Report Specification Document(s): This document ----------------------------------------------- Claim Name: tdx_seam_attributes Claim Description: Additional configuration of the TDX module Specification Document(s): This document ----------------------------------------------- Claim Name: tdx_tee_tcb_svn Claim Description: Trusted Computing Base (TCB) Security Version Numbers (SVNs) of the TDX Specification Document(s): This document ----------------------------------------------- Claim Name: tdx_xfam Claim Description: Mask of CPU extended features that the TDX is allowed to use Specification Document(s): This document ----------------------------------------------- Claim Name: tdx_seamsvn Claim Description: The TDX module Security Version Number (SVN) Specification Document(s): This document ----------------------------------------------- Claim Name: tdx_td_attributes Claim Description: Attributes associated with the Trust Domain (TD) Specification Document(s): This document ----------------------------------------------- Claim Name: tdx_td_attributes_debug Claim Description: Indicates whether the TD runs in TD debug mode (set to 1) or not (set to 0) Specification Document(s): This document ----------------------------------------------- Claim Name: tdx_td_attributes_key_locker Claim Description: Indicates whether the TD is allowed to use Key Locker Specification Document(s): This document ----------------------------------------------- Claim Name: tdx_td_attributes_perfmon Claim Description: Indicates whether the TD is allowed to use Perfmon and PERF_METRICS capabilities Specification Document(s): This document ----------------------------------------------- Claim Name: tdx_td_attributes_protection_keys Claim Description: Indicates whether the TD is allowed to use Supervisor Protection Keys Specification Document(s): This document ----------------------------------------------- Claim Name: tdx_td_attributes_septve_disable Claim Description: Determines whether to disable EPT violation conversion to #VE on TD access of PENDING pages Specification Document(s): This document ----------------------------------------------- Claim Name: attester_advisory_ids Claim Description: Intel security advisories that provide insight into the reason(s) for the value of tcbStatus of the platform TCB level being evaluated Specification Document(s): This document ----------------------------------------------- Claim Name: attester_tcb_status Claim Description: TCB level status of the platform being evaluated Specification Document(s): This document -----------------------------------------------

Security Considerations This specification re-uses the EAT and JWT specifications. Hence, the security and privacy considerations of those specifications apply here as well. Additionally, the security considerations as described in apply here too.

References Normative References The Entity Attestation Token (EAT) Security Theory LLC Qualcomm Technologies Inc. Qualcomm Technologies Inc. Red Hound Software, Inc. JSON Web Token (JWT) Security Theory LLC Qualcomm Technologies Inc. Qualcomm Technologies Inc. JSON Web Signature (JWS) Security Theory LLC Qualcomm Technologies Inc. Qualcomm Technologies Inc. Intel® Trust Domain Extensions Intel Intel® SGX and Intel® TDX Registration Service for Scalable Platforms Intel Intel® Trust Domain Extensions Data Center Attestation Primitives (Intel® TDX DCAP): Quote Generation Library and Quote Verification Library Intel Intel® Trust Domain Extensions - SEAM Loader (SEAMLDR) Interface Specification Intel Informative References IEEE Standard for Reduced-Pin and Enhanced-Functionality Test Access Port and Boundary-Scan Architecture Microsoft Azure Attestation Microsoft Intel® Trust Authority Intel EAT profile of Microsoft Azure Attestation Microsoft EAT profile of Intel® Trust Authority Intel Intel TDX Security Guidance Intel

Examples

TDX attestation token by Intel® Trust Authority Below is a sample TDX attestation token generated by Intel® Trust Authority which includes claims from this EAT profile. The definitions of the token claims can be found in .

TDX attestation token by Microsoft Azure Attestation Below is a sample TDX attestation token generated by Microsoft Azure Attestation which includes claims from this EAT profile. The definitions of the token claims can be found in .

Acknowledgements Thanks to Dave Thaler for offering guidance in drafting and publishing the profile.