diff --git a/musings/intel-tdx-attestation.md b/musings/intel-tdx-attestation.md new file mode 100644 index 0000000..944f3e3 --- /dev/null +++ b/musings/intel-tdx-attestation.md 
@@ -0,0 +1,288 @@ +# Intel-TDX Attestation Details + +The purpose of this document is to explain Intel TDX attestation extensions and to understand how +Intel-TDX attestation scheme can be supported in Veraison. + +## Introduction + +Intel Trust Domain Extensions (Intel TDX) introduces new architectural elements to deploy hardware-isolated, +virtual machines (VMs) called trust domains (TDs). It is designed to isolate VMs from the Virtual Machine Manager +(VMM)/hypervisor and any other non-TD software on the platform to protect TDs from a broad range of software. + +## TDX Concepts + +### GLOSSARY + +* __Trust Domains (TDs)__ - Trust Domains are designed to be hardware isolated Virtual Machines (VMs) +deployed using Intel Trust Domain Extensions (Intel TDX). + +* __VMM__ - Virtual Machine manager or Hypervisor + +* __Intel TDX-Module__ - A Intel specific module in its Trusted Computing Base, responsible for +operation and management of Trust Domains. It is designed to provide an interface to VMM to create, delete +and schedule execution of TDs. + +* __TD Quoting Enclave__ - An Enclave whose role is to generate remote attestation quote for a TD. +It may or may not be provided by Intel, however it is in TCB of the Platform as it is locally +verified by Intel Platform Root of Trust. + +* __Provisioning Certification Enclave (PCE)__ - An Intel provided Enclave which is designed to act as a local, +Certification Authority for local TD Quoting Enclaves (i.e running on the same platform as each other). + +* __Attestation Key(AK)__ - Attestation Key (AK) is the key used to sign the attestation quote generated by TD +Quoting Enclave. The AK is generated by TD Quoting Enclave. The Public part of AK and the TD Quoting +details are provided by TD Quoting Enclave to PCE. This structure is then signed by a device and TCB specific +signing key known as Provisioning Certification Key (PCK), please see below for more details on PCK. 
+ +* __Provisioning Certification Key(PCK)__ - A signing key available to Provisioning Certification Enclave(PCE). +The key is unique to the processor package or platform instance and its TCB (HW and PCE). +The public part of the key is distributed as a PCK Certificate. + +* __Quote__ - A signed data structure used to provide an off-platform entity that an application enclave is +running with Intel SGX/TDX protections on a trusted Intel SGX/TDX enabled platform. + +* __Security Version Number(SVN)__ - Version number of a component that indicates when security-related updates +have been applied to the component. The SVN might not correlate with the functional version of the component. + +* __TDX TCB__ - A set of components that forms the TDX Trusted Computing Base. This includes CPU HW level, +Intel TDX Module Software and Attestation Enclaves, which includes TD Quoting Enclave and PCE. + +* __Family-Model-Stepping-Platform-Custom SKU (FMSPC)__ - Description of the processor package or +platform instance including its Family, Model, Stepping, Platform Type, and Customized SKU (if applicable). + +### Measurement Components of TDX TCB + +Remote Attestation helps a remote provider(also known as relying party) have increased confidence that the +software is running inside a TD, on a genuine, Intel-TDX system, and at a given security level (also known as +TCB version). To achieve this, the following elements are measured + +1. TD Measurements provided by Intel-TDX Module. At TD creation, the Intel TDX-Module is designed to +initialize the measurement registers for the TD. As part of TD creation, the VMM would request the module +to add a set of pages to the TD. The module would then extend a static measurement register (TDMR), with the +measurements of initial pages added to TD alongwith its metadata. 
It also seeks to provide the TD a set of +run time extendable measurement registers (RTMR) that would be extended by the code in the TD with +measurements of additional code and data at runtime. + +2. SVNs of elements in TDX TCB provided by CPU HW. +Each element of Intel-TDX TCB would be assigned an SVN. A TCB is considered up-to-date if all +components of the TCB have SVNs >= threshold published by the author of the component(s). +For the hardware, these SVNs are known collectively as CPUSVN. The module is designed to be +in the TCB of the TD,and the module's SVN should also be reflected in the attestation. + + +3. Measurement of Intel TDX Module. + +### Attestation Quote Signing + +Attestation Quote for a TD is signed by TD Quoting Enclave using ECDSA Attestation Key (AK). +The Quoting Enclave generates AK. The hash of the public part of AK is included in _reportData_ +field of the Attestation Quote. The AK needs to be certified by an Intel SGX key rooted to platform HW. +For this Intel develops and signs an Enclave known as PCE. The key generated by the PCE is known as PCK key +whose private part (private key) is used to certify(sign) the attestation key. PCK public key, is published +by Intel as an X.509 Certificate format which is known as PCK Cert. + +The AK as well as PCE Certification Data is then embedded in the Attestation Quote, as part of Signature Data. + + +### TDX Quote Data Structure +#### TDX Quote Top Level Structure + +The TDX data structure is known as V4 version of Quote data structure. + +| Name | Size (in Bytes) | Type | Description | +| ------------------ | ------------------------ | ------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------- | +| Quote Header | 48 | Quote Header | Header of Quote data structure. This field is transparent (the user knows its internal structure). Is retained between various Quote versions. 
| +| | | | | +| Quote Body | 608 | Enclave Report Body | Report of the attested ISV/TD Enclave | +| | | | | +| Signature Data Len | 4 | Integer | Size of the Quote Signature Data structure | +| | | | | +| Signature | Max = 660 | Signature Dependent | Variable-length data containing the signature and supporting data. E.g. ECDSA 256-bit Quote Signature Data Structure | + +#### TDX Quote Header + +| Name | Size (in Bytes) | Type | Description | +| -------------------- | --------------- | ---------- | -------------------------------------------------------------- | +| version | 2 | Integer | The version this quote structure. | +| attestation key type | 2 | Integer | Describes the type of signature in the signature_data[] field. | +| tee type | 4 | Integer | Type of Trusted Execution Environment ( 0 = SGX, 0x81 = TDX) | +| reserved | 4 | Byte Array | | +| vendor id | 16 | UUID | Unique identifier of the QE Vendor. | +| user data | 20 | Byte Array | Custom attestation key owner data. | + +##### TDX Quote Body +| Name | Size (in Bytes) | Type | Description | +| --------------- | --------------- | ----------- | ------------------------------------------------------------------------------------------------------------ | +| TEE_TCB_SVN | 16 | | TEE_TCB_SVN Array | +| MRSEAM | 48 | SHA384_HASH | Measurement of the Intel-TDX(SEAM) module | +| MRSIGNERSEAM | 48 | SHA384_HASH | Measurement of SEAM Module Signer | +| SEAMATTRIBUTES | 8 | BYTE ARRAY | Additional Configuration Attributes for SEAM | +| | | | | +| TD ATTRIBUTES | 8 | BYTE ARRAY | TD's Attributes | +| XFAM | 8 | BIT MASK | A mask of CPU extended features, that the TD is allowed to use | +| MR_TD | 48 | SHA384_HASH | Static measurement of the TD build process and the initial contents of the TD | +| MR_CONFIG_ID | 48 | SHA384_HASH | | +| MR_OWNER | 48 | SHA384_HASH | Software-defined ID for the guest TD’s owner | +| MR_OWNER_CONFIG | 48 | SHA384_HASH | Software-defined ID for non-owner-defined configuration of the 
guest TD – e.g., run-time or OS configuration | +| RT_MR | 192 | SHA384_HASH | A bank of 4 Registers to measure additional logic and data pertaining to a TD | +| REPORT_DATA | 64 | BYTE ARRAY | TD supplied external data | + + + +##### TDX Quote Signature Structure + +| Name | Size (in Bytes) | Type | Description | +| --------------------- | --------------- | ---------------------- | ---------------------------------------------------------------------------------------------- | +| Report Signature | 64 | ECDSA P-256 Signature | ECDSA signature over the Header and the Enclave Report calculated using ECDSA Attestation Key. | +| ECSA Attestation Key | 64 | ECDSA P-256 Public Key | Public part of the ECDSA Attestation Key generated by the Quoting Enclave. | +| QE Certification Data | Variable | Byte Array | Data required to verify the QE Report Signature | + +* QE Certification Data + +| Name | Size (in Bytes) | Type | Description | +| ------------------ | --------------- | ---- | -------------------------------------------------------------------------------------------------------------------------- | +| Certification Type | 2 | Integer | Determines type of data required to verify the QE Report Signature in the Quote Signature Data structure. Please see below | +| Certification Size | 4 | Integer | Size of Certification Data Field | +| Certification Data | Variable | Byte Array | PCK Leaf Cert/ PCK Cert Chain | + +As of now, only PCK Cert Chain is supported by Intel SGX DCAP Library + +### TDX Trust Anchors and Reference Values Management + +To assist the end-users to build attestation service, Intel has released a set of +[Intel-SGX Data Centre Primitives](https://github.com/intel/SGXDataCenterAttestationPrimitives) +for Linux and +[Certificate Retrieval Service](https://api.portal.trustedservices.intel.com/provisioning-certification) +that enables platform owners and users to retrieve certificates for +an Intel SGX/TDX enabled platform. 
+ +**Warning**: We think, the below set of API will need some modification to adjust to the new TDX Quote +Structure (V4) as detailed above. The documentation that follows in this section outlines the general +principle which will be followed to obtain the Trust Anchors and Reference Values for Intel-TDX enabled +platforms. + +- Register Platform: +This API allows to register a multi-package SGX platform. If the registration is successful, then platform +provisioning root keys are stored in the back-end. + +- Download the Provisioning Certificate Root CA Certificate: +Intel Root Certificate can be downloaded from the Intel provided web-site. + +- Download PCK Certificates for a given Platform Manifest: +The Get PCK Certificates API allows requesting PCK Certificates for all configured TCB Levels +for a given platform using the given Platform Identifier or a Platform Manifest + +- Download Certificate Revocation List (CRL) using the Get Revocation List API +Identify the CA that issued the requested CRL. Allowed values are "processor" or "platform" + +- Get TDX TCB information: +Retrieve TDX TCB information for a given FMSPC. The identifier FMSPC can be obtained from the +retrieved PCK Certificate + +The above information for a given Intel platform can be provisioned inside Veraison Store. The +information can be cached and retrieved at the time of Verification to execute the +Verification Algorithm given below. + + +### TDX Quote Verification - Platform + +1. 
Validating Evidence Integrity + +* Verify the signature on the Quote using the AK supplied in the Quote Signature Structure + +* Extract the PCK Certificate Chain from the supplied Quote + +* Using the AK and PCK Cert Chain from the Quote, Verify that the AK and the Cert Chain is rooted fully to +the root certificate supplied from Intel + +* Verify that none of the certificates in the chain are present in the CRL list for the specific platform + +* Using PCK Certificate obtain the FMSPC Value for the given platform + +2. Comparing Reference Values + +* From the Quote, obtain the PCK Certificate and retrieve FMSPC value (from Certificate) for the given platform. + +* Using FMSPC fetch the TDX TCB Information for the Platform (either cached or invoking the API) + +* Compare all the SGX TCB Comp SVNs retrieved from PCK Certificate(1 to 16) with the corresponding values +of SVNs in sgxtcbcomponents array. If the Certificate SVN Values are greater or equal to the ones +stored in the Endorsement Store, then proceed below. Otherwise move to the next TCB Level in the list. If none of +the TCB Levels are greater then it indicates Verification Failure. + +* Compare PCESVN value retrieved from the SGX PCK certificate with the corresponding value in the TCB Level. If it is greater or equal to the value in TCB Level, move to next verification step, otherwise move to the next item on the TCB Level list. + +* Compare all of the SVNs received in TEE TCB SVN Array retrieved from TD Report in Quote (index 0 to index 15) +with the corresponding values of SVNs in tdxtcbcomponents array of TCB Level. If all TEE TCB SVN in the TD Report are +greater than or equal to the corresponding values in TCB Level, read the status assigned to this TCB Level. +Otherwise move to the next item in the TCB Level List + +* For the selected TCB Level, verify that the SVN at Index 1 inside tdxtcbcomponents array matches the value +of SVN at Index 1, in TEE TCB SV Array (from TD Report, in Quote). 
In case of mis-match the selected TCB level +should be rejected. + +* If no TCB level matches between the PCK Certificate and TD Report, TCB Level is NOT supported and +Verification is deemed to be failed. + +Please note that currently there is no documentation as to how one can obtain +MRSEAM (Measurement of Intel TDX Module), as part of provisioning. Hence no MRSEAM Comparision +is documented. This may change in future. + +#### TDX Quote Verification - TD Specific + +The TD specific Attestation Verification is specific to given deployment and could +be based on Relying Party Verification Policy. + +### TDX TCB LifeCycle +Once a TDX platform is deployed, the TCB components can be either patched or updated. +This may be required to mitigate specific vulnerability or otherwise addressed by an update +to the platform. The process of updating the platform attestation to reflect the update is called +TCB Recovery. A new attestation key may be created to reflect the update in the platform's +attestation. The new TCB would be reflected in the attestations that occur following the replacement +of the attestation key. + +Intel TDX Architecture has several levels of TCB: + +* CPU HW level +* Intel TDX Module software +* Attestation Enclaves which include TD Quoting Enclave and Provisioning Certification Enclave + +As part of patching, or an update, there are two cases. + +1. Patches/Updates do not require new PCK Certificates + +In this case, existing TCB Level Elements are modified. Issue date and version are updated. +In order for the caller of the Get TDX TCB information API to become aware of the change, +every API call returns a `tcbEvaluationDataNumber`. This is a monotonically increasing +sequence number which changes when Intel updates content of the TCB evaluation data set +(for example TCB Info, QE Identity etc.) This sequence number allows users to easily determine +when a particular TCB Info/QE Identity supesedes another TCB Info/QE Identity. 
+Caller is expected to retain this number in the database. + +2.Updates that require new PCK Certificates +When a update to a platform needs new PCK Certificate and its chain, Intel regenerates +new PCK Certificates, Inserts New TCB Level Elements, Updates Issue Date and Version + +In both 1 and 2 above, Intel publish Security Announcement (SA) via TCB Recovery Public Disclosure Email +to notify about the new patch/update. + + +### REFERENCES + +1. [Intel-SGX Data Centre Primitives](https://github.com/intel/SGXDataCenterAttestationPrimitives) + +2. [Certificate Retrieval Service](https://api.portal.trustedservices.intel.com/provisioning-certification) + +3. [TDX Whitepaper](https://www.intel.com/content/dam/develop/external/us/en/documents/tdx-whitepaper-v4.pdf) + +4. [Intel® SGX PCK Certificate and Certificate Revocation List Profile Specification](https://api.trustedservices.intel.com/documents/Intel_SGX_PCK_Certificate_CRL_Spec-1.4.pdf) + +5. [intel-tdx-cpu-architectural-specification](https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&ved=2ahUKEwiU9M6E0o7_AhXYhVwKHXKlCNEQFnoECBMQAQ&url=https%3A%2F%2Fcdrdv2-public.intel.com%2F733582%2Fintel-tdx-cpu-architectural-specification.pdf&usg=AOvVaw0yAhhUbeVKKFrIgBy483T1) + +6. [intel-tdx-module-1.5-base-specification](https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&ved=2ahUKEwjN8t6h0o7_AhVKilwKHS3HBdIQFnoECBQQAQ&url=https%3A%2F%2Fcdrdv2-public.intel.com%2F733575%2Fintel-tdx-module-1.5-base-spec-348549002.pdf&usg=AOvVaw34T_omhp-W3zfY38woDIrd) + +7. [intel-tdx-module-abi-specification](https://www.intel.com/content/www/us/en/content-details/733579/intel-tdx-module-v1-5-abi-specification.html) + +8. [ECDSA Quote Library API](https://download.01.org/intel-sgx/latest/dcap-latest/linux/docs/Intel_SGX_ECDSA_QuoteLibReference_DCAP_API.pdf) + +9. [Intel SGX DCAP Orientation Guide](https://download.01.org/intel-sgx/sgx-dcap/1.14/linux/docs/DCAP_ECDSA_Orientation.pdf) \ No newline at end of file
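Review bot: the verification algorithm under "TDX Quote Verification - Platform" never checks the binding between the Attestation Key and the PCK certificate, so the trust chain as written stops at the AK: step 1 verifies the Quote signature with the AK "supplied in the Quote Signature Structure" and then jumps to "Verify that the AK and the Cert Chain is rooted fully to the root certificate", but no step says what ties that AK to the PCK. The "Attestation Quote Signing" section states that the PCK private key "is used to certify(sign) the attestation key" and that "The hash of the public part of AK is included in _reportData_ field of the Attestation Quote", yet the Quote Body table defines REPORT_DATA as "TD supplied external data", and the Quote Signature Structure table lists only Report Signature, the AK and QE Certification Data, whose description refers to a "QE Report Signature" that appears in no row. Suggest adding the QE Report and QE Report Signature rows to that table (it is the QE Report's report data, not the TD report's, that carries the AK hash), stating that explicitly in the signing section, and extending step 1 with: verify the QE Report signature with the PCK leaf public key, then check that the hash of the AK carried in the Quote matches the QE Report's report data. Related gap: the TCB lifecycle text relies on "QE Identity" ("TCB Info, QE Identity etc."), but neither the Trust Anchors bullet list nor the verification steps retrieve or check a QE Identity; either add a "Get QE Identity" bullet and a step comparing the QE Report against it, or drop the reference. The size columns are inconsistent: the Quote Body rows sum to 584 bytes (16+48+48+8+8+8+48+48+48+48+192+64), not the 608 in the top-level table, and "Signature | Max = 660" cannot hold when the same section says Certification Data is "Variable" and carries a "PCK Leaf Cert/ PCK Cert Chain". Smaller fixes: "ECSA Attestation Key" -> "ECDSA Attestation Key", "TEE TCB SV Array" -> "TEE TCB SVN Array", "alongwith", "Comparision", "supesedes", "2.Updates", "A Intel specific"; the linked repository is SGXDataCenterAttestationPrimitives, so the link text "Intel-SGX Data Centre Primitives" (used twice) drops "Attestation" and misspells Center; and references 5 and 6 are Google redirect URLs that should point directly at the cdrdv2-public.intel.com documents they wrap.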