Internet-Draft TDX EAT profile December 2024
Kostal, et al. Expires 16 June 2025 [Page]
Workgroup:
Remote ATtestation ProcedureS
Internet-Draft:
draft-kdyxy-rats-tdx-eat-profile-02
Published:
Intended Status:
Informational
Expires:
Authors:
G. Kostal
Microsoft
S. Dittakavi
Microsoft
R. Yeluri
Intel
H. Xia
Intel
J. Yu
Intel

EAT profile for Intel® Trust Domain Extensions (TDX) attestation result

Abstract

Intel® Trust Domain Extensions (TDX) introduce architectural elements designed for the deployment of hardware-isolated virtual machines (VMs) known as trust domains (TDs). TDX is designed to provide a secure and isolated environment for running sensitive workloads or applications. This Entity Attestation Token (EAT) profile outlines claims for an Intel TDX attestation result which facilitate the establishment of trust between a relying party and the environment.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 16 June 2025.

Table of Contents

1. Introduction

This profile outlines claims for an Intel® Trust Domain Extensions [TDX] attestation result, generated as an Entity Attestation Token [EAT] in a signed JSON Web Token [JWT] format using JOSE header. It doesn't contain nested tokens or a detached EAT bundle. The profile allows signing of the JWT token using RSA cryptographic algorithm. To facilitate verification of the signed JWT tokens, the verifier can expose the trusted token signing certificates using an OpenID metadata endpoint. In accordance with the standards outlined in the JSON Web Signature [JWS] specification, the receiver of the profile can use the certificate with key ID (kid) matching the kid parameter in the attestation token header for performing signature verification.

2. Requirements Language

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

3. TDX profile claims

This profile encompasses claims from the IETF JWT specification, the EAT specification and Intel's TDX specification.

3.1. JWT claims

The complete definitions of the following claims are available in the [JWT] specification.

iat
The "iat" (issued at) claim identifies the time at which the JWT was issued.
exp
The "exp" (expiration time) claim identifies the expiration time on or after which the JWT MUST NOT be accepted for processing.
iss
The "iss" (issuer) claim identifies the principal that issued the JWT.
jti
The "jti" (JWT ID) claim provides a unique identifier for the JWT.
nbf
The "nbf" (not before) claim identifies the time before which the JWT MUST NOT be accepted for processing.

3.2. EAT claims

The complete definitions of the following claims are available in the [EAT] specification.

eat_profile
The "eat_profile" claim identifies an EAT profile by either a URL or an OID.
dbgstat
The "dbgstat" claim applies to entity-wide or submodule-wide debug facilities of the entity like [JTAG] and diagnostic hardware built into chips.
intuse
The "intuse" claim provides an indication to an EAT consumer about the intended usage of the token.
eat_nonce
An EAT nonce is either a byte or text string or an array of byte or text strings. The array option supports multistage EAT verification and consumption.

3.3. TDX claims

The complete definitions of the following claims are available in section A.3.2 TD Quote Body of [TDX-DCAP-Quoting-Library].

tdx_mrsignerseam
A 96-character hexadecimal string that represents a byte array of length 48 containing the measurement of the TDX module signer.
tdx_mrseam
A 96-character hexadecimal string that represents a byte array of length 48 containing the measurement of the TDX module.
tdx_mrtd
A 96-character hexadecimal string that represents a byte array of length 48 containing the measurement of the initial contents of the TDX.
tdx_rtmr0
A 96-character hexadecimal string that represents a byte array of length 48 containing the runtime extendable measurement register.
tdx_rtmr1
A 96-character hexadecimal string that represents a byte array of length 48 containing the runtime extendable measurement register.
tdx_rtmr2
A 96-character hexadecimal string that represents a byte array of length 48 containing the runtime extendable measurement register.
tdx_rtmr3
A 96-character hexadecimal string that represents a byte array of length 48 containing the runtime extendable measurement register.
tdx_mrconfigid
A 96-character hexadecimal string that represents a byte array of length 48 containing the software-defined ID for non-owner-defined configuration of the TDX, e.g., runtime or Operating System (OS) configuration.
tdx_mrowner
A 96-character hexadecimal string that represents a byte array of length 48 containing the software-defined ID for the TDX's owner.
tdx_mrownerconfig
A 96-character hexadecimal string that represents a byte array of length 48 containing the software-defined ID for owner-defined configuration of the TDX, e.g., specific to the workload rather than the runtime or OS.
tdx_report_data
A 128-character hexadecimal string that represents a byte array of length 64. In this context, the TDX has the flexibility to include 64 bytes of custom data in a TDX Report. For instance, this space can be used to hold a nonce, a public key, or a hash of a larger block of data.
tdx_seam_attributes
A 16 character hexadecimal string that represents a byte array of length 8 containing additional configuration of the TDX module.
tdx_tee_tcb_svn
A 32 character hexadecimal string that represents a byte array of length 16 describing Trusted Computing Base (TCB) Security Version Numbers (SVNs) of the TDX.
tdx_xfam
A 16 character hexadecimal string that represents a byte array of length 8 containing a mask of CPU extended features that the TDX is allowed to use.
tdx_seamsvn
A number represents the Intel TDX module SVN, which is represented with the first 2 bytes of the TEE_TCB_SVN byte array.
tdx_td_attributes
A 16 character hexadecimal string that represents a byte array of length 8. These are the attributes associated with the Trust Domain (TD). The complete definitions of the claims mentioned below are available in section A.3.4. TD Attributes of [TDX-DCAP-Quoting-Library].
tdx_td_attributes_debug
A boolean value that indicates whether the TD runs in TD debug mode (set to 1) or not (set to 0). In TD debug mode, the CPU state and private memory are accessible by the host VMM.
tdx_td_attributes_key_locker
A boolean value that indicates whether the TD is allowed to use Key Locker.
tdx_td_attributes_perfmon
A boolean value that indicates whether the TD is allowed to use Perfmon and PERF_METRICS capabilities.
tdx_td_attributes_protection_keys
A boolean value that indicates whether the TD is allowed to use Supervisor Protection Keys.
tdx_td_attributes_septve_disable
A boolean value that determines whether to disable EPT violation conversion to #VE on TD access of PENDING pages.

3.4. Attester claims

attester_advisory_ids
Array of Advisory IDs referring to Intel security advisories that provide insight into the reason(s) for the value of tcbStatus of the platform TCB level being evaluated. See advisoryIDs in [TDX-API-Portal].
attester_tcb_status
A string value that represents the TCB level status of the platform being evaluated. See tcbStatus in [TDX-API-Portal].

4. Profiles

This document defines a baseline with common requirements that all TDX profiles must satisfy.

4.1. Baseline Profile

4.1.1. Token Encoding and Signing

The TDX attestation token is encoded in signed JSON Web Token [JWT] format.

Cryptographic protection is obtained by encapsulating the TDX attestation token claims-set in JWT which is built on top of the IETF JOSE standard.

Acknowledging the variety of markets, regulations and use cases in which the TDX attestation token can be used, the baseline profile does not impose any strong requirement on the cryptographic algorithms that need to be supported by verifiers and relying parties. The flexibility provided by the JOSE format should be sufficient to deal with the level of cryptographic agility needed to adapt to specific use cases. It is RECOMMENDED that commonly adopted algorithms are used, such as those discussed in [JOSE-ALGS]. It is expected that relying parties will accept a wider range of algorithms, while verifiers would produce TDX tokens using only one such algorithm.

As an attestation result format, a TDX token is always directly signed by the TDX verifier. Therefore, a TDX claims-set is never carried in a Detached EAT bundle.

4.1.2. Freshness Model

The TDX Token supports freshness models for attestation evidence based on nonces (Section 10.2 of [RATS-Architecture]) using the eat_nonce claim. No further assumption on the specific remote attestation protocol is made.

4.1.3. Synopsis

Table below presents a concise view of the requirements described in the preceding sections.

Table 1: Baseline Profile
Issue Profile Definition
CBOR/JSON JSON MUST be used
JOSE Protection TDX profile produces signed JWT
Algorithms [JOSE-ALGS] should be used
Detached EAT Bundle Usage Detached EAT bundles MUST NOT be sent
Verification Key Identification JWS Key ID method as listed in Section F.1.1 in [EAT]
Freshness eat_nonce
Claims Those defined in Section 3 of this document

5. IANA Considerations

5.1. JWT claims registered by this document

This specification adds the following values to the "JSON Web Token Claims" registry established by the JWT specification

IANA is requested to register the following claims.

-----------------------------------------------

Claim Name: tdx_mrsignerseam

Claim Description: TDX module signer

Specification Document(s): This document

-----------------------------------------------

Claim Name: tdx_mrseam

Claim Description: Measurement of the TDX module

Specification Document(s): This document

-----------------------------------------------

Claim Name: tdx_mrtd

Claim Description: Measurement of the TDX initial contents

Specification Document(s): This document

-----------------------------------------------

Claim Name: tdx_rtmr0

Claim Description: Runtime extendable measurement register

Specification Document(s): This document

-----------------------------------------------

Claim Name: tdx_rtmr1

Claim Description: Runtime extendable measurement register

Specification Document(s): This document

-----------------------------------------------

Claim Name: tdx_rtmr2

Claim Description: Runtime extendable measurement register

Specification Document(s): This document

-----------------------------------------------

Claim Name: tdx_rtmr3

Claim Description: Runtime extendable measurement register

Specification Document(s): This document

-----------------------------------------------

Claim Name: tdx_mrconfigid

Claim Description: Software-defined ID for non-owner-defined configuration of the TDX

Specification Document(s): This document

-----------------------------------------------

Claim Name: tdx_mrowner

Claim Description: Software-defined ID for the TDX's owner

Specification Document(s): This document

-----------------------------------------------

Claim Name: tdx_mrownerconfig

Claim Description: Software-defined ID for owner-defined configuration of the TDX

Specification Document(s): This document

-----------------------------------------------

Claim Name: tdx_report_data

Claim Description: Custom data in the TDX Report

Specification Document(s): This document

-----------------------------------------------

Claim Name: tdx_seam_attributes

Claim Description: Additional configuration of the TDX module

Specification Document(s): This document

-----------------------------------------------

Claim Name: tdx_tee_tcb_svn

Claim Description: Trusted Computing Base (TCB) Security Version Numbers (SVNs) of the TDX

Specification Document(s): This document

-----------------------------------------------

Claim Name: tdx_xfam

Claim Description: Mask of CPU extended features that the TDX is allowed to use

Specification Document(s): This document

-----------------------------------------------

Claim Name: tdx_seamsvn

Claim Description: The TDX module Security Version Number (SVN)

Specification Document(s): This document

-----------------------------------------------

Claim Name: tdx_td_attributes

Claim Description: Attributes associated with the Trust Domain (TD)

Specification Document(s): This document

-----------------------------------------------

Claim Name: tdx_td_attributes_debug

Claim Description: Indicates whether the TD runs in TD debug mode (set to 1) or not (set to 0)

Specification Document(s): This document

-----------------------------------------------

Claim Name: tdx_td_attributes_key_locker

Claim Description: Indicates whether the TD is allowed to use Key Locker

Specification Document(s): This document

-----------------------------------------------

Claim Name: tdx_td_attributes_perfmon

Claim Description: Indicates whether the TD is allowed to use Perfmon and PERF_METRICS capabilities

Specification Document(s): This document

-----------------------------------------------

Claim Name: tdx_td_attributes_protection_keys

Claim Description: Indicates whether the TD is allowed to use Supervisor Protection Keys

Specification Document(s): This document

-----------------------------------------------

Claim Name: tdx_td_attributes_septve_disable

Claim Description: Determines whether to disable EPT violation conversion to #VE on TD access of PENDING pages

Specification Document(s): This document

-----------------------------------------------

Claim Name: attester_advisory_ids

Claim Description: Intel security advisories that provide insight into the reason(s) for the value of tcbStatus of the platform TCB level being evaluated

Specification Document(s): This document

-----------------------------------------------

Claim Name: attester_tcb_status

Claim Description: TCB level status of the platform being evaluated

Specification Document(s): This document

-----------------------------------------------

6. Security Considerations

This specification re-uses the EAT and JWT specifications. Hence, the security and privacy considerations of those specifications apply here as well.

Additionally, the security considerations as described in [TDX-Security-Guidance] apply here too.

7. References

7.1. Normative References

[RFC2119]
Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, , <https://www.rfc-editor.org/info/rfc2119>.
[RFC8174]
Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, , <https://www.rfc-editor.org/info/rfc8174>.
[EAT]
Lundblade, L., Mandyam, G., O'Donoghue, J., and C. Wallace, "The Entity Attestation Token (EAT)", , <https://datatracker.ietf.org/doc/html/draft-ietf-rats-eat>.
[JWT]
Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token (JWT)", , <https://datatracker.ietf.org/doc/html/rfc7519>.
[JWS]
Jones, M., Bradley, J., and N. Sakimura, "JSON Web Signature (JWS)", , <https://datatracker.ietf.org/doc/html/rfc7515>.
[TDX]
Intel, "Intel® Trust Domain Extensions", , <https://www.intel.com/content/www/us/en/developer/tools/trust-domain-extensions/overview.html>.
[TDX-API-Portal]
Intel, "Intel® SGX and Intel® TDX Registration Service for Scalable Platforms", , <https://api.portal.trustedservices.intel.com/content/documentation.html>.
[TDX-DCAP-Quoting-Library]
Intel, "Intel® Trust Domain Extensions Data Center Attestation Primitives (Intel® TDX DCAP): Quote Generation Library and Quote Verification Library", , <https://download.01.org/intel-sgx/latest/dcap-latest/linux/docs/Intel_TDX_DCAP_Quoting_Library_API.pdf>.
[RATS-Architecture]
Birkholz, H., Thaler, D., Richardson, M., Smith, N., and W. Pan, "Remote ATtestation procedureS (RATS) Architecture", , <https://www.rfc-editor.org/rfc/rfc9334>.
[JOSE-ALGS]
Jones, M., "JSON Web Algorithms (JWA)", , <https://datatracker.ietf.org/doc/html/rfc7518>.

7.2. Informative References

[JTAG]
"IEEE Standard for Reduced-Pin and Enhanced-Functionality Test Access Port and Boundary-Scan Architecture", , <https://ieeexplore.ieee.org/document/5412866>.
[MAA]
Microsoft, "Microsoft Azure Attestation", , <https://learn.microsoft.com/en-us/azure/attestation/overview>.
[ITA]
Intel, "Intel® Trust Authority", , <https://www.intel.com/content/www/us/en/security/trust-authority.html>.
[MAA-EAT-Profile]
Microsoft, "EAT profile of Microsoft Azure Attestation", , <https://learn.microsoft.com/en-us/azure/attestation/trust-domain-extensions-eat-profile>.
[ITA-EAT-Profile]
Intel, "EAT profile of Intel® Trust Authority", , <https://portal.trustauthority.intel.com/eat_profile.html>.
[TDX-Security-Guidance]
Intel, "Intel TDX Security Guidance", , <https://www.intel.com/content/www/us/en/developer/tools/trust-domain-extensions/documentation.html#security-guidance>.

Appendix A. Examples

A.1. TDX attestation token by Intel® Trust Authority

Below is a sample TDX attestation token generated by Intel® Trust Authority [ITA] which includes claims from this EAT profile. The definitions of the token claims can be found in [ITA-EAT-Profile].

      {
  "alg": "PS384",
  "jku": "https://portal.trustauthority.intel.com/certs"
,
  "kid": "1881f519948621f7aeb538a8a5896bb3fb7c271c3522081c5dd7af1a683bac
          f6d90a63e82ade85c00321781591dfdf3d",
  "typ": "JWT"
}.{
  "tdx_tee_tcb_svn": "02010600000000000000000000000000",
  "tdx_mrseam": "360304d34a16aace0a18e09ad2d07d2b9fd3c174378e5bf10838807
          9827f89ff62acc5f8c473dd40706324834e202946",
  "tdx_mrsignerseam": "000000000000000000000000000000000000000000000000
          000000000000000000000000000000000000000000000000",
  "tdx_seam_attributes": "0000000000000000",
  "tdx_td_attributes": "0000000000000000",
  "tdx_xfam": "e718060000000000",
  "tdx_mrtd": "75f3acc2e1dfc3acf404d7eaa69a2eefcd0475a0dd6516ef5ba3cb8
          3399c61b4aa1c638e3622bb650a514bfc6e858886",
  "tdx_mrconfigid": "0000000000000000000000000000000000000000000000000
          00000000000000000000000000000000000000000000000",
  "tdx_mrowner": "0000000000000000000000000000000000000000000000000000
          00000000000000000000000000000000000000000000",
  "tdx_mrownerconfig": "0000000000000000000000000000000000000000000000
          00000000000000000000000000000000000000000000000000",
  "tdx_rtmr0": "000000000000000000000000000000000000000000000000000000
          000000000000000000000000000000000000000000",
  "tdx_rtmr1": "000000000000000000000000000000000000000000000000000000
          000000000000000000000000000000000000000000",
  "tdx_rtmr2": "000000000000000000000000000000000000000000000000000000
          000000000000000000000000000000000000000000",
  "tdx_rtmr3": "000000000000000000000000000000000000000000000000000000
          000000000000000000000000000000000000000000",
  "tdx_report_data": "7e3b88c09ed42bad38c146f542fbee862411878fa33a3fdf
          bffd2ad549db279200000000000000000000000000000000000000000000
          00000000000000000000",
  "tdx_seamsvn": 2,
  "tdx_td_attributes_debug": false,
  "tdx_td_attributes_septve_disable": false,
  "tdx_td_attributes_protection_keys": false,
  "tdx_td_attributes_key_locker": false,
  "tdx_td_attributes_perfmon": false,
  "tdx_is_debuggable": false,
  "tdx_collateral": {
    "qeidcerthash": "b2ca71b8e849d5e799451b4bfe43159a0ee548032cecb2c0e4
          79bf6ee3f39fd1",
    "qeidcrlhash": "f454dc1b9bd4ce36c04241e2c8c37a2ae26b077f2c66b919843
          365318a59332c",
    "qeidhash": "665b5e4a8c34c24935448629894302b0bc8a054f25e43333021dd8
          c93e9211be",
    "quotehash": "be3de7edd324a21cb73f8ba3d8ea5bd704bd27809dd6f0c8de152
          5511845389c",
    "tcbinfocerthash": "b2ca71b8e849d5e799451b4bfe43159a0ee548032cecb2c
          0e479bf6ee3f39fd1",
    "tcbinfocrlhash": "f454dc1b9bd4ce36c04241e2c8c37a2ae26b077f2c66b919
          843365318a59332c",
    "tcbinfohash": "7c2b91b9aaaf0a9823f17bb6b31403fffee7fe0b658b41d9e80
          2c6de8569096d"
  },
  "attester_runtime_data": {
     "test-claim-name": "test-claim-value"
  },
  "policy_ids_matched": [
    {
      "id": "094f9b2d-5477-4607-8a5f-bd33388c60c7",
      "version": "v4"
    }
  ],
  "attester_tcb_status": "UpToDate",
  "attester_type": "TDX",
  "verifier_instance_ids": [
    "64edd3d8-be70-4d03-9cb5-e5575107c87d",
    "56b8f9df-f6c5-4302-8142-321985f269c4",
    "5f6d8e1e-288a-409e-ad3f-3670f00a426c",
    "c82f8048-ea8b-4407-9365-3990bb646e3e"
  ],
  "dbgstat": "disabled",
  "eat_profile": "https://portal.trustauthority.intel.com/eat_profile"
,
  "intuse": "generic",
  "ver": "1.0.0",
  "exp": 1696973571,
  "jti": "ac2ca0de-e271-4878-a56f-59e5e6b8c328",
  "iat": 1696973271,
  "iss": "Intel Trust Authority",
  "nbf": 1696973271
}

A.2. TDX attestation token by Microsoft Azure Attestation

Below is a sample TDX attestation token generated by Microsoft Azure Attestation [MAA] which includes claims from this EAT profile. The definitions of the token claims can be found in [MAA-EAT-Profile].

  {
   "attester_tcb_status": "UpToDate",
   "dbgstat": "disabled",
   "eat_profile": "https://aka.ms/maa-eat-profile-tdxvm",
   "exp": 1697600807,
   "iat": 1697572007,
   "intuse": "generic",
   "iss": "https://maasand001.eus.attest.azure.net",
   "jti": "fb5021d13a90f5b3f5642b30d8103715c8d76ee05c9062923a04af35d0
          347ade",
   "nbf": 1697572007,
   "tdx_mrconfigid": "00000000000000000000000000000000000000000000000
          0000000000000000000000000000000000000000000000000",
   "tdx_mrowner": "00000000000000000000000000000000000000000000000000
          0000000000000000000000000000000000000000000000",
   "tdx_mrownerconfig": "00000000000000000000000000000000000000000000
          0000000000000000000000000000000000000000000000000000",
   "tdx_mrseam": "2fd279c16164a93dd5bf373d834328d46008c2b693af9ebb865
          b08b2ced320c9a89b4869a9fab60fbe9d0c5a5363c656",
   "tdx_mrsignerseam": "000000000000000000000000000000000000000000000
          000000000000000000000000000000000000000000000000000",
   "tdx_mrtd": "5be56d418d33661a6c21da77c9503a07e430b35eb92a0bd042a6b
          3c4e79b3c82bb1c594e770d0d129a0724669f1e953f",
   "tdx_report_data": "93c6db49f2318387bcebdad0275e206725d948f9000d90
          0344aa44abaef1459600000000000000000000000000000000000000000
          00000000000000000000000",
   "tdx_rtmr0": "0000000000000000000000000000000000000000000000000000
          00000000000000000000000000000000000000000000",
   "tdx_rtmr1": "0000000000000000000000000000000000000000000000000000
          00000000000000000000000000000000000000000000",
   "tdx_rtmr2": "0000000000000000000000000000000000000000000000000000
          00000000000000000000000000000000000000000000",
   "tdx_rtmr3": "0000000000000000000000000000000000000000000000000000
          00000000000000000000000000000000000000000000",
   "tdx_seam_attributes": "0000000000000000",
   "tdx_seamsvn": 3,
   "tdx_td_attributes": "0000000000000000",
   "tdx_td_attributes_debug": false,
   "tdx_td_attributes_key_locker": false,
   "tdx_td_attributes_perfmon": false,
   "tdx_td_attributes_protection_keys": false,
   "tdx_td_attributes_septve_disable": false,
   "tdx_tee_tcb_svn": "03000600000000000000000000000000",
   "tdx_xfam": "e718060000000000",
   "x-ms-attestation-type": "tdxvm",
   "x-ms-compliance-status": "azure-compliant-cvm",
   "x-ms-policy-hash": "B56nbp5slhw66peoRYkpdq1WykMkEworvdol08hnMXE",
   "x-ms-runtime": {
      "test-claim-name": "test-claim-value"
   },
   "x-ms-ver": "1.0"
}

Acknowledgements

Thanks to Dave Thaler for offering guidance in drafting and publishing the profile.

Authors' Addresses

Greg Kostal
Microsoft
Sindhuri Dittakavi
Microsoft
Raghuram Yeluri
Intel
Haidong Xia
Intel
Jerry Yu
Intel