fix(verify): offline DCAP TDX quote verification (cmcp#370)#387
Draft
imran-siddique wants to merge 1 commit into
Conversation
Adds fail-closed, offline verification of an Intel TDX ECDSA v4 quote:

1. quote signature over header+TD-report-body by the attestation key,
2. attestation key bound into the QE report_data (SHA-256),
3. QE report signed by the PCK leaf,
4. PCK chain verified to a caller-pinned Intel SGX root.

The PCK chain travels inside the quote, so no network at verify time. TCB status and QE identity need Intel PCS collateral by FMSPC and are left in unverified_fields (this is not a full TCB appraisal).

verify_tdx_measurement gains optional raw_quote + trusted_intel_root_pem params; when supplied it runs verify_tdx_quote and fails closed.

Quote-layout offsets are per the DCAP v4 spec and are exercised end to end by a synthetic-quote test; a skipped test pins them (and the report_data offset for #371) against a real Azure TDX fixture (capture-tdx-azure.sh).

Wiring the quote + pinned root through verify_trace_claim is deferred to avoid colliding with the SNP PR (#386) signature change; done once #386 and the real fixture land.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Draft. TDX counterpart to the SNP work in #386, ready to validate the moment an Azure TDX quote fixture lands.
What this does (offline, fail-closed)
verify_tdx_quote() verifies: quote signature over header+body by the attestation key; the attestation key is bound into the QE report_data; the QE report is signed by the PCK leaf; and the PCK chain verifies to a caller-pinned Intel SGX root. PCK chain travels inside the quote, so no network at verify time. verify_tdx_measurement gains optional raw_quote + trusted_intel_root_pem and fails closed when they are supplied.
Honestly not done here
TCB status and QE identity are left in unverified_fields; this is not a full TCB appraisal.
A skipped test pins the quote-layout offsets against a real Azure TDX fixture (Product/Platform/attestation-capture/capture-tdx-azure.sh); that test also confirms the report_data offset for "security: make cnf.jwk<->report_data binding fatal for SEV-SNP/TDX; fix TDX report_data offset" #371.
Wiring raw_quote/trusted_intel_root_pem through verify_trace_claim is deferred to avoid conflicting with the signature change in "fix(verify): verify SNP report signature + VCEK chain (cmcp#370)" #386.
Tests
tests/unit/test_tdx_quote_verify.py: 4 pass (valid verifies; tampered quote sig fails closed; wrong pinned root fails closed; report_data mismatch fails), 1 skipped pending the real Azure TDX fixture.
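The four checks the description lists, as an added stand-alone example; this is not cmcp's verify_tdx_quote nor code from this PR. It builds a constructed quote with synthetic keys and a synthetic two-certificate chain (root signs PCK leaf) standing in for Intel's PCK chain, then verifies it offline with only a pinned root. The layout offsets (48-byte header, 584-byte TD report body, QE certification data type 6 wrapping a 384-byte QE report whose report_data sits at offset 320, nested type 5 PEM chain) are what I assume the DCAP v4 format to be and should be pinned against a real fixture exactly as the PR's skipped test does; `demo`, `build_synthetic_quote` and the `cryptography` package are the example's own choices. Like the PR, it leaves TCB status and QE identity unappraised.

```python
"""Offline, fail-closed checks on a synthetic Intel TDX ECDSA v4 quote (added example)."""
import datetime, hashlib, re, struct
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.asymmetric.utils import decode_dss_signature, encode_dss_signature
from cryptography.x509.oid import NameOID

HEADER_LEN, TD_BODY_LEN, QE_REPORT_LEN = 48, 584, 384  # assumed DCAP v4 layout; pin vs. real fixture
SIGNED_LEN = HEADER_LEN + TD_BODY_LEN        # bytes covered by the quote signature
TD_MRTD_OFF, TD_REPORT_DATA_OFF = 136, 520   # offsets inside the TD report body
QE_REPORT_DATA_OFF = 320                     # report_data inside the 384-byte QE report
PEM_CERT = re.compile(rb"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

class QuoteVerifyError(Exception): pass  # any failure: quote is untrusted, never fall through

def _sign_raw(key, msg):  # fixed 64-byte r||s as carried in the quote, not DER
    r, s = decode_dss_signature(key.sign(msg, ec.ECDSA(hashes.SHA256())))
    return r.to_bytes(32, "big") + s.to_bytes(32, "big")

def _verify_raw(pub, sig, msg, what):
    try:
        der = encode_dss_signature(int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big"))
        pub.verify(der, msg, ec.ECDSA(hashes.SHA256()))
    except Exception as exc:
        raise QuoteVerifyError(f"{what}: signature check failed") from exc

def _cert(cn, key, issuer=None, issuer_key=None):  # minimal synthetic X.509, no extensions
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    return (x509.CertificateBuilder().subject_name(name).issuer_name(issuer.subject if issuer else name)
            .public_key(key.public_key()).serial_number(1)
            .not_valid_before(datetime.datetime(2024, 1, 1)).not_valid_after(datetime.datetime(2034, 1, 1))
            .sign(issuer_key or key, hashes.SHA256()))

def build_synthetic_quote(attest_key, pck_key, chain_pem, qe_auth=b"qe-auth", td_body=None):
    """Constructed quote: synthetic keys and chain, zeroed QE vendor id and user data."""
    td_body = td_body or b"\x11" * TD_BODY_LEN
    header = struct.pack("<HHIHH16s20s", 4, 2, 0x81, 0, 0, b"\0" * 16, b"\0" * 20)  # v4, ECDSA-P256, TDX
    n = attest_key.public_key().public_numbers()
    attest_pub = n.x.to_bytes(32, "big") + n.y.to_bytes(32, "big")       # x||y
    qe_report = bytearray(b"\x22" * QE_REPORT_LEN)
    qe_report[QE_REPORT_DATA_OFF:] = hashlib.sha256(attest_pub + qe_auth).digest() + b"\0" * 32
    qe_report = bytes(qe_report)
    qe_cd = (qe_report + _sign_raw(pck_key, qe_report)                    # QE report signed by PCK leaf
             + struct.pack("<H", len(qe_auth)) + qe_auth
             + struct.pack("<HI", 5, len(chain_pem)) + chain_pem)          # type 5: PEM PCK chain
    sig_data = (_sign_raw(attest_key, header + td_body) + attest_pub
                + struct.pack("<HI", 6, len(qe_cd)) + qe_cd)              # type 6: QE report cert data
    return header + td_body + struct.pack("<I", len(sig_data)) + sig_data

def verify_tdx_quote(quote, trusted_root_pem):
    """Return TD measurements only if all four checks pass; raise QuoteVerifyError otherwise."""
    try:
        if struct.unpack_from("<HHI", quote, 0) != (4, 2, 0x81):
            raise QuoteVerifyError("not a TDX ECDSA-P256 v4 quote")
        (sig_len,) = struct.unpack_from("<I", quote, SIGNED_LEN)
        sig = quote[SIGNED_LEN + 4:]
        quote_sig, attest_pub = sig[:64], sig[64:128]
        cd_type, cd_size = struct.unpack_from("<HI", sig, 128)
        qe_cd = sig[134:134 + cd_size]
        qe_report, qe_sig = qe_cd[:QE_REPORT_LEN], qe_cd[QE_REPORT_LEN:QE_REPORT_LEN + 64]
        (auth_len,) = struct.unpack_from("<H", qe_cd, QE_REPORT_LEN + 64)
        pos = QE_REPORT_LEN + 66 + auth_len
        qe_auth = qe_cd[QE_REPORT_LEN + 66:pos]
        pck_type, pck_size = struct.unpack_from("<HI", qe_cd, pos)
        chain_pem = qe_cd[pos + 6:pos + 6 + pck_size]
        if ((cd_type, pck_type) != (6, 5) or len(sig) != sig_len or len(qe_cd) != cd_size
                or len(qe_sig) != 64 or len(chain_pem) != pck_size):
            raise QuoteVerifyError("unsupported or truncated signature data")
        attest = ec.EllipticCurvePublicNumbers(int.from_bytes(attest_pub[:32], "big"),
                                               int.from_bytes(attest_pub[32:], "big"), ec.SECP256R1()).public_key()
        certs = [x509.load_pem_x509_certificate(m) for m in PEM_CERT.findall(chain_pem)]
        pinned = x509.load_pem_x509_certificate(trusted_root_pem)
    except (struct.error, ValueError) as exc:
        raise QuoteVerifyError("malformed quote, key or certificate") from exc
    # 4. PCK chain (leaf first) must end at the caller-pinned root and every link must verify.
    if not certs or certs[-1] != pinned:
        raise QuoteVerifyError("PCK chain does not end at the pinned root")
    for child, parent in zip(certs, certs[1:] + [pinned]):
        try:
            parent.public_key().verify(child.signature, child.tbs_certificate_bytes,
                                       ec.ECDSA(child.signature_hash_algorithm))
        except Exception as exc:
            raise QuoteVerifyError("PCK chain link does not verify") from exc
    _verify_raw(certs[0].public_key(), qe_sig, qe_report, "QE report")   # 3. signed by PCK leaf
    if qe_report[QE_REPORT_DATA_OFF:QE_REPORT_DATA_OFF + 32] != hashlib.sha256(attest_pub + qe_auth).digest():
        raise QuoteVerifyError("attestation key not bound in QE report_data")  # 2. SHA-256(key||auth)
    _verify_raw(attest, quote_sig, quote[:SIGNED_LEN], "quote")           # 1. over header + TD body
    body = quote[HEADER_LEN:SIGNED_LEN]
    return {"mrtd": body[TD_MRTD_OFF:TD_MRTD_OFF + 48].hex(),
            "report_data": body[TD_REPORT_DATA_OFF:TD_REPORT_DATA_OFF + 64].hex(),
            "unverified_fields": ["tcb_status", "qe_identity"]}  # these need Intel PCS collateral

def demo():
    """Synthetic keys and a two-cert chain (root -> PCK leaf) standing in for Intel's real chain."""
    root_key, pck_key, attest_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    root = _cert("Synthetic SGX Root CA", root_key)
    leaf = _cert("Synthetic PCK leaf", pck_key, root, root_key)
    pem = lambda c: c.public_bytes(serialization.Encoding.PEM)
    return build_synthetic_quote(attest_key, pck_key, pem(leaf) + pem(root)), pem(root)
```

`demo()` returns a quote plus the PEM of the root it chains to; `verify_tdx_quote(quote, root_pem)` returns MRTD and TD report_data only after all four checks pass, and any parse or signature problem surfaces as `QuoteVerifyError`. Verifying against a root from a second `demo()` call, or flipping one byte of the TD body, the quote signature, or the QE report_data, all fail closed.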