Trust Domain at Runtime

On this page, we provide instructions on topics concerning a Trust Domain (TD) at runtime.

Perform Remote Attestation

As explained in the TDX remote attestation section of the Infrastructure Setup page, remote attestation is one of the main features of Intel TDX.

In this section, we assume that your infrastructure provider has done the necessary setup steps. This includes the setup of a collateral caching service in the infrastructure; a Quote Generation Service (QGS) is running on the same host as the TD; and a communication channel between the QGS and the TD was configured on TD start.

Based on this assumption, we explain how to configure the communication channel between the TD and the QGS from inside the TD. Then, we show how TD Quotes can be generated, which always has to happen inside a TD.

We also describe how generated TD Quotes can be verified to close the loop. TD Quote Verification can be done by any party at any place. Examples:

• Inside the TD by the TD owner.
• In the host OS by the host OS owner.
• On any remote platform by the owner of the remote platform.

Note that there are multiple TD Quote Verification alternatives.

Configure TD to QGS Communication Channel

Inside the TD, create the file /etc/tdx-attest.conf file as root defining the vsock port that is for the communication between TD and QGS. The following command can be used to create and fill the file:

sudo tee -a /etc/tdx-attest.conf > /dev/null <<EOT
port=4050
EOT

TD Quote Generation

TD Quote Generation must always happen inside the TD. There are multiple ways to generate a TD Quote. In the following, we explore how TD Quote Generation can be tested using the TDX Quote Generation Sample.

Steps:

1. Setup the appropriate Intel SGX package repository for your distribution of choice (if not done during another component installation):

   Red Hat Enterprise Linux 9.4 KVMUbuntu 23.10openSUSE Leap 15.5 or SUSE Linux Enterprise Server 15-SP5

   sudo dnf install -y yum-utils wget
   sudo mkdir /opt/intel
   cd /opt/intel
   sudo wget https://download.01.org/intel-sgx/latest/dcap-latest/linux/distro/rhel9.2-server/sgx_rpm_local_repo.tgz
   sudo tar xvf sgx_rpm_local_repo.tgz
   sudo yum-config-manager --add-repo file:///opt/intel/sgx_rpm_local_repo
   

   echo 'deb [signed-by=/etc/apt/keyrings/intel-sgx-keyring.asc arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu mantic main' | sudo tee /etc/apt/sources.list.d/intel-sgx.list
   wget https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key
   sudo mkdir -p /etc/apt/keyrings
   cat intel-sgx-deb.key | sudo tee /etc/apt/keyrings/intel-sgx-keyring.asc > /dev/null
   sudo apt-get update
   

   sudo mkdir /opt/intel
   cd /opt/intel
   sudo wget https://download.01.org/intel-sgx/latest/dcap-latest/linux/distro/suse15.4-server/sgx_rpm_local_repo.tgz
   sudo tar xvf sgx_rpm_local_repo.tgz
   sudo zypper addrepo /opt/intel/sgx_rpm_local_repo sgx_rpm_local_repo
   

2. Execute the following commands to install and run the sample application generating a TD Quote:

   Red Hat Enterprise Linux 9.4 KVMUbuntu 23.10openSUSE Leap 15.5 or SUSE Linux Enterprise Server 15-SP5

   sudo dnf install -y gcc make
   sudo dnf --nogpgcheck install -y libtdx-attest libtdx-attest-devel
   cd /opt/intel/tdx-quote-generation-sample/
   make
   ./test_tdx_attest
   

   sudo apt install -y libtdx-attest libtdx-attest-dev
   cd /opt/intel/tdx-quote-generation-sample/
   make
   ./test_tdx_attest
   

   sudo zypper --no-gpg-checks install -y libtdx-attest libtdx-attest-devel
   cd /opt/intel/tdx-quote-generation-sample/
   make
   ./test_tdx_attest
   

   If successful, a TD Quote will be written to disk in a quote.dat file. This quote.dat file can now be verified as described in the next section.

TD Quote Verification

TD Quote Verification can be done by any party at an arbitrary place. There are multiple TD Quote Verification alternatives. In the following, we explore how TD Quote Verification can be tested using the Quote Verification Sample application deployed in the host OS.

Steps:

1. Copy the TD Quote file (e.g., quote.dat) to the host OS. Use a tool of your choice for this operation. Possible commands using scp or virt-copy-out:

   scpvirt-copy-out

   Note

   SSH access to your TD is necessary for this approach.

   Adjust the following command to your environment and use it to copy the file:

   scp -p <TD SSH port> <TD user>@<TD IP>:<guest-path-to>/quote.dat <host_directory>/.
   

   Example command:

   scp -P 10022 root@localhost:/opt/intel/tdx-quote-generation-sample/quote.dat ~/quote.dat
   

   Note

   Host OS access is necessary for this approach.

   Terminate TD. Then, adjust the following command to your environment and use it to copy the file:

   virt-copy-out -a <image_path> <guest-path-to>/quote.dat <host_directory>
   

   Example command:

   virt-copy-out -a ~/tdx/guest-tools/image/tdx-guest-ubuntu-23.10.qcow2 /opt/intel/tdx-quote-generation-sample/quote.dat ~
   

2. Setup the appropriate Intel SGX package repository for your distribution of choice (if not done during another component installation):

   CentOS Stream 9Ubuntu 23.10openSUSE Leap 15.5 or SUSE Linux Enterprise Server 15-SP5

   sudo dnf install -y wget yum-utils
   sudo mkdir /opt/intel
   cd /opt/intel
   sudo wget https://download.01.org/intel-sgx/latest/dcap-latest/linux/distro/centos-stream9/sgx_rpm_local_repo.tgz
   sudo tar xvf sgx_rpm_local_repo.tgz
   sudo yum-config-manager --add-repo file:///opt/intel/sgx_rpm_local_repo
   

   echo 'deb [signed-by=/etc/apt/keyrings/intel-sgx-keyring.asc arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu mantic main' | sudo tee /etc/apt/sources.list.d/intel-sgx.list
   wget https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key
   sudo mkdir -p /etc/apt/keyrings
   cat intel-sgx-deb.key | sudo tee /etc/apt/keyrings/intel-sgx-keyring.asc > /dev/null
   sudo apt-get update
   

   sudo mkdir /opt/intel
   cd /opt/intel
   sudo wget https://download.01.org/intel-sgx/latest/dcap-latest/linux/distro/suse15.4-server/sgx_rpm_local_repo.tgz
   sudo tar xvf sgx_rpm_local_repo.tgz
   sudo zypper addrepo /opt/intel/sgx_rpm_local_repo sgx_rpm_local_repo
   

3. Execute the following command to install the dependencies for the Quote Verification Sample application, retrieve the application, build the application, and use the application to verify the TD Quote (i.e., quote.dat):

   CentOS Stream 9Ubuntu 23.10openSUSE Leap 15.5 or SUSE Linux Enterprise Server 15-SP5

   sudo dnf install -y gcc make
   sudo dnf --nogpgcheck install -y libsgx-enclave-common-devel libsgx-dcap-quote-verify-devel libsgx-dcap-default-qpl-devel
   cd ~
   git clone https://github.com/intel/SGXDataCenterAttestationPrimitives.git
   cd SGXDataCenterAttestationPrimitives/SampleCode/QuoteVerificationSample
   make QVL_ONLY=1
   ./app -quote ~/quote.dat
   

   sudo apt install -y libsgx-enclave-common-dev libsgx-dcap-quote-verify-dev libsgx-dcap-default-qpl-dev
   git clone https://github.com/intel/SGXDataCenterAttestationPrimitives.git
   cd SGXDataCenterAttestationPrimitives/SampleCode/QuoteVerificationSample
   make QVL_ONLY=1
   ./app -quote ~/quote.dat
   

   sudo zypper --no-gpg-checks install -y libsgx-enclave-common-devel libsgx-dcap-quote-verify-devel libsgx-dcap-default-qpl-devel
   cd ~
   git clone https://github.com/intel/SGXDataCenterAttestationPrimitives.git
   cd SGXDataCenterAttestationPrimitives/SampleCode/QuoteVerificationSample
   make QVL_ONLY=1
   ./app -quote ~/quote.dat
   

   If TD Quote Verification is successful, the output contains Verification completed successfully.