Intel SGX Attestation Service Utilizing EPID

The Attestation API exposed by the Intel® SGX attestation service is a programming interface for service providers to verify attestation evidence of SGX enabled enclaves. View the Intel SGX EPID API Specification.

Intel plans to end of life (EOL) the Intel SGX Attestation Service April 2, 2025. This would include all active API versions. Intel also plans to limit access to the IAS Development (DEV) environment after September 29, 2024. Please factor this into your engagement plans (reference this link for additional details and Intel-offered attestation alternatives).

Download the Attestation Report Root CA Certificate here:
DER PEM

Intel® SGX and Intel® TDX Registration Service for Scalable Platforms

The API exposed by the Intel® SGX registration service allows an Intel® SGX platform with multiple processor packages to be registered as a single platform instance, which can later be remotely attested as a single entity.

The minimum version of the TLS protocol supported by the service is 1.2 - any connection attempts with previous versions of TLS/SSL will be dropped by the server.

Register Platform

This API registers a multi-package SGX platform (both initial registration and re-registration after TCB Recovery). As part of the registration, the platform manifest is authenticated by the Registration Service as originating from a genuine, non-revoked SGX platform. If the platform configuration is verified successfully, the platform provisioning root keys are stored in the backend.

Stored platform provisioning root keys are later used to derive the public parts of Provisioning Certification Keys (PCKs), which are distributed in the form of X.509 certificates by the Provisioning Certification Service for Intel® SGX. PCK certificates are used during remote attestation of the platform.

POST https://api.trustedservices.intel.com/sgx/registration/v1/platform

Request

Headers
Besides headers explicitly mentioned in the table below, the HTTP request may contain standard HTTP headers required in the request (e.g. Content-Length).
Name Required Value Description
Content-Type True application/octet-stream MIME type of the request body.
Body

Binary representation of the Platform Manifest structure - an opaque blob that represents a registration manifest for a multi-package platform. It contains the platform provisioning root keys established by the given platform instance and the data required to authenticate the platform as a genuine, non-revoked SGX platform.

Example Request
curl -H "Content-Type: application/octet-stream" -v --data-binary @platform_manifest -X POST "https://api.trustedservices.intel.com/sgx/registration/v1/platform"

Response

Model

Hex-encoded representation of PPID for the registered platform instance (only if HTTP Status Code is 201, empty body otherwise).

Example Response
00112233445566778899AABBCCDDEEFF
Status Codes
Status Code Headers Body Description
201

Request-ID - Randomly generated identifier for each request (for troubleshooting purposes)

Hex-encoded representation of PPID for the registered platform instance.

Operation successful. A new platform instance has been registered in the backend.
400

Request-ID - Randomly generated identifier for each request (for troubleshooting purposes)

Error-Code and Error-Message:

  • InvalidRequestSyntax - The request could not be understood by the server due to malformed syntax.
  • InvalidRegistrationServer - The request was rejected by the server as it is intended to be processed by a different instance of Registration Server (Registration Server Authentication Key mismatch).
  • InvalidOrRevokedPackage - The request was rejected by the server due to invalid or revoked processor package.
  • PackageNotFound - The request was rejected by the server as at least one of the processor packages could not be recognized by the server.
  • IncompatiblePackage - The request was rejected by the server as at least one of the processor packages is incompatible with rest of the processor packages forming the platform.
  • InvalidPlatformManifest - The request was rejected by the server due to invalid platform configuration.
  • CachedKeysPolicyViolation - The request was rejected due to a different policy for keys caching being set for this Platform Instance.

Invalid Platform Manifest. The client should not repeat the request without modifications.

Additional details about the error condition that occurred (in the form of a specific error code and message) are returned to the client in the response headers: Error-Code and Error-Message.

415

Request-ID - Randomly generated identifier for each request (for troubleshooting purposes)

MIME type specified in the request is not supported by the server.
500

Request-ID - Randomly generated identifier for each request (for troubleshooting purposes)

Internal server error occurred
503

Request-ID - Randomly generated identifier for each request (for troubleshooting purposes)

Server is currently unable to process the request. The client should try to repeat its request after some time.

Add Package

Subscription Required

Add new package(s) to an already registered platform instance. If the request is successful, a Platform Membership Certificate is generated for each processor package in the Add Request.

POST https://api.trustedservices.intel.com/sgx/registration/v1/package

Request

Headers
Besides headers explicitly mentioned in the table below, the HTTP request may contain standard HTTP headers required in the request (e.g. Content-Length).
Name Required Value Description
Ocp-Apim-Subscription-Key True Subscription key which provides access to this API. It can be found in your Profile.
Content-Type True application/octet-stream MIME type of the request body.
Body

Binary representation of the Add Request structure - an opaque blob that represents a request for adding new processor packages to an existing platform instance.

Example Request
curl -H "Content-Type: application/octet-stream" -v --data-binary @add_package -X POST "https://api.trustedservices.intel.com/sgx/registration/v1/package" -H "Ocp-Apim-Subscription-Key: {subscription key}"

Response

Model

In case of 200 HTTP Status Code: fixed-size array (8 elements) containing the binary representations of Platform Membership Certificate structures, concatenated back to back.
Certificates are populated sequentially in the array starting at index 0; the remaining elements of the array are zeroed.

Example Response (hex-encoded)
EBBD00C0EF904910A480F772E7355DB4C90401000000000000000000000000000348E55FE5BB604086B7CFBF7BD00235A1A492C64BDC948CB
35B4D48404BE3CAC68090F19E5D4B985136D9A160B04425B9B709CCD8D46F024EB65330E781312B74D5D1A8BD8F0BCBB9041530E022F24B4B
C9AF1E45F551956633494D924DDC81E546085A340B5D1F58E5BD5726E87238715FDF8133CA1DC4E1304550C1956143932817207F3697DB9C5
A35433FD573CFA4C8494C8C1536E4046CC3507304E5A557A31F7576EE10DC3E2626996EC014CC990AE2CC69095CE933C283FC3A3FB5F02139
BD700FBCB5C1715031F3A810A097479A82D02A38CB7071E72D73DF4B31E9E236E96164DCD175ACBCD68E7EF34FF0EDEF1A28F5B9558A3E90D
662A21A1055F2FEA1D54F4BF3D464EBB02AF1EDD3270F06B64F651CBE06C34E345BFB6BF8FC67B6FE83A697A890EF946C285261D6458F4C7B
18CCAC29841574A7EC62427642FDE7E862C3C387786429B4F3CE7D9509CB7115DAF6E68F0DE426ACF3B87FB3CCC3B3ED33853F8EBC6D3AE82
4471087F5EB3A2EA43F137D6D184D16420042A5C274E22C2846B570D8277E5DCB2EAF285C0DE53F4260B22CBCD63BA07C47861E799A8D18BF
496BC3F89BE7BEB28A2EBD34DA41486B2A183AB568251D2FDC0DEFD88701000100CB0C25CAFDB9C17FC17C6E5F6496EF7276382CAF199CB5B
B3CE3186DE3F35552ED3717ACCB87757126634AF6A3254ADEEDA46C34C1EEA4356A2FD412B07CE57F263749BD5B3D9BA2ED51DBBAED9C9DA1
104EAD2D31432DC19B04E782DB75C616850C2E86DB5390CE946272DD6C7A885D39407A1BCC719C3D05A36BA29FD85A670BCD26B8B943B5B6D
F92FE21AE5935413DC3F1DA53B79DD0730ABB7DF255C895A578F83290F4956DD50F2E367FEF47886EF24A74792C45BE1FA5C2FFC34A47C012
F47BE52FB9635532983CBA4563AB517BB36A6951AE64ABA71919DD8E83A974645A785A2FB889F6DC056DAED2B11F1FDC979E811DBB519DA7C
9154A6584036A44C6E226E1EB8612D1EDA68D242C2E25B64474442F78C4D729AF021790E385794701E7840BECE4833BB58565D36488B8A44A
D9CBF9745D9C28A02108BF24A758B224964ABDEFD01941DB82E5141E39C43D8AA5CA48502813BB7E04173C36C67086B036162EAE860C6DA7F
4688C9699A29A5B72914F225308002BC00EE571C0A201000100A33178AD01C653A70C05C83203C2285A6FD93B64E379421F47086B841C682D
9D0F6BC2AC11FE3C6D01ADF99BBD6F46C9A77F5C79EFBDB17D65E671ACB4FD8800B8E481CE680D7450EE7BC19B429648B7B44A5D550FFB41B
F8B393D1C3729F7AF7549EEA0661EBF9B0895B9DAFFB3A41E29B119E409A2E31B8BE30D7A714C79976BA9A8051322C12B281F40A3003995E9
756134B803DEC923BF984776F966564F71CCA014C63DF6EC4277B3C0A690EC8FFFD89B5FC9A63DF37B902A4D25F17A55886D0E441318E9905
B2DC0D1B2BF4562D610E234FF829424926F10FB1F60371E7E433E84B854B094A5C7321ADFEBBF934FB3271515A62D441421D7ED96D46B68A2
FAAACC045FFC8E0DA9D17C5DEBE217C762F23AD6AC3FBE7E7E71BB5228A5D6F5C098C509D975E8FE15EE8FDA956D3334BDC1CFE428DC0E8F9
C799831094346A45F4C4D1B961BFC07A4FBC89DEA759DA92447B2026B49B8A7BE428F58051A8C08DFE6B82FBE7457DCFD45A45FDD7C2477CC
CDA8FFF760AA0F126B7F0ED58E510000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
...
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Status Codes
Status Code Headers Body Description
200

Content-Type - MIME type of the response body. Value is "application/octet-stream".

Request-ID - Randomly generated identifier for each request (for troubleshooting purposes)

Certificate-Count - Number of Platform Membership Certificates returned in response body.

Fixed-size array (8 elements) containing the binary representations of Platform Membership Certificate structures, concatenated back to back. Certificates are populated sequentially in the array starting at index 0; the remaining elements of the array are zeroed.

Operation successful. Packages have been added to an existing platform instance.
400

Request-ID - Randomly generated identifier for each request (for troubleshooting purposes)

Error-Code and Error-Message:

  • InvalidRequestSyntax - The request could not be understood by the server due to malformed syntax.
  • PlatformNotFound - The request was rejected by the server as provided platform instance is not recognized by the server.
  • InvalidOrRevokedPackage - The request was rejected by the server due to invalid or revoked processor package.
  • PackageNotFound - The request was rejected by the server as at least one of the processor packages could not be recognized by the server.
  • InvalidAddRequest - The request was rejected by the server as the AddRequest was invalid.

Invalid Add Request Payload. The client should not repeat the request without modifications.

Additional details about the error condition that occurred (in the form of specific error code and message) are returned to the client in the response headers: Error-Code and Error-Message.

401

Request-ID - Randomly generated identifier for each request (for troubleshooting purposes)

Failed to authenticate or authorize the request
415

Request-ID - Randomly generated identifier for each request (for troubleshooting purposes)

MIME type specified in the request is not supported by the server.
500

Request-ID - Randomly generated identifier for each request (for troubleshooting purposes)

Internal server error occurred
503

Request-ID - Randomly generated identifier for each request (for troubleshooting purposes)

Server is currently unable to process the request
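The two Registration Service calls above share one request shape (a POST of an opaque blob as application/octet-stream) and one error convention (Error-Code, Error-Message and Request-ID response headers). The following is an added example client, not Intel's code: it sends the blob, turns a 201 into the PPID string, unpacks the 8-slot Platform Membership Certificate array of a 200 Add Package response using the Certificate-Count header, and surfaces the error headers in an exception. The per-certificate size is derived from the body length because this page does not publish the structure size, and the 40-byte "certificates" in sample_add_package_response() are constructed test data.

```python
import re
import urllib.error
import urllib.request

REGISTRATION_BASE = "https://api.trustedservices.intel.com/sgx/registration/v1"
PPID_RE = re.compile(r"^[0-9A-Fa-f]{32}$")   # PPID is 16 bytes, returned as 32 hex characters
MEMBERSHIP_SLOTS = 8                          # Add Package returns a fixed 8-element array


class RegistrationError(Exception):
    """A non-success response; exposes the Error-Code / Error-Message / Request-ID headers."""

    def __init__(self, status, headers):
        h = {k.lower(): v for k, v in headers.items()}
        self.status = status
        self.code = h.get("error-code")
        self.message = h.get("error-message")
        self.request_id = h.get("request-id")
        # Only 503 is documented as "repeat after some time"; a 400 must not be retried unmodified.
        self.retryable = status == 503
        super().__init__(f"HTTP {status} {self.code or ''}: {self.message or ''} "
                         f"(Request-ID {self.request_id})")


def post_octet_stream(url, body, subscription_key=None):
    """POST an opaque blob and return (status, headers, body), also for 4xx/5xx responses."""
    headers = {"Content-Type": "application/octet-stream"}
    if subscription_key:                      # required by Add Package, not by Register Platform
        headers["Ocp-Apim-Subscription-Key"] = subscription_key
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read()


def parse_register_platform(status, headers, body):
    """201 -> upper-case hex PPID; any other status -> RegistrationError."""
    if status != 201:
        raise RegistrationError(status, headers)
    ppid = body.decode("ascii").strip()
    if not PPID_RE.match(ppid):
        raise ValueError(f"201 body is not a 16-byte hex PPID: {ppid!r}")
    return ppid.upper()


def parse_add_package(status, headers, body):
    """200 -> the populated Platform Membership Certificate blobs, in slot order."""
    if status != 200:
        raise RegistrationError(status, headers)
    h = {k.lower(): v for k, v in headers.items()}
    count = int(h["certificate-count"])
    if not 0 <= count <= MEMBERSHIP_SLOTS or len(body) % MEMBERSHIP_SLOTS:
        raise ValueError("Certificate-Count or body length inconsistent with an 8-slot array")
    slot = len(body) // MEMBERSHIP_SLOTS       # slot size derived from the body, not hard-coded
    slots = [body[i * slot:(i + 1) * slot] for i in range(MEMBERSHIP_SLOTS)]
    if any(s.strip(b"\x00") == b"" for s in slots[:count]):
        raise ValueError("Certificate-Count claims a populated slot that is all zeros")
    if any(s.strip(b"\x00") != b"" for s in slots[count:]):
        raise ValueError("unused slots must be zeroed; the body is probably mangled")
    return slots[:count]


def register_platform(platform_manifest):
    return parse_register_platform(*post_octet_stream(f"{REGISTRATION_BASE}/platform",
                                                      platform_manifest))


def add_package(add_request, subscription_key):
    return parse_add_package(*post_octet_stream(f"{REGISTRATION_BASE}/package",
                                                add_request, subscription_key))


def sample_add_package_response():
    """Constructed 200 response: three 40-byte 'certificates', five zeroed slots."""
    certs = [bytes([i + 1]) * 40 for i in range(3)]
    body = b"".join(certs) + bytes(40 * (MEMBERSHIP_SLOTS - 3))
    return 200, {"Certificate-Count": "3", "Request-ID": "sample"}, body, certs
```

The parsers are kept separate from the transport so they can be exercised against captured responses; the zero-slot checks catch a truncated body or a Certificate-Count that does not match the payload before any certificate is trusted.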

Intel® SGX and Intel® TDX Provisioning Certification Service for ECDSA Attestation

Download the Provisioning Certification Root CA Certificate for API v4 here:
DER PEM (fingerprint: 8bd31eb1d63ce37382c0ffaa0d8200a3011ad6ff)

Get/Post PCK Certificate V4

Subscription Optional

The Get PCK Certificate API allows requesting a single PCK certificate by specifying the platform's PPID (single-socket and multi-socket platforms) or Platform Manifest (multi-socket platforms only) and a set of SVNs.

Get PCK Certificate using PPID and SVNs is available for:

  • single-socket platforms - using this API does not require any prerequisites.
  • multi-socket platforms - using this API requires previous Platform Manifest registration using the Register Platform API exposed by the Registration Service. This flow requires that the platform root keys for the given platform are persistently stored in the backend (Registration Service). While issuing a PCK Certificate, the Provisioning Certification Service uses a PCK public key derived by the Registration Service from the stored platform root keys. The Keys Caching Policy for a platform using this API must be set to 'true'.

Get PCK Certificate using Platform Manifest and SVNs is available for:

  • multi-socket platforms - using this API does not require previous Platform Manifest registration using Registration Service. Using this flow does not require that platform root keys for a given platform are persistently stored in the backend (Registration Service). While issuing a PCK Certificate, Provisioning Certification Service uses a PCK public key derived by Registration Service based on platform root keys in the provided Platform Manifest. Depending on the Keys Caching Policy set for a given platform, platform root keys from the Platform Manifest will be either stored or not stored in the backend.

Setting Key Caching Policy for multi-socket platforms:

  • if you register Platform Manifest directly via Register Platform API exposed by Registration Service first (so called direct registration), Key Caching Policy will be set to always store platform root keys for given platform. The keys will be stored when Platform Manifest is sent to the backend (either via Register Platform API or via Get PCK Certificate(s) using Platform Manifest). The fact of storing keys in the backend is reflected by CachedKeys flag in PCK Certificates set to 'true'.
  • if you register Platform Manifest indirectly via Get PCK Certificate(s) using Platform Manifest API exposed by Provisioning Certification Service first (so called indirect registration), Key Caching Policy will be set to never store platform root keys for given platform. Platform root keys are discarded immediately after the PCK key is derived. However, the standard platform metadata is stored. In this case, Register Platform API exposed by Registration Service cannot be used anymore. The fact of NOT storing keys in the backend is reflected by CachedKeys flag in PCK Certificates set to 'false'.

NOTICE: When you request a single PCK Certificate, the PCS returns the PCK Certificate that represents the TCB level with the highest security posture supported by the SGX patching level applied to the platform. The platform's patching level is represented by the following inputs: CPUSVN and PCE ISVSVN.

GET https://api.trustedservices.intel.com/sgx/certification/v4/pckcert

Request

Name Type Request Type Required Pattern Description
Ocp-Apim-Subscription-Key String Header False Subscription key which provides access to this API. It can be found in your Profile.
PPID-Encryption-Key String Header False Type of key used to encrypt PPID. If not specified, "RSA-3072" will be used as default. Currently supported values: "RSA-3072"
encrypted_ppid String Query True ^[0-9a-fA-F]{768}$ Base16-encoded PPID encrypted with PPIDEK (384 bytes, byte array)
cpusvn String Query True ^[0-9a-fA-F]{32}$ Base16-encoded CPUSVN value (16 bytes, byte array)
pcesvn String Query True ^[0-9a-fA-F]{4}$ Base16-encoded PCESVN value (2 bytes, little endian)
pceid String Query True ^[0-9a-fA-F]{4}$ Base16-encoded PCE-ID value (2 bytes, little endian)
Example Request
curl -v -X GET "https://api.trustedservices.intel.com/sgx/certification/v4/pckcert?encrypted_ppid={}&cpusvn={}&pcesvn={}&pceid={}" -H "Ocp-Apim-Subscription-Key: {subscription key}" 

Response

Response description can be found here.

POST https://api.trustedservices.intel.com/sgx/certification/v4/pckcert

Request

Name Type Request Type Required Pattern Description
Ocp-Apim-Subscription-Key String Header False Subscription key which provides access to this API. It can be found in your Profile.
Content-Type String Header True application/json MIME type of the request body.
platformManifest String Body Field True ^[0-9a-fA-F]{16862,112884}$ Base16-encoded representation of Platform Manifest.
cpusvn String Body Field True ^[0-9a-fA-F]{32}$ Base16-encoded CPUSVN value (16 bytes, byte array)
pcesvn String Body Field True ^[0-9a-fA-F]{4}$ Base16-encoded PCESVN value (2 bytes, little endian)
pceid String Body Field True ^[0-9a-fA-F]{4}$ Base16-encoded PCE-ID value (2 bytes, little endian)
Body
{
    "platformManifest":"...",
    "cpusvn":"...",
    "pcesvn":"...",
    "pceid":"..."
}
                        
Example Request
curl -v -X POST --data '{"platformManifest":"...", "cpusvn":"...", "pcesvn":"...", "pceid":"..."}' "https://api.trustedservices.intel.com/sgx/certification/v4/pckcert" -H "Ocp-Apim-Subscription-Key: {subscription key}" -H "Content-Type: application/json" 

Response

Model

PckCert (X-PEM-FILE) - PEM-encoded representation of SGX PCK Certificate in case of success (200 HTTP status code)

Example Response
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
                        
Status Codes
Code Model Headers Description
200 PckCert

Content-Type - application/x-pem-file

Request-ID - Randomly generated identifier for each request (for troubleshooting purposes)

SGX-PCK-Certificate-Issuer-Chain - URL-encoded Issuer Certificate chain for SGX PCK Certificate in PEM format. It consists of SGX Root CA Certificate and SGX Intermediate CA Certificate (Processor CA, Platform CA).

SGX-TCBm - Hex-encoded string representation of concatenation of CPUSVN (16 bytes) and PCESVN (2 bytes) as returned in corresponding SGX PCK Certificate

SGX-FMSPC - Hex-encoded string representation of FMSPC (6 bytes).

SGX-PCK-Certificate-CA-Type - Type of the SGX Intermediate CA that issued the requested SGX PCK Certificate. One of the following values:

  • "processor" indicates a certificate issued by Intel SGX Processor CA.
  • "platform" indicates a certificate issued by Intel SGX Platform CA.

Warning - Optional header which contains warning message, for example information about deprecation of the API

Operation successful
400

Request-ID - Randomly generated identifier for each request (for troubleshooting purposes)

Warning - Optional header which contains warning message, for example information about deprecation of the API

Additional details about the error condition that occurred (in the form of specific error code and message) are returned to the client in the response headers: Error-Code and Error-Message (see the definition of response headers for details about the format). The table below defines all the error conditions that may occur:

Error-Code Error-Message
InvalidRequestSyntax The request could not be understood by the server due to malformed syntax.
InvalidRegistrationServer The request was rejected by the server as it is intended to be processed by a different instance of Registration Server (Registration Server Authentication Key mismatch).
InvalidOrRevokedPackage The request was rejected by the server due to invalid or revoked processor package.
PackageNotFound The request was rejected by the server as at least one of the processor packages could not be recognized by the server.
IncompatiblePackage The request was rejected by the server as at least one of the processor packages is incompatible with rest of the processor packages forming the platform.
InvalidPlatformManifest The request was rejected by the server due to invalid platform configuration.

Invalid request parameters.
401

Request-ID - Randomly generated identifier for each request (for troubleshooting purposes)

Warning - Optional header which contains warning message, for example information about deprecation of the API

Failed to authenticate or authorize the request
404

Request-ID - Randomly generated identifier for each request (for troubleshooting purposes)

Warning - Optional header which contains warning message, for example information about deprecation of the API

PCK Certificate for provided {ppid}, {cpusvn}, {pcesvn} and {pceid} cannot be found.
429

Retry-After - Non-negative decimal integer, indicating how long the user agent should wait before making a follow-up request (in seconds).

Warning - Optional header which contains warning message, for example information about deprecation of the API

Too many requests, limit has been reached.
500

Request-ID - Randomly generated identifier for each request (for troubleshooting purposes)

Warning - Optional header which contains warning message, for example information about deprecation of the API

Internal server error occurred
503

Request-ID - Randomly generated identifier for each request (for troubleshooting purposes)

Warning - Optional header which contains warning message, for example information about deprecation of the API

Server is currently unable to process the request
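The request table and the 200 response headers above together define what a client has to get right: hex encodings with fixed lengths, little-endian PCESVN and PCE-ID, and a TCBm/FMSPC/CA-type/issuer-chain header set that should be checked before the certificate is used. The following is an added example, not Intel's code: it builds the GET /pckcert URL from raw values (validating them with the same patterns the service enforces), then checks a 200 response. Assumptions: the 2 PCESVN bytes in SGX-TCBm are little-endian like the pcesvn request parameter; the 384-byte encrypted PPID is treated as an opaque ciphertext (PPIDEK encryption is out of scope); and sample_pckcert_response() returns constructed headers and placeholder PEM text, not real certificates.

```python
import re
import urllib.parse

PCS_BASE = "https://api.trustedservices.intel.com/sgx/certification/v4"
PARAM_PATTERNS = {                          # identical to the patterns in the request table
    "encrypted_ppid": re.compile(r"^[0-9a-fA-F]{768}$"),
    "cpusvn": re.compile(r"^[0-9a-fA-F]{32}$"),
    "pcesvn": re.compile(r"^[0-9a-fA-F]{4}$"),
    "pceid": re.compile(r"^[0-9a-fA-F]{4}$"),
}
PEM_CERT_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def u16_le_hex(value):
    """PCESVN and PCE-ID are sent as 2 bytes little-endian: 13 -> '0d00', not '000d'."""
    if not 0 <= value <= 0xFFFF:
        raise ValueError("value does not fit in 16 bits")
    return value.to_bytes(2, "little").hex()


def pckcert_url(encrypted_ppid, cpusvn, pcesvn, pceid):
    """Build the GET /pckcert URL from raw values, validating them client-side first."""
    params = {
        "encrypted_ppid": encrypted_ppid.hex(),  # 384 bytes of PPIDEK ciphertext, opaque here
        "cpusvn": cpusvn.hex(),                  # 16 raw bytes as read from the platform
        "pcesvn": u16_le_hex(pcesvn),
        "pceid": u16_le_hex(pceid),
    }
    for name, value in params.items():
        if not PARAM_PATTERNS[name].match(value):
            raise ValueError(f"{name} does not match {PARAM_PATTERNS[name].pattern}")
    return f"{PCS_BASE}/pckcert?" + urllib.parse.urlencode(params)


def parse_tcbm(tcbm):
    """SGX-TCBm = CPUSVN (16 bytes) || PCESVN (2 bytes, assumed little-endian like the query)."""
    if not re.fullmatch(r"[0-9a-fA-F]{36}", tcbm):
        raise ValueError("SGX-TCBm must be 36 hex characters")
    raw = bytes.fromhex(tcbm)
    return raw[:16], int.from_bytes(raw[16:], "little")


def check_pckcert_response(headers, body, req_cpusvn, req_pcesvn):
    """Validate a 200 response against the header table above and return the parsed fields."""
    h = {k.lower(): v for k, v in headers.items()}
    if not h.get("content-type", "").startswith("application/x-pem-file"):
        raise ValueError(f"unexpected Content-Type {h.get('content-type')!r}")
    ca_type = h["sgx-pck-certificate-ca-type"]
    if ca_type not in ("processor", "platform"):
        raise ValueError(f"unknown SGX-PCK-Certificate-CA-Type {ca_type!r}")
    fmspc = h["sgx-fmspc"].lower()
    if not re.fullmatch(r"[0-9a-f]{12}", fmspc):
        raise ValueError("SGX-FMSPC must be 6 bytes")
    cert_cpusvn, cert_pcesvn = parse_tcbm(h["sgx-tcbm"])
    # Per the NOTICE above, PCS picks the highest TCB level the platform's patch level supports,
    # so the certificate's TCB may be lower than what was requested, but never higher.
    if any(c > r for c, r in zip(cert_cpusvn, req_cpusvn)) or cert_pcesvn > req_pcesvn:
        raise ValueError("certificate TCB exceeds the platform's CPUSVN/PCESVN")
    chain = PEM_CERT_RE.findall(urllib.parse.unquote(h["sgx-pck-certificate-issuer-chain"]))
    if len(chain) != 2:                       # Processor or Platform CA plus the Root CA
        raise ValueError(f"issuer chain should hold 2 certificates, found {len(chain)}")
    leaf = PEM_CERT_RE.findall(body)
    if len(leaf) != 1:
        raise ValueError("body should hold exactly one PCK certificate")
    return {"ca_type": ca_type, "fmspc": fmspc, "tcb_cpusvn": cert_cpusvn,
            "tcb_pcesvn": cert_pcesvn, "issuer_chain": chain, "pck_cert": leaf[0]}


def fake_pem(label):
    """Placeholder PEM block (constructed, not a real certificate)."""
    return f"-----BEGIN CERTIFICATE-----\n{label}\n-----END CERTIFICATE-----"


def sample_pckcert_response():
    """Constructed 200 response: TCB one step below a platform at CPUSVN 01*16 / PCESVN 13."""
    headers = {
        "Content-Type": "application/x-pem-file",
        "Request-ID": "sample",
        "SGX-PCK-Certificate-CA-Type": "platform",
        "SGX-FMSPC": "0A0B0C0D0E0F",
        "SGX-TCBm": "01" * 15 + "00" + "0c00",
        "SGX-PCK-Certificate-Issuer-Chain": urllib.parse.quote(fake_pem("INTERMEDIATE-CA")
                                                               + "\n" + fake_pem("ROOT-CA")),
    }
    return headers, fake_pem("PCK-LEAF")
```

Signature verification of the chain is deliberately left to an X.509 library; what this adds is the cheap consistency check that the TCB the service attests to is not above the TCB the platform actually reports, and that the CA type and FMSPC are well-formed before they are used to look up the matching CRL and TCB Info.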

Get PCK Certificates V4

Subscription Optional

The Get PCK Certificates API allows requesting PCK certificates for all configured TCB levels for given platform by specifying the platform's PPID (single-socket and multi-socket platforms) or Platform Manifest (multi-socket platforms only).

Get PCK Certificates using PPID is available for:

  • single-socket platforms - using this API does not require any prerequisites.
  • multi-socket platforms - using this API requires previous Platform Manifest registration using the Register Platform API exposed by the Registration Service. This flow requires that the platform root keys for the given platform are persistently stored in the backend (Registration Service). While issuing PCK Certificates, the Provisioning Certification Service uses PCK public keys derived by the Registration Service from the stored platform root keys. The Keys Caching Policy for a platform using this API must be set to 'true'.

Get PCK Certificates using Platform Manifest is available for:

  • multi-socket platforms - using this API does not require previous Platform Manifest registration using the Registration Service. This flow does not require that the platform root keys for the given platform are persistently stored in the backend (Registration Service). While issuing PCK Certificates, the Provisioning Certification Service uses PCK public keys derived by the Registration Service from the platform root keys in the provided Platform Manifest. Depending on the Keys Caching Policy set for the platform, the platform root keys from the Platform Manifest will either be stored or not stored in the backend.

Setting Key Caching Policy for multi-socket platforms:

  • if you register Platform Manifest directly via Register Platform API exposed by Registration Service first (so called direct registration), Key Caching Policy will be set to always store platform root keys for given platform. The keys will be stored when Platform Manifest is sent to the backend (either via Register Platform API or via Get PCK Certificate(s) using Platform Manifest). The fact of storing keys in the backend is reflected by CachedKeys flag in PCK Certificates set to 'true'.
  • if you register Platform Manifest indirectly via Get PCK Certificate(s) using Platform Manifest API exposed by Provisioning Certification Service first (so called indirect registration), Key Caching Policy will be set to never store platform root keys for given platform. Platform root keys are discarded immediately after the PCK key is derived. However, the standard platform metadata is stored. In this case, Register Platform API exposed by Registration Service cannot be used anymore. The fact of NOT storing keys in the backend is reflected by CachedKeys flag in PCK Certificates set to 'false'.

GET https://api.trustedservices.intel.com/sgx/certification/v4/pckcerts

Retrieve X.509 Provisioning Certification Key (PCK) certificates for SGX-enabled platform for all configured TCB levels based on encrypted PPID and PCE-ID (supports both single and multi-package platforms).

Request

Name Type Request Type Required Pattern Description
Ocp-Apim-Subscription-Key String Header False Subscription key which provides access to this API. It can be found in your Profile.
PPID-Encryption-Key String Header False Type of key used to encrypt PPID. If not specified, "RSA-3072" will be used as default. Currently supported values: "RSA-3072"
encrypted_ppid String Query True ^[0-9a-fA-F]{768}$ Base16-encoded PPID encrypted with PPIDEK (384 bytes, byte array)
pceid String Query True ^[0-9a-fA-F]{4}$ Base16-encoded PCE-ID value (2 bytes, little endian)
Example Request
curl -v -X GET "https://api.trustedservices.intel.com/sgx/certification/v4/pckcerts?encrypted_ppid={}&pceid={}" -H "Ocp-Apim-Subscription-Key: {subscription key}" 

Response

Response description can be found here.

POST https://api.trustedservices.intel.com/sgx/certification/v4/pckcerts

Retrieve X.509 Provisioning Certification Key (PCK) certificates for SGX-enabled platform for all configured TCB levels based on Platform Manifest and PCE-ID (supports multi-package platforms only).

Request

Name Type Request Type Required Pattern Description
Ocp-Apim-Subscription-Key String Header False Subscription key which provides access to this API. It can be found in your Profile.
Content-Type String Header True application/json MIME type of the request body.
platformManifest String Body Field True ^[0-9a-fA-F]{16862,112884}$ Base16-encoded representation of Platform Manifest.
pceid String Body Field True ^[0-9a-fA-F]{4}$ Base16-encoded PCE-ID value (2 bytes, little endian)
Body
{
    "platformManifest":"...",
    "pceid":"..."
}
                        
Example Request
curl -v -X POST --data '{"platformManifest":"...", "pceid":"..."}' "https://api.trustedservices.intel.com/sgx/certification/v4/pckcerts" -H "Ocp-Apim-Subscription-Key: {subscription key}" -H "Content-Type: application/json" 

Response

Response description can be found here.

POST https://api.trustedservices.intel.com/sgx/certification/v4/pckcerts/config

Retrieve X.509 Provisioning Certification Key (PCK) certificates for SGX-enabled platform with a specific configuration reflected in a raw CPUSVN retrieved from the platform (supports multi-package platforms only).

Request

Name Type Request Type Required Pattern Description
Ocp-Apim-Subscription-Key String Header False Subscription key which provides access to this API. It can be found in your Profile.
Content-Type String Header True application/json MIME type of the request body.
platformManifest String Body Field True ^[0-9a-fA-F]{16862,112884}$ Base16-encoded representation of Platform Manifest.
cpusvn String Body Field True ^[0-9a-fA-F]{32}$ Base16-encoded CPUSVN value (16 bytes, byte array)
pceid String Body Field True ^[0-9a-fA-F]{4}$ Base16-encoded PCE-ID value (2 bytes, little endian)
Body
{
    "platformManifest":"...",
    "cpusvn":"...",
    "pceid":"..."
}
                        
Example Request
curl -v -X POST --data '{"platformManifest":"...", "pceid":"...", "cpusvn":"..."}' "https://api.trustedservices.intel.com/sgx/certification/v4/pckcerts/config" -H "Ocp-Apim-Subscription-Key: {subscription key}" -H "Content-Type: application/json" 

Response

Model

PckCerts (JSON) - Array of data structures consisting of tcb, tcbm and certificate encoded as JSON string in case of success (200 HTTP status code)

PckCerts:
        type: array
        description: >-
            Array of data structures consisting of tcb, tcbm and certificate
            encoded as JSON string in case of success (200 HTTP status code)
        items:
            type: object
            properties:
                tcb:
                    type: object
                    properties:
                        sgxtcbcomp01svn:
                            type: integer
                            example: 0
                            minimum: 0
                            maximum: 255
                        sgxtcbcomp02svn:
                            type: integer
                            example: 0
                            minimum: 0
                            maximum: 255
                        sgxtcbcomp03svn:
                            type: integer
                            example: 0
                            minimum: 0
                            maximum: 255
                        sgxtcbcomp04svn:
                            type: integer
                            example: 0
                            minimum: 0
                            maximum: 255
                        sgxtcbcomp05svn:
                            type: integer
                            example: 0
                            minimum: 0
                            maximum: 255
                        sgxtcbcomp06svn:
                            type: integer
                            example: 0
                            minimum: 0
                            maximum: 255
                        sgxtcbcomp07svn:
                            type: integer
                            example: 0
                            minimum: 0
                            maximum: 255
                        sgxtcbcomp08svn:
                            type: integer
                            example: 0
                            minimum: 0
                            maximum: 255
                        sgxtcbcomp09svn:
                            type: integer
                            example: 0
                            minimum: 0
                            maximum: 255
                        sgxtcbcomp10svn:
                            type: integer
                            example: 0
                            minimum: 0
                            maximum: 255
                        sgxtcbcomp11svn:
                            type: integer
                            example: 0
                            minimum: 0
                            maximum: 255
                        sgxtcbcomp12svn:
                            type: integer
                            example: 0
                            minimum: 0
                            maximum: 255
                        sgxtcbcomp13svn:
                            type: integer
                            example: 0
                            minimum: 0
                            maximum: 255
                        sgxtcbcomp14svn:
                            type: integer
                            example: 0
                            minimum: 0
                            maximum: 255
                        sgxtcbcomp15svn:
                            type: integer
                            example: 0
                            minimum: 0
                            maximum: 255
                        sgxtcbcomp16svn:
                            type: integer
                            example: 0
                            minimum: 0
                            maximum: 255
                        pcesvn:
                            type: integer
                            example: 0
                            minimum: 0
                            maximum: 65535
                tcbm:
                    type: string
                    description: >-
                        Hex-encoded string representation of concatenation of
                        CPUSVN (16 bytes) and PCESVN (2 bytes) as returned in
                        corresponding SGX PCK Certificate
                    pattern: '^[0-9a-fA-F]{36}$'
                    example: '000000000000000000000000000000000000'
                cert:
                    type: string
                    description: >-
                        URL-encoded SGX PCK Certificate in PEM format for given TCB
                        or "Not available" string if the certificate is not available for given TCB.
                        The certificate may not be available for given TCB
                        in case an updated Platform Manifest for a multi-package platform
                        has not been provided to the backend after a TCB recovery
                        (either via direct or indirect registration).
Example Response
[
   {
      "tcb":{
         "sgxtcbcomp01svn":0,
         "sgxtcbcomp02svn":0,
         "sgxtcbcomp03svn":0,
         "sgxtcbcomp04svn":0,
         "sgxtcbcomp05svn":0,
         "sgxtcbcomp06svn":0,
         "sgxtcbcomp07svn":0,
         "sgxtcbcomp08svn":0,
         "sgxtcbcomp09svn":0,
         "sgxtcbcomp10svn":0,
         "sgxtcbcomp11svn":0,
         "sgxtcbcomp12svn":0,
         "sgxtcbcomp13svn":0,
         "sgxtcbcomp14svn":0,
         "sgxtcbcomp15svn":0,
         "sgxtcbcomp16svn":0,
         "pcesvn":0
      },
      "tcbm":"000000000000000000000000000000000000",
      "cert":"-----BEGIN%20CERTIFICATE-----%0A...%3D%3D%0A-----END%20CERTIFICATE-----"
   }
]
                            
Status Codes
Code Model Headers Description
200 PckCerts

Content-Type - application/json

Request-ID - Randomly generated identifier for each request (for troubleshooting purposes)

SGX-PCK-Certificate-Issuer-Chain - Issuer Certificate chain for SGX PCK Certificates. It consists of SGX Root CA Certificate and SGX Intermediate CA Certificate (Processor CA, Platform CA).

SGX-FMSPC - Hex-encoded string representation of FMSPC (6 bytes).

SGX-PCK-Certificate-CA-Type - Type of the SGX Intermediate CA that issued the requested SGX PCK Certificate. One of the following values:

  • "processor" indicates a certificate issued by Intel SGX Processor CA.
  • "platform" indicates a certificate issued by Intel SGX Platform CA.

Warning - Optional header which contains warning message, for example information about deprecation of the API

Operation successful.
400

Request-ID - Randomly generated identifier for each request (for troubleshooting purposes)

Warning - Optional header which contains warning message, for example information about deprecation of the API

Additional details about the error condition that occurred (in the form of specific error code and message) are returned to the client in the response headers: Error-Code and Error-Message (see the definition of response headers for details about the format). The table below defines all the error conditions that may occur:

Error-Code Error-Message
InvalidRequestSyntax The request could not be understood by the server due to malformed syntax.
InvalidRegistrationServer The request was rejected by the server as it is intended to be processed by a different instance of Registration Server (Registration Server Authentication Key mismatch).
InvalidOrRevokedPackage The request was rejected by the server due to invalid or revoked processor package.
PackageNotFound The request was rejected by the server as at least one of the processor packages could not be recognized by the server.
IncompatiblePackage The request was rejected by the server as at least one of the processor packages is incompatible with rest of the processor packages forming the platform.
InvalidPlatformManifest The request was rejected by the server due to invalid platform configuration.

Invalid request parameters.
401

Request-ID - Randomly generated identifier for each request (for troubleshooting purposes)

Warning - Optional header which contains warning message, for example information about deprecation of the API

Failed to authenticate or authorize the request
404

Request-ID - Randomly generated identifier for each request (for troubleshooting purposes)

Warning - Optional header which contains warning message, for example information about deprecation of the API

PCK Certificate for provided {ppid} and {pceid} cannot be found.
429

Retry-After - Non-negative decimal integer, indicating how long the user agent should wait before making a follow-up request (in seconds).

Warning - Optional header which contains warning message, for example information about deprecation of the API

Too many requests, limit has been reached.
500

Request-ID - Randomly generated identifier for each request (for troubleshooting purposes)

Warning - Optional header which contains warning message, for example information about deprecation of the API

Internal server error occurred
503

Request-ID - Randomly generated identifier for each request (for troubleshooting purposes)

Warning - Optional header which contains warning message, for example information about deprecation of the API

Server is currently unable to process the request

Get Revocation List V4

Retrieve X.509 Certificate Revocation List with revoked SGX PCK Certificates. CRL is issued by Intel SGX Processor CA or Platform CA.

GET https://api.trustedservices.intel.com/sgx/certification/v4/pckcrl

Request

Name Type Request Type Required Pattern Description
ca String Query True (processor|platform) Identifier of the CA that issued the requested CRL. Allowed values:
  • "processor" - indicates CRL issued by Intel SGX Processor CA
  • "platform" - indicates CRL issued by Intel SGX Platform CA
encoding String Query False (pem|der) Optional identifier of the encoding for the requested CRL.
If the parameter is not provided, PEM encoding is assumed.
Example Request
curl -v -X GET "https://api.trustedservices.intel.com/sgx/certification/v4/pckcrl?ca={}&encoding={}" 

Response

Model

PckCrl (X-PEM-FILE, PKIX-CRL) - PEM or DER-encoded representation of SGX Platform CA CRL or SGX Processor CA CRL in case of success (200 HTTP status code).

Example Response
-----BEGIN X509 CRL-----
...
-----END X509 CRL-----
                            
Status Codes
Code Model Headers Description
200 PckCrl

Content-Type - The value depends on the encoding of CRL:

  • PEM: "application/x-pem-file"
  • DER: "application/pkix-crl"

Request-ID - Randomly generated identifier for each request (for troubleshooting purposes)

SGX-PCK-CRL-Issuer-Chain - Issuer Certificate chain for SGX PCK CRL. It consists of SGX Root CA Certificate and SGX Intermediate CA Certificate (Processor CA, Platform CA).

Warning - Optional header which contains warning message, for example information about deprecation of the API

Operation successful.
400

Request-ID - Randomly generated identifier for each request (for troubleshooting purposes)

Warning - Optional header which contains warning message, for example information about deprecation of the API

Invalid request parameters.
401

Request-ID - Randomly generated identifier for each request (for troubleshooting purposes)

Warning - Optional header which contains warning message, for example information about deprecation of the API

Failed to authenticate or authorize the request
500

Request-ID - Randomly generated identifier for each request (for troubleshooting purposes)

Warning - Optional header which contains warning message, for example information about deprecation of the API

Internal server error occurred
503

Request-ID - Randomly generated identifier for each request (for troubleshooting purposes)

Warning - Optional header which contains warning message, for example information about deprecation of the API

Server is currently unable to process the request

Get SGX TCB Info V4

Retrieve SGX TCB information for given FMSPC.

Determining the status of an SGX TCB level for a given platform must be done using SGX TCB information according to the following algorithm:

  1. Retrieve FMSPC value from SGX PCK Certificate assigned to a given platform.
  2. Retrieve SGX TCB Info matching the FMSPC value.
  3. Go over the sorted collection of TCB Levels retrieved from TCB Info starting from the first item on the list:
    a. Compare all of the SGX TCB Comp SVNs retrieved from the SGX PCK Certificate (from 01 to 16) with the corresponding values of SVNs in sgxtcbcomponents array of TCB Level. If all SGX TCB Comp SVNs in the certificate are greater or equal to the corresponding values in TCB Level, go to 3.b, otherwise move to the next item on TCB Levels list.
    b. Compare PCESVN value retrieved from the SGX PCK certificate with the corresponding value in the TCB Level. If it is greater or equal to the value in TCB Level, read status assigned to this TCB level. Otherwise, move to the next item on TCB Levels list.
  4. If no TCB level matches your SGX PCK Certificate, your TCB Level is not supported.

GET https://api.trustedservices.intel.com/sgx/certification/v4/tcb

Request

Name Type Request Type Required Pattern Description
fmspc String Query True ^[0-9a-fA-F]{12}$ Base16-encoded FMSPC value (6 bytes, byte array)
update String Query False (early|standard) Type of update to TCB Info
If not provided standard is assumed.
  • early indicates an early access to updated TCB Info provided as part of a TCB recovery event
      (commonly the day of public disclosure of the items in scope**)
  • standard indicates standard access to updated TCB Info provided as part of a TCB recovery event
      (commonly approximately 8 weeks after public disclosure of the items in scope,
      but can vary based on overall scope**)
    Example Request
    curl -v -X GET "https://api.trustedservices.intel.com/sgx/certification/v4/tcb?fmspc={}&update={}"
    Example Response
    {
      "tcbInfo": {
        "id": "SGX",
        "version": 3,
        "issueDate": "2022-04-13T09:38:17Z",
        "nextUpdate": "2022-05-13T09:38:17Z",
        "fmspc": "50806F000000",
        "pceId": "0000",
        "tcbType": 0,
        "tcbEvaluationDataNumber": 12,
        "tcbLevels": [
          {
            "tcb": {
              "sgxtcbcomponents": [
                {
                  "svn": 1,
                  "category": "BIOS",
                  "type": "Early Microcode Update"
                },
                {
                  "svn": 1,
                  "category": "OS/VMM",
                  "type": "SGX Late Microcode Update"
                },
                {
                  "svn": 2,
                  "category": "OS/VMM",
                  "type": "TXT SINIT"
                },
                {
                  "svn": 2,
                  "category": "BIOS"
                },
                {
                  "svn": 2,
                  "category": "BIOS"
                },
                {
                  "svn": 1,
                  "category": "BIOS"
                },
                {
                  "svn": 0
                },
                {
                  "svn": 2,
                  "category": "OS/VMM",
                  "type": "SEAMLDR ACM"
                },
                {
                  "svn": 0
                },
                {
                  "svn": 0
                },
                {
                  "svn": 0
                },
                {
                  "svn": 0
                },
                {
                  "svn": 0
                },
                {
                  "svn": 0
                },
                {
                  "svn": 0
                },
                {
                  "svn": 0
                }
              ],
              "pcesvn": 11
            },
            "tcbDate": "2021-11-10T00:00:00Z",
            "tcbStatus": "UpToDate"
          },
          {
            "tcb": {
              "sgxtcbcomponents": [
                {
                  "svn": 1,
                  "category": "BIOS",
                  "type": "Early Microcode Update"
                },
                {
                  "svn": 1,
                  "category": "OS/VMM",
                  "type": "SGX Late Microcode Update"
                },
                {
                  "svn": 2,
                  "category": "OS/VMM",
                  "type": "TXT SINIT"
                },
                {
                  "svn": 2,
                  "category": "BIOS"
                },
                {
                  "svn": 2,
                  "category": "BIOS"
                },
                {
                  "svn": 1,
                  "category": "BIOS"
                },
                {
                  "svn": 0
                },
                {
                  "svn": 2,
                  "category": "OS/VMM",
                  "type": "SEAMLDR ACM"
                },
                {
                  "svn": 0
                },
                {
                  "svn": 0
                },
                {
                  "svn": 0
                },
                {
                  "svn": 0
                },
                {
                  "svn": 0
                },
                {
                  "svn": 0
                },
                {
                  "svn": 0
                },
                {
                  "svn": 0
                }
              ],
              "pcesvn": 5
            },
            "tcbDate": "2018-01-04T00:00:00Z",
            "tcbStatus": "OutOfDate"
          }
        ]
      },
      "signature": "e9de1198f5b8ce22c626ac4182b92a83ba61693f483a398dc5c2afed65d757cb35cefd7e284cb1f4fbdb9a6e74171fe72bf724050dde5e8d6d93d2339eea3cf2"
    }
                                

    Response

    Model - Appendix A: TCB Info V3

    Status Codes
    Code Model Headers Description
    200 TcbInfoV3

    Content-Type - application/json

    Request-ID - Randomly generated identifier for each request (for troubleshooting purposes)

    TCB-Info-Issuer-Chain - Issuer Certificate chain for SGX TCB Info in PEM format. It consists of SGX TCB Signing Certificate and SGX Root CA Certificate.

    Warning - Optional header which contains warning message, for example information about deprecation of the API

    Operation successful
    400

    Request-ID - Randomly generated identifier for each request (for troubleshooting purposes)

    Warning - Optional header which contains warning message, for example information about deprecation of the API

    Invalid request parameters.
    401

    Request-ID - Randomly generated identifier for each request (for troubleshooting purposes)

    Warning - Optional header which contains warning message, for example information about deprecation of the API

    Failed to authenticate or authorize the request
    404

    Request-ID - Randomly generated identifier for each request (for troubleshooting purposes)

    Warning - Optional header which contains warning message, for example information about deprecation of the API

    TCB information for provided {fmspc} cannot be found.
    500

    Request-ID - Randomly generated identifier for each request (for troubleshooting purposes)

    Warning - Optional header which contains warning message, for example information about deprecation of the API

    Internal server error occurred
    503

    Request-ID - Randomly generated identifier for each request (for troubleshooting purposes)

    Warning - Optional header which contains warning message, for example information about deprecation of the API

    Server is currently unable to process the request

    Get TDX TCB Info V4

    Retrieve TDX TCB information for given FMSPC.

    Determining the status of a TDX TCB level for a given platform must be done using TDX TCB information according to the following algorithm:

    1. Retrieve FMSPC value from SGX PCK Certificate assigned to a given platform.
    2. Retrieve TDX TCB Info matching the FMSPC value.
    3. Go over the sorted collection of TCB Levels retrieved from TCB Info starting from the first item on the list:
      a. Compare all of the SGX TCB Comp SVNs retrieved from the SGX PCK Certificate (from 01 to 16) with the corresponding values of SVNs in sgxtcbcomponents array of TCB Level. If all SGX TCB Comp SVNs in the certificate are greater or equal to the corresponding values in TCB Level, go to 3.b, otherwise move to the next item on TCB Levels list.
      b. Compare PCESVN value retrieved from the SGX PCK certificate with the corresponding value in the TCB Level. If it is greater or equal to the value in TCB Level, go to 3.c, otherwise move to the next item on TCB Levels list.
      c. Compare SVNs in TEE TCB SVN array retrieved from TD Report in Quote (from index 0 to 15 if TEE TCB SVN at index 1 is set to 0, or from index 2 to 15 otherwise) with the corresponding values of SVNs in tdxtcbcomponents array of TCB Level. If all TEE TCB SVNs in the TD Report are greater or equal to the corresponding values in TCB Level, read tcbStatus assigned to this TCB level. Otherwise, move to the next item on TCB Levels list.
    4. If no TCB level matches your SGX PCK Certificate and TD Report, your TCB level is not supported.
    5. Perform additional TCB status evaluation for TDX module in case TEE TCB SVN at index 1 is greater or equal to 1, otherwise finish the comparison logic. In order to determine TCB status of TDX module, find a matching TDX Module Identity (in tdxModuleIdentities array of TCB Info) with its id set to "TDX_<version>" where <version> matches the value of TEE TCB SVN at index 1. If a matching TDX Module Identity cannot be found, go to step 6, otherwise, for the selected TDX Module Identity go over the sorted collection of TCB Levels starting from the first item on the list and compare its isvsvn value to the TEE TCB SVN at index 0. If TEE TCB SVN at index 0 is greater or equal to its value, read tcbStatus assigned to this TCB level, otherwise move to the next item on TCB levels list.
    6. If no TCB level matches, the TCB level of TDX Module is not supported.
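The SGX algorithm in "Get SGX TCB Info V4" and the TDX algorithm above, carried through in code as an added example (not Intel's code). The TCB Info dictionaries are constructed, shortened copies of the page's example responses; the tdxModuleIdentities entry, its zero-padded "TDX_02" id and the "tcb": {"isvsvn": ...} nesting are assumptions, since the page describes but does not show that structure.

```python
"""Worked TCB level evaluation for SGX and TDX TCB Info V3 (added example)."""
from typing import List, Optional


def _comps(svns: List[int]) -> List[dict]:
    return [{"svn": s} for s in svns]


# Constructed, shortened copies of the page's example responses: only the
# fields the algorithm reads are kept and the signature is omitted (checking
# it against TCB-Info-Issuer-Chain comes first in practice).
_SGX_COMPS = [1, 1, 2, 2, 2, 1, 0, 2] + [0] * 8     # sgxtcbcomponents
_TDX_COMPS = [2, 0, 1] + [0] * 13                   # tdxtcbcomponents

SGX_TCB_INFO = {
    "id": "SGX", "fmspc": "50806F000000",
    "tcbLevels": [
        {"tcb": {"sgxtcbcomponents": _comps(_SGX_COMPS), "pcesvn": 11},
         "tcbStatus": "UpToDate"},
        {"tcb": {"sgxtcbcomponents": _comps(_SGX_COMPS), "pcesvn": 5},
         "tcbStatus": "OutOfDate"},
    ],
}

TDX_TCB_INFO = {
    "id": "TDX", "fmspc": "50806F000000",
    "tcbLevels": [
        {"tcb": {"sgxtcbcomponents": _comps(_SGX_COMPS), "pcesvn": 11,
                 "tdxtcbcomponents": _comps(_TDX_COMPS)}, "tcbStatus": "UpToDate"},
        {"tcb": {"sgxtcbcomponents": _comps(_SGX_COMPS), "pcesvn": 5,
                 "tdxtcbcomponents": _comps(_TDX_COMPS)}, "tcbStatus": "OutOfDate"},
    ],
    # Constructed TDX Module Identity (not in the page's example). The
    # zero-padded id and the "tcb": {"isvsvn": ...} nesting are assumptions.
    "tdxModuleIdentities": [
        {"id": "TDX_02",
         "tcbLevels": [{"tcb": {"isvsvn": 3}, "tcbStatus": "UpToDate"},
                       {"tcb": {"isvsvn": 2}, "tcbStatus": "OutOfDate"}]},
    ],
}


def _svns(components: List[dict]) -> List[int]:
    return [c["svn"] for c in components]


def _covers(actual: List[int], required: List[int]) -> bool:
    """True when every actual SVN is >= the corresponding required SVN."""
    return len(actual) == len(required) and all(a >= r for a, r in zip(actual, required))


def sgx_tcb_status(tcb_info: dict, cert_svns: List[int], cert_pcesvn: int) -> Optional[str]:
    """Steps 3-4 of the SGX algorithm. cert_svns are the 16 SGX TCB Comp SVNs
    and cert_pcesvn the PCESVN read from the platform's PCK certificate.
    Returns the tcbStatus of the first matching level, or None (unsupported)."""
    for level in tcb_info["tcbLevels"]:            # list arrives sorted
        tcb = level["tcb"]
        if not _covers(cert_svns, _svns(tcb["sgxtcbcomponents"])):
            continue                               # step 3.a failed
        if cert_pcesvn < tcb["pcesvn"]:
            continue                               # step 3.b failed
        return level["tcbStatus"]
    return None


def tdx_tcb_status(tcb_info: dict, cert_svns: List[int], cert_pcesvn: int,
                   tee_tcb_svn: List[int]) -> Optional[str]:
    """Steps 3-4 of the TDX algorithm; tee_tcb_svn is the 16-entry TEE TCB SVN
    array from the TD Report. Indices 0 and 1 are skipped when index 1 != 0,
    because they then describe the TDX module (evaluated separately below)."""
    start = 0 if tee_tcb_svn[1] == 0 else 2
    for level in tcb_info["tcbLevels"]:
        tcb = level["tcb"]
        if not _covers(cert_svns, _svns(tcb["sgxtcbcomponents"])):
            continue                               # step 3.a failed
        if cert_pcesvn < tcb["pcesvn"]:
            continue                               # step 3.b failed
        if not _covers(tee_tcb_svn[start:], _svns(tcb["tdxtcbcomponents"])[start:]):
            continue                               # step 3.c failed
        return level["tcbStatus"]
    return None


def tdx_module_status(tcb_info: dict, tee_tcb_svn: List[int]) -> Optional[str]:
    """Steps 5-6: applies only when TEE TCB SVN[1] >= 1. Returns the matching
    module level's tcbStatus; None when the check does not apply (index 1 is 0)
    or when no identity or level matches (unsupported)."""
    version = tee_tcb_svn[1]
    if version < 1:
        return None                                # step 5: nothing to evaluate
    wanted = "TDX_%02d" % version                  # assumed zero-padded id form
    for identity in tcb_info.get("tdxModuleIdentities", []):
        if identity["id"] != wanted:
            continue
        for level in identity["tcbLevels"]:        # sorted, highest isvsvn first
            if tee_tcb_svn[0] >= level["tcb"]["isvsvn"]:
                return level["tcbStatus"]
        return None                                # step 6
    return None                                    # no identity found: step 6
```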

    GET https://api.trustedservices.intel.com/tdx/certification/v4/tcb

    Request

    Name Type Request Type Required Pattern Description
    fmspc String Query True ^[0-9a-fA-F]{12}$ Base16-encoded FMSPC value (6 bytes, byte array)
    update String Query False (early|standard) Type of update to TCB Info
    If not provided standard is assumed.
  • early indicates an early access to updated TCB Info provided as part of a TCB recovery event
      (commonly the day of public disclosure of the items in scope**)
  • standard indicates standard access to updated TCB Info provided as part of a TCB recovery event
      (commonly approximately 8 weeks after public disclosure of the items in scope,
      but can vary based on overall scope**)
    Example Request
    curl -v -X GET "https://api.trustedservices.intel.com/tdx/certification/v4/tcb?fmspc={}&update={}"
    Example Response
    {
      "tcbInfo": {
        "id": "TDX",
        "version": 3,
        "issueDate": "2022-04-13T09:37:45Z",
        "nextUpdate": "2022-05-13T09:37:45Z",
        "fmspc": "50806F000000",
        "pceId": "0000",
        "tcbType": 0,
        "tcbEvaluationDataNumber": 12,
        "tdxModule": {
          "mrsigner": "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
          "attributes": "0000000000000000",
          "attributesMask": "FFFFFFFFFFFFFFFF"
        },
        "tcbLevels": [
          {
            "tcb": {
              "sgxtcbcomponents": [
                {
                  "svn": 1,
                  "category": "BIOS",
                  "type": "Early Microcode Update"
                },
                {
                  "svn": 1,
                  "category": "OS/VMM",
                  "type": "SGX Late Microcode Update"
                },
                {
                  "svn": 2,
                  "category": "OS/VMM",
                  "type": "TXT SINIT"
                },
                {
                  "svn": 2,
                  "category": "BIOS"
                },
                {
                  "svn": 2,
                  "category": "BIOS"
                },
                {
                  "svn": 1,
                  "category": "BIOS"
                },
                {
                  "svn": 0
                },
                {
                  "svn": 2,
                  "category": "OS/VMM",
                  "type": "SEAMLDR ACM"
                },
                {
                  "svn": 0
                },
                {
                  "svn": 0
                },
                {
                  "svn": 0
                },
                {
                  "svn": 0
                },
                {
                  "svn": 0
                },
                {
                  "svn": 0
                },
                {
                  "svn": 0
                },
                {
                  "svn": 0
                }
              ],
              "pcesvn": 11,
              "tdxtcbcomponents": [
                {
                  "svn": 2,
                  "category": "OS/VMM",
                  "type": "TDX Module"
                },
                {
                  "svn": 0
                },
                {
                  "svn": 1,
                  "category": "OS/VMM",
                  "type": "TDX Late Microcode Update"
                },
                {
                  "svn": 0
                },
                {
                  "svn": 0
                },
                {
                  "svn": 0
                },
                {
                  "svn": 0
                },
                {
                  "svn": 0
                },
                {
                  "svn": 0
                },
                {
                  "svn": 0
                },
                {
                  "svn": 0
                },
                {
                  "svn": 0
                },
                {
                  "svn": 0
                },
                {
                  "svn": 0
                },
                {
                  "svn": 0
                },
                {
                  "svn": 0
                }
              ]
            },
            "tcbDate": "2021-11-10T00:00:00Z",
            "tcbStatus": "UpToDate"
          },
          {
            "tcb": {
              "sgxtcbcomponents": [
                {
                  "svn": 1,
                  "category": "BIOS",
                  "type": "Early Microcode Update"
                },
                {
                  "svn": 1,
                  "category": "OS/VMM",
                  "type": "SGX Late Microcode Update"
                },
                {
                  "svn": 2,
                  "category": "OS/VMM",
                  "type": "TXT SINIT"
                },
                {
                  "svn": 2,
                  "category": "BIOS"
                },
                {
                  "svn": 2,
                  "category": "BIOS"
                },
                {
                  "svn": 1,
                  "category": "BIOS"
                },
                {
                  "svn": 0
                },
                {
                  "svn": 2,
                  "category": "OS/VMM",
                  "type": "SEAMLDR ACM"
                },
                {
                  "svn": 0
                },
                {
                  "svn": 0
                },
                {
                  "svn": 0
                },
                {
                  "svn": 0
                },
                {
                  "svn": 0
                },
                {
                  "svn": 0
                },
                {
                  "svn": 0
                },
                {
                  "svn": 0
                }
              ],
              "pcesvn": 5,
              "tdxtcbcomponents": [
                {
                  "svn": 2,
                  "category": "OS/VMM",
                  "type": "TDX Module"
                },
                {
                  "svn": 0
                },
                {
                  "svn": 1,
                  "category": "OS/VMM",
                  "type": "TDX Late Microcode Update"
                },
                {
                  "svn": 0
                },
                {
                  "svn": 0
                },
                {
                  "svn": 0
                },
                {
                  "svn": 0
                },
                {
                  "svn": 0
                },
                {
                  "svn": 0
                },
                {
                  "svn": 0
                },
                {
                  "svn": 0
                },
                {
                  "svn": 0
                },
                {
                  "svn": 0
                },
                {
                  "svn": 0
                },
                {
                  "svn": 0
                },
                {
                  "svn": 0
                }
              ]
            },
            "tcbDate": "2018-01-04T00:00:00Z",
            "tcbStatus": "OutOfDate"
          }
        ]
      },
      "signature": "567769750d895be97ef0cb1eb951f1cf78bf0dfbacd8ad50ad3b1a46623cd4827daf69edcb3cbf283c1ab177bf417a4353a0346ba956b38f4816ff739fe935e6"
    }
                                

    Response

    Model - Appendix A: TCB Info V3

    Status Codes
    Code Model Headers Description
    200 TcbInfoV3

    Content-Type - application/json

    Request-ID - Randomly generated identifier for each request (for troubleshooting purposes)

    TCB-Info-Issuer-Chain - Issuer Certificate chain for SGX TCB Info in PEM format. It consists of SGX TCB Signing Certificate and SGX Root CA Certificate.

    Warning - Optional header which contains warning message, for example information about deprecation of the API

    Operation successful
    400

    Request-ID - Randomly generated identifier for each request (for troubleshooting purposes)

    Warning - Optional header which contains warning message, for example information about deprecation of the API

    Invalid request parameters.
    401

    Request-ID - Randomly generated identifier for each request (for troubleshooting purposes)

    Warning - Optional header which contains warning message, for example information about deprecation of the API

    Failed to authenticate or authorize the request
    404

    Request-ID - Randomly generated identifier for each request (for troubleshooting purposes)

    Warning - Optional header which contains warning message, for example information about deprecation of the API

    TCB information for provided {fmspc} cannot be found.
    500

    Request-ID - Randomly generated identifier for each request (for troubleshooting purposes)

    Warning - Optional header which contains warning message, for example information about deprecation of the API

    Internal server error occurred
    503

    Request-ID - Randomly generated identifier for each request (for troubleshooting purposes)

    Warning - Optional header which contains warning message, for example information about deprecation of the API

    Server is currently unable to process the request

    Enclave Identity V4

    Determining if the identity of an SGX Enclave (represented by SGX Enclave Report) matches a valid, up-to-date Enclave Identity issued by Intel requires the following steps:

    1. Retrieve Enclave Identity (SGX QE, TDX QE or QVE) from PCS and verify that it is a valid structure issued by Intel.
    2. Perform the following comparison of SGX Enclave Report against the retrieved Enclave Identity:
      1. Verify if MRSIGNER field retrieved from SGX Enclave Report is equal to the value of mrsigner field in Enclave Identity.
      2. Verify if ISVPRODID field retrieved from SGX Enclave Report is equal to the value of isvprodid field in Enclave Identity.
      3. Apply miscselectMask (binary mask) from Enclave Identity to MISCSELECT field retrieved from SGX Enclave Report. Verify if the outcome (miscselectMask & MISCSELECT) is equal to the value of miscselect field in Enclave Identity.
      4. Apply attributesMask (binary mask) from Enclave Identity to ATTRIBUTES field retrieved from SGX Enclave Report. Verify if the outcome (attributesMask & ATTRIBUTES) is equal to the value of attributes field in Enclave Identity.
    3. If any of the checks above fail, the identity of the enclave does not match Enclave Identity published by Intel.
    4. Determine a TCB status of the Enclave:
      1. Retrieve a collection of TCB Levels (sorted by ISVSVNs) from tcbLevels field in Enclave Identity structure.
      2. Go over the list of TCB Levels (descending order) and find the one that has ISVSVN that is lower or equal to the ISVSVN value from SGX Enclave Report.
      3. If a TCB level is found, read its status from tcbStatus field, otherwise your TCB Level is not supported.
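The comparison steps above, written out as an added example (not Intel's code). The QE Identity and the Enclave Report values are constructed for the example; the hex field widths (4-byte MISCSELECT, 16-byte ATTRIBUTES, 32-byte MRSIGNER) and the "tcb": {"isvsvn": ...} nesting follow Appendix B as this editor understands it and are assumptions here.

```python
"""Enclave Identity matching and TCB status lookup (added example)."""
from dataclasses import dataclass
from typing import Optional

# Constructed QE Identity in the Enclave Identity V2 shape (values made up for
# this example). In practice it is fetched from the endpoint above and its
# signature checked against SGX-Enclave-Identity-Issuer-Chain first.
QE_IDENTITY = {
    "id": "QE",
    "version": 2,
    "mrsigner": "aa" * 32,                                # 32-byte hex
    "isvprodid": 1,
    "miscselect": "00000000",                             # 4-byte hex
    "miscselectMask": "FFFFFFFF",
    "attributes": "11000000000000000000000000000000",     # 16-byte hex
    "attributesMask": "FBFFFFFFFFFFFFFF0000000000000000",
    "tcbLevels": [
        {"tcb": {"isvsvn": 8}, "tcbStatus": "UpToDate"},
        {"tcb": {"isvsvn": 6}, "tcbStatus": "OutOfDate"},
    ],
}


@dataclass(frozen=True)
class EnclaveReport:
    """The fields of an SGX Enclave Report that the comparison reads."""
    mrsigner: bytes      # 32 bytes
    isvprodid: int
    miscselect: bytes    # 4 bytes
    attributes: bytes    # 16 bytes (flags || xfrm)
    isvsvn: int


# Constructed report: its ATTRIBUTES differ from the identity only in bits the
# mask clears (0x15 & 0xFB == 0x11, and the xfrm half is masked out entirely).
SAMPLE_REPORT = EnclaveReport(
    mrsigner=bytes.fromhex("aa" * 32),
    isvprodid=1,
    miscselect=bytes(4),
    attributes=bytes.fromhex("1500000000000000" + "1f00000000000000"),
    isvsvn=7,
)


def _masked_equal(value: bytes, mask_hex: str, expected_hex: str) -> bool:
    """(mask & value) == expected, with a length check so a truncated field
    cannot pass by accident."""
    mask, expected = bytes.fromhex(mask_hex), bytes.fromhex(expected_hex)
    if not len(value) == len(mask) == len(expected):
        return False
    return bytes(v & m for v, m in zip(value, mask)) == expected


def identity_matches(report: EnclaveReport, identity: dict) -> bool:
    """Steps 2.a-2.d: MRSIGNER, ISVPRODID, masked MISCSELECT, masked ATTRIBUTES."""
    return (report.mrsigner == bytes.fromhex(identity["mrsigner"])
            and report.isvprodid == identity["isvprodid"]
            and _masked_equal(report.miscselect, identity["miscselectMask"], identity["miscselect"])
            and _masked_equal(report.attributes, identity["attributesMask"], identity["attributes"]))


def enclave_tcb_status(report: EnclaveReport, identity: dict) -> Optional[str]:
    """Step 4: walk tcbLevels by descending isvsvn and return the status of the
    first level whose isvsvn <= the report's ISVSVN; None if unsupported."""
    levels = sorted(identity["tcbLevels"], key=lambda lv: lv["tcb"]["isvsvn"], reverse=True)
    for level in levels:
        if level["tcb"]["isvsvn"] <= report.isvsvn:
            return level["tcbStatus"]
    return None


def evaluate_enclave(report: EnclaveReport, identity: dict) -> Optional[str]:
    """Combined result: None when the identity does not match (step 3) or no
    TCB level applies, otherwise the tcbStatus string."""
    if not identity_matches(report, identity):
        return None
    return enclave_tcb_status(report, identity)
```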

    GET https://api.trustedservices.intel.com/sgx/certification/v4/qe/identity

    Request

    Name Type Request Type Required Pattern Description
    update String Query False (early|standard) Type of update to QE Identity
    If not provided standard is assumed.
  • early indicates an early access to updated QE Identity provided as part of a TCB recovery event
      (commonly the day of public disclosure of the items in scope**)
  • standard indicates standard access to updated QE Identity provided as part of a TCB recovery event
      (commonly approximately 8 weeks after public disclosure of the items in scope,
      but can vary based on overall scope**)
  • Example Request
    curl -v -X GET "https://api.trustedservices.intel.com/sgx/certification/v4/qe/identity?update={}" 

    Response

    Model - Appendix B: Enclave Identity V2

    Status Codes
    Code Model Headers Description
    200 QEIdentityV2

    Content-Type - application/json

    Request-ID - Randomly generated identifier for each request (for troubleshooting purposes)

    SGX-Enclave-Identity-Issuer-Chain - URL encoded issuer chain for SGX QE Identity in PEM format (all certificates in the chain, appended to each other in the following order: <Signing Certificate><Root CA Certificate>).

    Warning - Optional header which contains warning message, for example information about deprecation of the API

    Operation successful
    400

    Request-ID - Randomly generated identifier for each request (for troubleshooting purposes)

    Warning - Optional header which contains warning message, for example information about deprecation of the API

    Invalid request parameters.
    401

    Request-ID - Randomly generated identifier for each request (for troubleshooting purposes)

    Warning - Optional header which contains warning message, for example information about deprecation of the API

    Failed to authenticate or authorize the request
    404

    Request-ID - Randomly generated identifier for each request (for troubleshooting purposes)

    Warning - Optional header which contains warning message, for example information about deprecation of the API

    QVE Identity information cannot be found.
    500

    Request-ID - Randomly generated identifier for each request (for troubleshooting purposes)

    Warning - Optional header which contains warning message, for example information about deprecation of the API

    Internal server error occurred
    503

    Request-ID - Randomly generated identifier for each request (for troubleshooting purposes)

    Warning - Optional header which contains warning message, for example information about deprecation of the API

    Server is currently unable to process the request
    Example Response
    {
      "enclaveIdentity": {
        "id": "QE",
        "version": 2,
        "issueDate": "2022-04-13T10:15:38Z",
        "nextUpdate": "2022-05-13T10:15:38Z",
        "tcbEvaluationDataNumber": 12,
        "miscselect": "00000000",
        "miscselectMask": "FFFFFFFF",
        "attributes": "11000000000000000000000000000000",
        "attributesMask": "FBFFFFFFFFFFFFFF0000000000000000",
        "mrsigner": "8C4F5775D796503E96137F77C68A829A0056AC8DED70140B081B094490C57BFF",
        "isvprodid": 1,
        "tcbLevels": [
          {
            "tcb": {
              "isvsvn": 6
            },
            "tcbDate": "2021-11-10T00:00:00Z",
            "tcbStatus": "UpToDate"
          },
          {
            "tcb": {
              "isvsvn": 5
            },
            "tcbDate": "2020-11-11T00:00:00Z",
            "tcbStatus": "OutOfDate"
          },
          {
            "tcb": {
              "isvsvn": 4
            },
            "tcbDate": "2019-11-13T00:00:00Z",
            "tcbStatus": "OutOfDate"
          },
          {
            "tcb": {
              "isvsvn": 2
            },
            "tcbDate": "2019-05-15T00:00:00Z",
            "tcbStatus": "OutOfDate"
          },
          {
            "tcb": {
              "isvsvn": 1
            },
            "tcbDate": "2018-08-15T00:00:00Z",
            "tcbStatus": "OutOfDate"
          }
        ]
      },
      "signature": "225359b14e870bd81a9e92691cdf5af520883688ec326af0327047a8516e0329c0ba94e1fec24be74f99ca6e7cffb5b46332346edc72e7063096e01340253c06"
    }
                                

    GET https://api.trustedservices.intel.com/tdx/certification/v4/qe/identity

    Request

    Name Type Request Type Required Pattern Description
    update String Query False (early|standard) Type of update to QE Identity
    If not provided standard is assumed.
  • early indicates an early access to updated QE Identity provided as part of a TCB recovery event
      (commonly the day of public disclosure of the items in scope**)
  • standard indicates standard access to updated QE Identity provided as part of a TCB recovery event
      (commonly approximately 8 weeks after public disclosure of the items in scope,
      but can vary based on overall scope**)
  • Example Request
    curl -v -X GET "https://api.trustedservices.intel.com/tdx/certification/v4/qe/identity?update={}" 

    Response

    Model - Appendix B: Enclave Identity V2

    Status Codes
    Code Model Headers Description
    200 QEIdentityV2

    Content-Type - application/json

    Request-ID - Randomly generated identifier for each request (for troubleshooting purposes)

    SGX-Enclave-Identity-Issuer-Chain - URL encoded issuer chain for TDX QE Identity in PEM format (all certificates in the chain, appended to each other in the following order: <Signing Certificate><Root CA Certificate>).

    Warning - Optional header which contains warning message, for example information about deprecation of the API

    Operation successful
    400

    Request-ID - Randomly generated identifier for each request (for troubleshooting purposes)

    Warning - Optional header which contains warning message, for example information about deprecation of the API

    Invalid request parameters.
    401

    Request-ID - Randomly generated identifier for each request (for troubleshooting purposes)

    Warning - Optional header which contains warning message, for example information about deprecation of the API

    Failed to authenticate or authorize the request
    404

    Request-ID - Randomly generated identifier for each request (for troubleshooting purposes)

    Warning - Optional header which contains warning message, for example information about deprecation of the API

    QVE Identity information cannot be found.
    500

    Request-ID - Randomly generated identifier for each request (for troubleshooting purposes)

    Warning - Optional header which contains warning message, for example information about deprecation of the API

    Internal server error occurred
    503

    Request-ID - Randomly generated identifier for each request (for troubleshooting purposes)

    Warning - Optional header which contains warning message, for example information about deprecation of the API

    Server is currently unable to process the request
    Example Response
    {
      "enclaveIdentity": {
        "id": "TD_QE",
        "version": 2,
        "issueDate": "2022-04-13T09:37:47Z",
        "nextUpdate": "2022-05-13T09:37:47Z",
        "tcbEvaluationDataNumber": 12,
        "miscselect": "00000000",
        "miscselectMask": "FFFFFFFF",
        "attributes": "11000000000000000000000000000000",
        "attributesMask": "FBFFFFFFFFFFFFFF0000000000000000",
        "mrsigner": "DC9E2A7C6F948F17474E34A7FC43ED030F7C1563F1BABDDF6340C82E0E54A8C5",
        "isvprodid": 2,
        "tcbLevels": [
          {
            "tcb": {
              "isvsvn": 3
            },
            "tcbDate": "2021-11-10T00:00:00Z",
            "tcbStatus": "UpToDate"
          }
        ]
      },
      "signature": "9d4d56c41e80cc44df5ec2ad52f309d8364b444f5b83efc48a0c1393afd11c288754ed77b63bce2a7c59c75ae2012606e1d926cf295f3d0b59e1848a8de36efd"
    }
                                

    GET https://api.trustedservices.intel.com/sgx/certification/v4/qve/identity

    Request

    Name Type Request Type Required Pattern Description
    update String Query False (early|standard) Type of update to QVE Identity
    If not provided standard is assumed.
  • early indicates an early access to updated QVE Identity provided as part of a TCB recovery event
      (commonly the day of public disclosure of the items in scope**)
  • standard indicates standard access to updated QVE Identity provided as part of a TCB recovery event
      (commonly approximately 8 weeks after public disclosure of the items in scope,
      but can vary based on overall scope**)
  • Example Request
    curl -v -X GET "https://api.trustedservices.intel.com/sgx/certification/v4/qve/identity?update={}" 

    Response

    Model - Appendix B: Enclave Identity V2

    Status Codes
    Code Model Headers Description
    200 QEIdentityV2

    Content-Type - application/json

    Request-ID - Randomly generated identifier for each request (for troubleshooting purposes)

    SGX-Enclave-Identity-Issuer-Chain - URL encoded issuer chain for SGX QVE Identity in PEM format (all certificates in the chain, appended to each other in the following order: <Signing Certificate><Root CA Certificate>).

    Warning - Optional header which contains warning message, for example information about deprecation of the API

    Operation successful
    400

    Request-ID - Randomly generated identifier for each request (for troubleshooting purposes)

    Warning - Optional header which contains warning message, for example information about deprecation of the API

    Invalid request parameters.
    401

    Request-ID - Randomly generated identifier for each request (for troubleshooting purposes)

    Warning - Optional header which contains warning message, for example information about deprecation of the API

    Failed to authenticate or authorize the request
    404

    Request-ID - Randomly generated identifier for each request (for troubleshooting purposes)

    Warning - Optional header which contains warning message, for example information about deprecation of the API

    QVE Identity information cannot be found.
    500

    Request-ID - Randomly generated identifier for each request (for troubleshooting purposes)

    Warning - Optional header which contains warning message, for example information about deprecation of the API

    Internal server error occurred
    503

    Request-ID - Randomly generated identifier for each request (for troubleshooting purposes)

    Warning - Optional header which contains warning message, for example information about deprecation of the API

    Server is currently unable to process the request
    Example Response
    {
      "enclaveIdentity": {
        "id": "QVE",
        "version": 2,
        "issueDate": "2022-04-13T09:37:47Z",
        "nextUpdate": "2022-05-13T09:37:47Z",
        "tcbEvaluationDataNumber": 12,
        "miscselect": "00000000",
        "miscselectMask": "FFFFFFFF",
        "attributes": "01000000000000000000000000000000",
        "attributesMask": "FBFFFFFFFFFFFFFF0000000000000000",
        "mrsigner": "8C4F5775D796503E96137F77C68A829A0056AC8DED70140B081B094490C57BFF",
        "isvprodid": 2,
        "tcbLevels": [
          {
            "tcb": {
              "isvsvn": 3
            },
            "tcbDate": "2021-11-10T00:00:00Z",
            "tcbStatus": "UpToDate"
          }
        ]
      },
      "signature": "c9ceffca9079dead55f3b6af405b1093404ec5766dde6f399e2d71485ebd87be9c9b34bcefd7fdba18a1af4610e97597fd4e66e588b1ebb67e890a9657576c2c"
    }
                                

    Retrieve FMSPCs V4

    Retrieve list of FMSPC values for SGX and TDX platforms supporting DCAP attestation.

    GET https://api.trustedservices.intel.com/sgx/certification/v4/fmspcs

    Request

    Name Type Request Type Required Description
    platform String Query False

    Optional identifier of the platform types to query

    Allowed values:

    • all - all the supported platforms (default)
    • client - all the client platforms supporting DCAP attestation
    • E3 - single-socket server platforms supporting DCAP attestation (Intel® Xeon® E processor family)
    • E5 - multi-socket server platforms supporting DCAP attestation (examples include but may not be limited to: Intel® Xeon® D and Intel® Xeon® Scalable)

    Example Request
    curl -v -X GET "https://api.trustedservices.intel.com/sgx/certification/v4/fmspcs?platform={}"

    Response

    Status Codes
    Code Headers Description
    200

    Content-Type - application/json

    Request-ID - Randomly generated identifier for each request (for troubleshooting purposes)

    Warning - Optional header which contains warning message, for example information about deprecation of the API

    Operation successful
    400

    Request-ID - Randomly generated identifier for each request (for troubleshooting purposes)

    Warning - Optional header which contains warning message, for example information about deprecation of the API

    Invalid request parameters.
    500

    Request-ID - Randomly generated identifier for each request (for troubleshooting purposes)

    Warning - Optional header which contains warning message, for example information about deprecation of the API

    Internal server error occurred
    503

    Request-ID - Randomly generated identifier for each request (for troubleshooting purposes)

    Warning - Optional header which contains warning message, for example information about deprecation of the API

    Server is currently unable to process the request
    Example Response
    [
        {
            "fmspc": "AABBCCDD0000",
            "platform": "E3"
        },
        {
            "fmspc": "123456780000",
            "platform": "E5"
        },
        {
            "fmspc": "876543210000",
            "platform": "client"
        }
    ]     
    

    Appendix A: TCB Info V3

    Response

    Model

    TcbInfoV3 (JSON) - SGX/TDX TCB Info encoded as JSON string in case of success (200 HTTP status code)

    TcbInfoV3:
        type: object
        description: >-
            SGX TCB Info encoded as JSON string in case of success (200 HTTP
            status code)
        properties:
            tcbInfo:
                type: object
                properties:
                    id:
                        type: string
                        description: Identifier of the TCB Info issued by Intel. Supported values are SGX or TDX.
                    version:
                        type: integer
                        example: 2
                        description: Version of the structure
                    issueDate:
                        type: string
                        format: date-time
                        description: >-
                            Representation of date and time the TCB information
                            was created. The time shall be in UTC and the
                            encoding shall be compliant to ISO 8601 standard
                            (YYYY-MM-DDThh:mm:ssZ)
                    nextUpdate:
                        type: string
                        format: date-time
                        description: >-
                            Representation of date and time by which next TCB
                            information will be issued. The time shall be in UTC
                            and the encoding shall be compliant to ISO 8601
                            standard (YYYY-MM-DDThh:mm:ssZ)
                    fmspc:
                        type: string
                        pattern: ^[0-9a-fA-F]{12}$
                        example: '000000000000'
                        description: >-
                            Base 16-encoded string representation of FMSPC
                            (Family-Model-Stepping-Platform-CustomSKU)
                    pceId:
                        type: string
                        pattern: ^[0-9a-fA-F]{4}$
                        example: '0000'
                        description: Base 16-encoded string representation of PCE identifier
                    tcbType:
                        type: integer
                        example: 0
                        description: >-
                            Type of TCB level composition that determines TCB
                            level comparison logic
                    tcbEvaluationDataNumber:
                        type: integer
                        example: 2
                        description: >-
                            A monotonically increasing sequence number changed
                            when Intel updates the content of the TCB evaluation data
                            set: TCB Info, QE Identity and QVE Identity. The tcbEvaluationDataNumber
                            update is synchronized across TCB Info for all flavors of
                            SGX CPUs (Family-Model-Stepping-Platform-CustomSKU) and QE/QVE
                            Identity. This sequence number allows users to easily determine
                            when a particular TCB Info/QE Identity/QVE Identity supersedes
                            another TCB Info/QE Identity/QVE Identity (value: current
                            TCB Recovery event number stored in the database).
                    tdxModule:
                        type: object
                        description: >-
                            This field is optional. It will be present only
                            in context of TDX TCB Info.
                        properties:
                            mrsigner:
                                type: string
                                pattern: ^[0-9a-fA-F]{96}$
                                example: '0000000000000000000000000000000000000000000000000000000000000000'
                                description: Base 16-encoded string representation of the measurement of a TDX SEAM module's signer.
                            attributes:
                                type: string
                                pattern: ^[0-9a-fA-F]{16}$
                                example: '0000000000000000'
                                description: Hex-encoded byte array (8 bytes) representing attributes "golden" value (upon applying mask) for TDX SEAM module.
                            attributesMask:
                                type: string
                                pattern: ^[0-9a-fA-F]{16}$
                                example: 'FFFFFFFFFFFFFFFF'
                                description: Hex-encoded byte array (8 bytes) representing mask to be applied to TDX SEAM module's attributes value retrieved from the platform.
                    tdxModuleIdentities:
                        type: array
                        description: >-
                            This field is optional. It will be present only in context of TDX TCB Info when the platform supports more than one TDX SEAM Module.
                        items:
                            type: object
                            properties:
                                id:
                                    type: string
                                    description: Identifier of TDX Module
                                mrsigner:
                                    type: string
                                    pattern: ^[0-9a-fA-F]{96}$
                                    example: '0000000000000000000000000000000000000000000000000000000000000000'
                                    description: Base 16-encoded string representation of the measurement of a TDX SEAM module's signer.
                                attributes:
                                    type: string
                                    pattern: ^[0-9a-fA-F]{16}$
                                    example: '0000000000000000'
                                    description: Base 16-encoded string representation of the byte array (8 bytes) representing attributes "golden" value (upon applying mask) for TDX SEAM module.
                                attributesMask:
                                    type: string
                                    pattern: ^[0-9a-fA-F]{16}$
                                    example: 'FFFFFFFFFFFFFFFF'
                                    description: Base 16-encoded string representation of the byte array (8 bytes) representing mask to be applied to TDX SEAM module's attributes value retrieved from the platform.
                                tcbLevels:
                                    type: array
                                    description: >-
                                        Sorted list of supported TCB levels for given TDX SEAM module encoded as a JSON array of TCB level objects.
                                    items:
                                        type: object
                                        properties:
                                            tcb:
                                                type: object
                                                properties:
                                                    isvsvn:
                                                        description: TDX SEAM module's ISV SVN
                                                        type: integer
                                            tcbDate:
                                                type: string
                                                format: date-time
                                                description: >-
                                                    If there are security advisories published by Intel after tcbDate
                                                    that are for issues whose mitigations are currently enforced* by SGX/TDX attestation,
                                                    then the value of tcbStatus for the TCB level will not be UpToDate.
                                                    Otherwise (i.e., either no advisories after or not currently enforced),
                                                    the value of tcbStatus for the TCB level will not be OutOfDate.
    
                                                    The time shall be in UTC and the encoding shall
                                                    be compliant to ISO 8601 standard (YYYY-MM-DDThh:mm:ssZ).
                                            tcbStatus:
                                                type: string
                                                enum:
                                                    - UpToDate
                                                    - OutOfDate
                                                    - Revoked
                                                description: >-
                                                    TCB level status. One of the following values:
    
                                                    "UpToDate" - TCB level of the TDX SEAM Module is up-to-date.
    
                                                    "OutOfDate" - TCB level of TDX SEAM Module is outdated.
    
                                                    "Revoked" - TCB level of TDX SEAM Module is revoked.
                                                    The platform is not trustworthy.
                                            advisoryIDs:
                                                type: array
                                                description: >-
                                                    Array of Advisory IDs referring to Intel security advisories that
                                                    provide insight into the reason(s) for the value of tcbStatus for
                                                    this TCB level when the value is not UpToDate.
    
                                                    This field is optional. It will be present only
                                                    if the list of Advisory IDs is not empty.
                                                items:
                                                    type: string
                    tcbLevels:
                        type: array
                        description: >-
                            Sorted list of supported TCB levels for given FMSPC
                            encoded as a JSON array of TCB level objects
                        items:
                            type: object
                            properties:
                                tcb:
                                    type: object
                                    properties:
                                        sgxtcbcomponents:
                                            description: >-
                                                Array of 16 SGX TCB Components (as in CPUSVN) encoded as a JSON array of TCB Component objects.
                                            items:
                                                properties:
                                                    svn:
                                                        type: "integer"
                                                        description: SVN of TCB Component. This field is mandatory.
                                                    category:
                                                        type: "string"
                                                        description: Category of TCB Component (e.g. ucode, BIOS, SW). This field is optional and will be present only for selected TCB Components.
                                                    type:
                                                        type: "string"
                                                        description: Type of TCB Component (e.g. Patch@Reset, Late Patch). This field is optional and will be present only for selected TCB Components.
                                        pcesvn:
                                            type: integer
                                            example: 0
                                            minimum: 0
                                            maximum: 65535
                                        tdxtcbcomponents:
                                            description: >-
                                                Array of 16 TDX TCB Components (as in TEE TCB SVN array in TD Report) encoded as a JSON array of TCB Component objects.
    
                                                This field is optional and only present in TDX TCB Info.
                                            items:
                                                properties:
                                                    svn:
                                                        type: "integer"
                                                        description: SVN of TCB Component. This field is mandatory.
                                                    category:
                                                        type: "string"
                                                        description: Category of TCB Component (e.g. ucode, BIOS, SW). This field is optional and will be present only for selected TCB Components.
                                                    type:
                                                        type: "string"
                                                        description: Type of TCB Component (e.g. Patch@Reset, Late Patch). This field is optional and will be present only for selected TCB Components.
                                tcbDate:
                                    type: string
                                    format: date-time
                                    description: >-
                                        If there are security advisories published by Intel after tcbDate
                                        that are for issues whose mitigations are currently enforced* by SGX attestation,
                                        then the value of tcbStatus for the TCB level will not be UpToDate.
                                        Otherwise (i.e., either no advisories after or not currently enforced),
                                        the value of tcbStatus for the TCB level will not be OutOfDate.
    
                                        The time shall be in UTC and the encoding shall
                                        be compliant to ISO 8601 standard (YYYY-MM-DDThh:mm:ssZ).
                                tcbStatus:
                                    type: string
                                    enum:
                                        - UpToDate
                                        - SWHardeningNeeded
                                        - ConfigurationNeeded
                                        - ConfigurationAndSWHardeningNeeded
                                        - OutOfDate
                                        - OutOfDateConfigurationNeeded
                                        - Revoked
                                    description: >-
                                        TCB level status. One of the following values:
    
                                        "UpToDate" - TCB level of the SGX platform is up-to-date.
    
                                        "SWHardeningNeeded" - TCB level of the SGX platform
                                        is up-to-date but due to certain issues affecting the
                                        platform, additional SW Hardening in the attesting
                                        SGX enclaves may be needed.
    
                                        "ConfigurationNeeded" - TCB level of the SGX platform
                                        is up-to-date but additional configuration of SGX
                                        platform may be needed.
    
                                        "ConfigurationAndSWHardeningNeeded" - TCB level of the
                                        SGX platform is up-to-date but additional configuration
                                        for the platform and SW Hardening in the attesting SGX
                                        enclaves may be needed.
    
                                        "OutOfDate" - TCB level of SGX platform is outdated.
    
                                        "OutOfDateConfigurationNeeded" - TCB level of SGX
                                        platform is outdated and additional configuration
                                        of SGX platform may be needed.
    
                                        "Revoked" - TCB level of SGX platform is revoked.
                                        The platform is not trustworthy.
                                advisoryIDs:
                                    type: array
                                    description: >-
                                        Array of Advisory IDs referring to Intel security advisories that
                                        provide insight into the reason(s) for the value of tcbStatus for
                                        this TCB level when the value is not UpToDate.
    
                                        Note: The value can be different for different
                                        FMSPCs.
    
                                        This field is optional. It will be present only
                                        if the list of Advisory IDs is not empty.
                                    items:
                                        type: string
            signature:
                type: string
                description: >-
                    Base 16-encoded string representation of signature calculated over tcbInfo
                    body without whitespaces using TCB Signing Key
                    i.e:
                    {"version":2,"issueDate":"2019-07-30T12:00:00Z","nextUpdate":"2019-08-30T12:00:00Z",...}
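
    Recovering the exact bytes that the signature covers, as an added example that is not Intel's code: the description above says the signature is computed over the tcbInfo body without whitespace, so the function slices the value out of the raw response text as received and drops only the whitespace that lies outside JSON strings, keeping key order and number formatting untouched instead of re-serialising a parsed object. The sample response, the key parameter (so the same helper serves the enclaveIdentity body of Appendix B) and the r||s split helper are assumptions of the example; the 128-hex-digit signatures in the page's example responses are 64 bytes, the raw r||s form of an ECDSA signature, and the ECDSA verification itself against the signing certificate from the issuer-chain header is left to a crypto library and not shown.

```python
"""Canonical signed body of a PCS TCB Info / Enclave Identity response.

Added example for the 'signature' description in Appendix A; not Intel's
code. The signed message is the value of the top-level "tcbInfo" key (or
"enclaveIdentity" for Appendix B) with whitespace outside JSON strings
removed, in the key order the server sent it.
"""


def signed_body(response_text: str, key: str = "tcbInfo") -> bytes:
    """Return the whitespace-free value of `key` sliced from the raw JSON."""
    marker = f'"{key}"'
    start = response_text.index(marker) + len(marker)
    start = response_text.index("{", start)   # opening brace of the value
    depth = 0
    in_string = False
    escaped = False
    out = []
    for ch in response_text[start:]:
        if in_string:
            out.append(ch)                    # whitespace inside strings is data
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
            continue
        if ch in " \t\r\n":
            continue                          # not part of the signed message
        out.append(ch)
        if ch == '"':
            in_string = True
        elif ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                return "".join(out).encode("ascii")
    raise ValueError("unterminated JSON object")


def split_raw_signature(signature_hex: str) -> tuple:
    """Split a 64-byte raw r||s signature into the (r, s) integers a verifier
    needs; the page's 128-hex-digit examples have exactly this shape."""
    sig = bytes.fromhex(signature_hex)
    if len(sig) != 64:
        raise ValueError("expected a 64-byte r||s signature")
    return int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big")


# Constructed sample response in the shape of Appendix A, pretty-printed the
# way a client might receive it; the field values are placeholders.
SAMPLE_RESPONSE = """{
  "tcbInfo": {
    "id": "SGX",
    "version": 3,
    "issueDate": "2019-07-30T12:00:00Z",
    "nextUpdate": "2019-08-30T12:00:00Z",
    "fmspc": "000000000000",
    "tcbLevels": [
      {"tcb": {"pcesvn": 0}, "tcbDate": "2019-07-30T00:00:00Z", "tcbStatus": "UpToDate"}
    ]
  },
  "signature": "00"
}"""

if __name__ == "__main__":
    print(signed_body(SAMPLE_RESPONSE).decode())
```

    Re-serialising with a JSON library usually yields the same bytes, but the slice-and-strip approach cannot diverge from what the server signed (for example by reordering keys or normalising numbers), which is what a verifier wants before handing the bytes to its ECDSA implementation.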
                                

    Appendix B: Enclave Identity V2

    Model

    EnclaveIdentityV2 (JSON) - SGX Enclave Identity data structure encoded as JSON string in case of success (200 HTTP status code)

    EnclaveIdentityV2:
        type: object
        description: SGX Enclave Identity data structure encoded as JSON string in case of success
            (200 HTTP status code)
        properties:
            enclaveIdentity:
                type: object
                properties:
                    id:
                        type: string
                        description: Identifier of the SGX Enclave issued by Intel. Supported values are QE, QVE and TD_QE
                    version:
                        type: integer
                        example: 2
                        description: Version of the structure
                    issueDate:
                        type: string
                        format: date-time
                        description: >-
                            Representation of date and time the Enclave Identity information
                            was created. The time shall be in UTC and the encoding shall
                            be compliant to ISO 8601 standard (YYYY-MM-DDThh:mm:ssZ)
                    nextUpdate:
                        type: string
                        format: date-time
                        description: >-
                            Representation of date and time by which next Enclave Identity
                            information will be issued. The time shall be in
                            UTC and the encoding shall be compliant to ISO 8601 standard
                            (YYYY-MM-DDThh:mm:ssZ)
                    tcbEvaluationDataNumber:
                        type: integer
                        example: 2
                        description: >-
                            A monotonically increasing sequence number changed
                            when Intel updates the content of the TCB evaluation data
                            set: TCB Info, QE Identity and QVE Identity. The tcbEvaluationDataNumber
                            update is synchronized across TCB Info for all flavors of
                            SGX CPUs (Family-Model-Stepping-Platform-CustomSKU) and QE/QVE
                            Identity. This sequence number allows users to easily determine
                            when a particular TCB Info/QE Identity/QVE Identity supersedes
                            another TCB Info/QE Identity/QVE Identity (value: current
                            TCB Recovery event number stored in the database).
                    miscselect:
                        type: string
                        pattern: ^[0-9a-fA-F]{8}$
                        example: '00000000'
                        description: Base 16-encoded string representing miscselect "golden" value (upon applying mask).
                    miscselectMask:
                        type: string
                        pattern: ^[0-9a-fA-F]{8}$
                        example: '00000000'
                        description: Base 16-encoded string representing mask to be applied to miscselect value retrieved from the platform.
                    attributes:
                        type: string
                        pattern: ^[0-9a-fA-F]{32}$
                        example: '00000000000000000000000000000000'
                        description: Base 16-encoded string representing attributes "golden" value (upon applying mask).
                    attributesMask:
                        type: string
                        pattern: ^[0-9a-fA-F]{32}$
                        example: '00000000000000000000000000000000'
                        description: Base 16-encoded string representing mask to be applied to attributes value retrieved from the platform.
                    mrsigner:
                        type: string
                        pattern: ^[0-9a-fA-F]{64}$
                        example: '0000000000000000000000000000000000000000000000000000000000000000'
                        description: Base 16-encoded string representing mrsigner hash.
                    isvprodid:
                        type: integer
                        example: 0
                        minimum: 0
                        maximum: 65535
                        description: Enclave Product ID.
                    tcbLevels:
                        description: >-
                            Sorted list of supported Enclave TCB levels for given
                            QVE encoded as a JSON array of Enclave TCB level objects.
                        type: array
                        items:
                            type: object
                            properties:
                                tcb:
                                    type: object
                                    properties:
                                        isvsvn:
                                            description: SGX Enclave's ISV SVN
                                            type: integer
                                tcbDate:
                                    type: string
                                    format: date-time
                                    description: >-
                                        If there are security advisories published by Intel after tcbDate
                                        that are for issues whose mitigations are currently enforced* by SGX attestation,
                                        then the value of tcbStatus for the TCB level will not be UpToDate.
                                        Otherwise (i.e., either no advisories after or not currently enforced),
                                        the value of tcbStatus for the TCB level will not be OutOfDate.
    
                                        The time shall be in UTC and the encoding shall
                                        be compliant to ISO 8601 standard (YYYY-MM-DDThh:mm:ssZ).
                                tcbStatus:
                                    type: string
                                    enum:
                                        - UpToDate
                                        - OutOfDate
                                        - Revoked
                                    description: >-
                                        TCB level status. One of the following values:
    
                                        "UpToDate" - TCB level of the SGX platform is up-to-date.
    
                                        "OutOfDate" - TCB level of SGX platform is outdated.
    
                                        "Revoked" - TCB level of SGX platform is revoked.
                                        The platform is not trustworthy.
                                advisoryIDs:
                                    type: array
                                    description: >-
                                        Array of Advisory IDs referring to Intel security advisories that
                                        provide insight into the reason(s) for the value of tcbStatus for
                                        this TCB level when the value is not UpToDate.
    
                                        This field is optional. It will be present only
                                        if the list of Advisory IDs is not empty.
                                    items:
                                        type: string
            signature:
                type: string
                description: Hex-encoded string representation of a signature calculated
                    over qeIdentity body (without whitespaces) using TCB Info Signing Key.
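
As an added example (not part of the Intel specification or its reference verifier), the relying-party side of consuming an Enclave Identity V2 document in Python against a constructed sample: it extracts the exact bytes the signature covers (the same "body without whitespaces" rule the tcbInfo signature above uses, so the helper takes the key name), applies miscselectMask and attributesMask before comparing against the golden values, and selects the tcbStatus for the enclave's ISV SVN. The signature verification call itself (with the TCB Signing Key, over the bytes signed_body returns) is left to your crypto library; REPORT, NOW and the identity values are constructed placeholders.

```python
import json
import re
from datetime import datetime, timezone
# Constructed sample response (placeholder values, not a real Intel-issued identity).
IDENTITY_JSON = (
    '{"enclaveIdentity":{"id":"QE","version":2,"issueDate":"2024-01-01T00:00:00Z",'
    '"nextUpdate":"2024-02-01T00:00:00Z","tcbEvaluationDataNumber":15,'
    '"miscselect":"00000000","miscselectMask":"FFFFFFFF",'
    '"attributes":"11000000000000000000000000000000",'
    '"attributesMask":"FBFFFFFFFFFFFFFF0000000000000000",'
    '"mrsigner":"' + "ab" * 32 + '","isvprodid":1,"tcbLevels":['
    '{"tcb":{"isvsvn":8},"tcbDate":"2023-08-01T00:00:00Z","tcbStatus":"UpToDate"},'
    '{"tcb":{"isvsvn":6},"tcbDate":"2022-11-01T00:00:00Z","tcbStatus":"OutOfDate",'
    '"advisoryIDs":["INTEL-SA-XXXXX"]}]},"signature":"00"}'
)
IDENTITY = json.loads(IDENTITY_JSON)["enclaveIdentity"]

def signed_body(response_text, key="enclaveIdentity"):
    """Bytes the signature covers: the value of `key` (enclaveIdentity or tcbInfo) exactly as
    served, minus whitespace. Slicing the raw text avoids key-order/number-format drift."""
    start = response_text.index("{", response_text.index('"%s"' % key))
    _, end = json.JSONDecoder().raw_decode(response_text, start)
    return re.sub(r"\s", "", response_text[start:end]).encode()

def masked_eq(value_hex, golden_hex, mask_hex):
    """Compare a report field with the golden value under the identity's mask."""
    value, golden, mask = (int(x, 16) for x in (value_hex, golden_hex, mask_hex))
    return (value & mask) == (golden & mask)

def matches_identity(identity, report):
    """report: dict of the enclave's REPORT fields as hex strings / ints (constructed)."""
    return (masked_eq(report["miscselect"], identity["miscselect"], identity["miscselectMask"])
            and masked_eq(report["attributes"], identity["attributes"], identity["attributesMask"])
            and report["mrsigner"].lower() == identity["mrsigner"].lower()
            and report["isvprodid"] == identity["isvprodid"])

def tcb_status(identity, isvsvn, now):
    """(status, advisoryIDs) for the enclave's ISV SVN: the highest listed level it reaches.
    'Expired' and 'Unknown' are this example's own labels for a stale identity and an
    SVN below every listed level; both should be treated as untrusted."""
    if now > datetime.fromisoformat(identity["nextUpdate"].replace("Z", "+00:00")):
        return "Expired", []
    for level in sorted(identity["tcbLevels"], key=lambda l: l["tcb"]["isvsvn"], reverse=True):
        if isvsvn >= level["tcb"]["isvsvn"]:
            return level["tcbStatus"], level.get("advisoryIDs", [])
    return "Unknown", []

# Constructed report: attributes bit 2 (0x04) differs from golden but is masked out by FB.
REPORT = {"miscselect": "00000000", "attributes": "15" + "0" * 30, "mrsigner": "AB" * 32, "isvprodid": 1}
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)  # constructed verification time
```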
                                

    PCK Certificate and CRL Specification

    This document specifies the hierarchy and format of X.509 v3 certificates and X.509 v2 Certificate Revocation Lists (CRLs) issued by Intel for Provisioning Certification Keys.

    * Enforcement of a mitigation means that 1) the attestation process can tell whether the mitigation is present or not and 2) the attestation result will be different when the mitigation is present than when it's not. Intel offers verifiers and relying parties different enforcement grace periods through use of an "update" (PCS API) parameter. The value of this parameter can be standard (default) or early. Conclusions drawn when using one value of the parameter should not be applied globally, that is, when enforcement occurs depends on which value of the update parameter is used. Here, attestation result refers to the result of the objective assessment of the attestation, the assessment that only considers whether mitigations are present or not. Relying parties are free to also use additional factors, of their choosing, to determine whether to trust the attesting platform. The relying party's "trust decision" may be different than that suggested by the attestation result. For example, in cases where the attestation result is out of date, but only due to mitigations for very low severity issues being absent, the relying party may choose to proceed as though the attesting platform were up to date, accepting all the security risks of doing so.

    ** Intel will strive to communicate planned deviations from this schedule via email notifications to registered API subscribers.

    Intel, the Intel logo and Xeon are trademarks of Intel Corporation or its subsidiaries.