Intel SGX Attestation Service Utilizing EPID
The Attestation API exposed by the Intel® SGX attestation service is a programming interface for service providers to verify attestation evidence of SGX enabled enclaves. View the Intel SGX EPID API Specification.
Intel plans to end of life (EOL) this service April 2, 2025. This would include all active API versions. Please factor this into your engagement plans (reference this link for additional details and Intel-offered attestation alternatives). As previously planned and communicated, Intel has limited access to the IAS Development (DEV) environment as of September 29, 2024.
Download the Attestation Report Root CA Certificate here:
DER
PEM
Intel® SGX and Intel® TDX Registration Service for Scalable Platforms
The API exposed by the Intel® SGX registration service allows to register an Intel(R) SGX platform with multiple processor packages as a single platform instance which can be later on remotely attested as a single entity.
The minimum version of the TLS protocol supported by the service is 1.2 - any connection attempts with previous versions of TLS/SSL will be dropped by the server.
Register Platform
This API allows to register multi-package SGX platform (includes initial registration and TCB Recovery). As part of the registration, the platform manifest is authenticated by the Registration Service as originating from a genuine, non-revoked SGX platform. If the platform configuration is verified successfully, platform provisioning root keys are stored in the backend.
Stored platform provisioning root keys are later used to derive public parts of Provisioning Certification Keys (PCKs) that are distributed in the form of x.509 certificates by the Provisioning Certification Service for Intel® SGX. PCK certificates are used during remote attestation of the platform.
POST https://api.trustedservices.intel.com/sgx/registration/v1/platform
Request
Headers
Besides headers explicitly mentioned in the table below, the HTTP request may contain standard HTTP headers required in the request (e.g. Content-Length).Name | Required | Value | Description |
---|---|---|---|
Content-Type | True | application/octet-stream | MIME type of the request body. |
Body
Binary representation of Platform Manifest structure - an opaque blob that represents a registration manifest for multi-package platform. It contains platform provisioning root keys established by given platform instance and data required to authenticate the platform as a genuine, non-revoked SGX platform.
Example Request
curl -H "Content-Type: application/octet-stream" -v --data-binary @platform_manifest -X POST "https://api.trustedservices.intel.com/sgx/registration/v1/platform"
Response
Model
Hex-encoded representation of PPID for the registered platform instance (only if HTTP Status Code is 201, empty body otherwise).
Example Response
00112233445566778899AABBCCDDEEFF
Status Codes
Status Code | Headers | Body | Description |
---|---|---|---|
201 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) |
Hex-encoded representation of PPID for the registered platform instance. |
Operation successful (new platform instance registered). A new platform instance has been registered in the backend. |
400 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Error-Code and Error-Message:
|
Invalid Platform Manifest. The client should not repeat the request without modifications. Additional details about the error condition that occurred (in the form of specific error code and message) are returned to the client in the response headers: Error-Code and ErrorMessage. |
|
415 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) |
MIME type specified in the request is not supported by the server. | |
500 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) |
Internal server error occurred | |
503 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) |
Server is currently unable to process the request. The client should try to repeat its request after some time. |
Add Package
Add new package(s) to an already registered platform instance. If the request is successful, a Platform Membership Certificate is generated for each processor package in Add Request.
POST https://api.trustedservices.intel.com/sgx/registration/v1/package
Request
Headers
Besides headers explicitly mentioned in the table below, the HTTP request may contain standard HTTP headers required in the request (e.g. Content-Length).Name | Required | Value | Description |
---|---|---|---|
Ocp-Apim-Subscription-Key | True | Subscription key which provides access to this API. It can be found in your Profile. | |
Content-Type | True | application/octet-stream | MIME type of the request body. |
Body
Binary representation of Add Request structure - an opaque blob that represents a request for adding new processors packages to an existing platform instance.
Example Request
curl -H "Content-Type: application/octet-stream" -v --data-binary @add_package -X POST "https://api.trustedservices.intel.com/sgx/registration/v1/package" -H "Ocp-Apim-Subscription-Key: {subscription key}"
Response
Model
In case of 200 HTTP Status Code: Fixed size array (8 elements) containing binary representation of Platform Membership Certificate structures attached to each other.
Certificates are populated sequentialy in the array starting with index 0, rest of the elements in the array is zeroed.
Example Response (hex-encoded)
EBBD00C0EF904910A480F772E7355DB4C90401000000000000000000000000000348E55FE5BB604086B7CFBF7BD00235A1A492C64BDC948CB 35B4D48404BE3CAC68090F19E5D4B985136D9A160B04425B9B709CCD8D46F024EB65330E781312B74D5D1A8BD8F0BCBB9041530E022F24B4B C9AF1E45F551956633494D924DDC81E546085A340B5D1F58E5BD5726E87238715FDF8133CA1DC4E1304550C1956143932817207F3697DB9C5 A35433FD573CFA4C8494C8C1536E4046CC3507304E5A557A31F7576EE10DC3E2626996EC014CC990AE2CC69095CE933C283FC3A3FB5F02139 BD700FBCB5C1715031F3A810A097479A82D02A38CB7071E72D73DF4B31E9E236E96164DCD175ACBCD68E7EF34FF0EDEF1A28F5B9558A3E90D 662A21A1055F2FEA1D54F4BF3D464EBB02AF1EDD3270F06B64F651CBE06C34E345BFB6BF8FC67B6FE83A697A890EF946C285261D6458F4C7B 18CCAC29841574A7EC62427642FDE7E862C3C387786429B4F3CE7D9509CB7115DAF6E68F0DE426ACF3B87FB3CCC3B3ED33853F8EBC6D3AE82 4471087F5EB3A2EA43F137D6D184D16420042A5C274E22C2846B570D8277E5DCB2EAF285C0DE53F4260B22CBCD63BA07C47861E799A8D18BF 496BC3F89BE7BEB28A2EBD34DA41486B2A183AB568251D2FDC0DEFD88701000100CB0C25CAFDB9C17FC17C6E5F6496EF7276382CAF199CB5B B3CE3186DE3F35552ED3717ACCB87757126634AF6A3254ADEEDA46C34C1EEA4356A2FD412B07CE57F263749BD5B3D9BA2ED51DBBAED9C9DA1 104EAD2D31432DC19B04E782DB75C616850C2E86DB5390CE946272DD6C7A885D39407A1BCC719C3D05A36BA29FD85A670BCD26B8B943B5B6D F92FE21AE5935413DC3F1DA53B79DD0730ABB7DF255C895A578F83290F4956DD50F2E367FEF47886EF24A74792C45BE1FA5C2FFC34A47C012 F47BE52FB9635532983CBA4563AB517BB36A6951AE64ABA71919DD8E83A974645A785A2FB889F6DC056DAED2B11F1FDC979E811DBB519DA7C 9154A6584036A44C6E226E1EB8612D1EDA68D242C2E25B64474442F78C4D729AF021790E385794701E7840BECE4833BB58565D36488B8A44A D9CBF9745D9C28A02108BF24A758B224964ABDEFD01941DB82E5141E39C43D8AA5CA48502813BB7E04173C36C67086B036162EAE860C6DA7F 4688C9699A29A5B72914F225308002BC00EE571C0A201000100A33178AD01C653A70C05C83203C2285A6FD93B64E379421F47086B841C682D 9D0F6BC2AC11FE3C6D01ADF99BBD6F46C9A77F5C79EFBDB17D65E671ACB4FD8800B8E481CE680D7450EE7BC19B429648B7B44A5D550FFB41B F8B393D1C3729F7AF7549EEA0661EBF9B0895B9DAFFB3A41E29B119E409A2E31B8BE30D7A714C79976BA9A8051322C12B281F40A3003995E9 756134B803DEC923BF984776F966564F71CCA014C63DF6EC4277B3C0A690EC8FFFD89B5FC9A63DF37B902A4D25F17A55886D0E441318E9905 B2DC0D1B2BF4562D610E234FF829424926F10FB1F60371E7E433E84B854B094A5C7321ADFEBBF934FB3271515A62D441421D7ED96D46B68A2 FAAACC045FFC8E0DA9D17C5DEBE217C762F23AD6AC3FBE7E7E71BB5228A5D6F5C098C509D975E8FE15EE8FDA956D3334BDC1CFE428DC0E8F9 C799831094346A45F4C4D1B961BFC07A4FBC89DEA759DA92447B2026B49B8A7BE428F58051A8C08DFE6B82FBE7457DCFD45A45FDD7C2477CC CDA8FFF760AA0F126B7F0ED58E510000000000000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 ... 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Status Codes
Status Code | Headers | Body | Description |
---|---|---|---|
200 |
Content-Type - MIME type of the response body. Value is "application/octet-stream". Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Certificate-Count - Number of Platform Membership Certificates returned in response body. |
Fixed size array (8 elements) containing binary representation of Platform Membership Certificate structures attached to each other. Certificates are populated sequentialy in the array starting with index 0, rest of the elements in the array is zeroed. |
Operation successful. Packages have been added to an existing platform instance. |
400 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Error-Code and Error-Message:
|
Invalid Add Request Payload. The client should not repeat the request without modifications. Additional details about the error condition that occurred (in the form of specific error code and message) are returned to the client in the response headers: Error-Code and Error-Message. |
|
401 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) |
Failed to authenticate or authorize the request | |
415 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) |
MIME type specified in the request is not supported by the server. | |
500 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) |
Internal server error occurred | |
503 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) |
Server is currently unable to process the request |
Intel® SGX and Intel® TDX Provisioning Certification Service for ECDSA Attestation
Download the Provisioning Certification Root CA Certificate for API v4 here:
DER
PEM
(fingerprint: 8bd31eb1d63ce37382c0ffaa0d8200a3011ad6ff)
Get/Post PCK Certificate V4
The Get PCK Certificate API allows requesting a single PCK certificate by specifying the platform's PPID (single-socket and multi-socket platforms) or Platform Manifest (multi-socket platforms only) and a set of SVNs.
Get PCK Certificate using PPID and SVNs is available for:
- single-socket platforms - using this API does not require any prerequisites.
- multi-socket platforms - using this API requires previous Platform Manifest registration using Register Platform API exposed by Registration Service. Using this flow requires that platform root keys for a given platform are persistently stored in the backend (Registration Service). While issuing a PCK Certificate, Provisioning Certification Service uses a PCK public key derrived by Registration Service based on stored platform root keys. Keys Caching Policy for a platform using this API must be set to 'true'.
Get PCK Certificate using Platform Manifest and SVNs is available for:
- multi-socket platforms - using this API does not require previous Platform Manifest registration using Registration Service. Using this flow does not require that platform root keys for a given platform are persistently stored in the backend (Registration Service). While issuing a PCK Certificate, Provisioning Certification Service uses a PCK public key derived by Registration Service based on platform root keys in the provided Platform Manifest. Depending on the Keys Caching Policy set for a given platform, platform root keys from the Platform Manifest will be either stored or not stored in the backend.
Setting Key Caching Policy for multi-socket platforms:
- if you register Platform Manifest directly via Register Platform API exposed by Registration Service first (so called direct registration), Key Caching Policy will be set to always store platform root keys for given platform. The keys will be stored when Platform Manifest is sent to the backend (either via Register Platform API or via Get PCK Certificate(s) using Platform Manifest). The fact of storing keys in the backend is reflected by CachedKeys flag in PCK Certificates set to 'true'.
- if you register Platform Manifest indirectly via Get PCK Certificate(s) using Platform Manifest API exposed by Provisioning Certification Service first (so called indirect registration), Key Caching Policy will be set to never store platform root keys for given platform. Platform root keys are discarded immediately after the PCK key is derived. However, the standard platform metadata is stored. In this case, Register Platform API exposed by Registration Service cannot be used anymore. The fact of NOT storing keys in the backend is reflected by CachedKeys flag in PCK Certificates set to 'false'.
NOTICE: When you use that single PCK Certificate, the PCS will return the PCK Certificate that represents the TCB level with the highest security posture based on the SGX patching level applied to the platform. The platform's patching level is represented by the following inputs: CPUSVN and PCE ISVSVN.
GEThttps://api.trustedservices.intel.com/sgx/certification/v4/pckcert
Request
Name | Type | Request Type | Required | Pattern | Description |
---|---|---|---|---|---|
Ocp-Apim-Subscription-Key | String | Header | False | Subscription key which provides access to this API. It can be found in your Profile. | |
PPID-Encryption-Key | String | Header | False | Type of key used to encrypt PPID. If not specified, "RSA-3072" will be used as default. Currently supported values: "RSA-3072" | |
encrypted_ppid | String | Query | True | ^[0-9a-fA-F]{768}$ | Base16-encoded PPID encrypted with PPIDEK (384 bytes, byte array) |
cpusvn | String | Query | True | ^[0-9a-fA-F]{32}$ | Base16-encoded CPUSVN value (16 bytes, byte array) |
pcesvn | String | Query | True | ^[0-9a-fA-F]{4}$ | Base16-encoded PCESVN value (2 bytes, little endian) |
pceid | String | Query | True | ^[0-9a-fA-F]{4}$ | Base16-encoded PCE-ID value (2 bytes, little endian) |
Example Request
curl -v -X GET "https://api.trustedservices.intel.com/sgx/certification/v4/pckcert?encrypted_ppid={}&cpusvn={}&pcesvn={}&pceid={}" -H "Ocp-Apim-Subscription-Key: {subscription key}"
Response
Response description can be found here.
POST https://api.trustedservices.intel.com/sgx/certification/v4/pckcert
Request
Name | Type | Request Type | Required | Pattern | Description |
---|---|---|---|---|---|
Ocp-Apim-Subscription-Key | String | Header | False | Subscription key which provides access to this API. It can be found in your Profile. | |
Content-Type | String | Header | True | Content Type key which is corresponding to body format application/json. | |
platformManifest | String | Body Field | True | ^[0-9a-fA-F]{16862,112884}$ | Base 16-encoded representation of Platform Manifest. |
cpusvn | String | Body Field | True | ^[0-9a-fA-F]{32}$ | Base16-encoded CPUSVN value (16 bytes, byte array) |
pcesvn | String | Body Field | True | ^[0-9a-fA-F]{4}$ | Base16-encoded PCESVN value (2 bytes, little endian) |
pceid | String | Body Field | True | ^[0-9a-fA-F]{4}$ | Base16-encoded PCE-ID value (2 bytes, little endian) |
Body
{ "platformManifest":"...", "cpusvn":"...", "pcesvn":"...", "pceid":"..." }
Example Request
curl -v -X POST --data '{"platformManifest":"...", "cpusvn":"...", "pcesvn":"...", "pceid":"..."}' "https://api.trustedservices.intel.com/sgx/certification/v4/pckcert" -H "Ocp-Apim-Subscription-Key: {subscription key}" -H "Content-Type: application/json"
Response
Model
PckCert (X-PEM-FILE) - PEM-encoded representation of SGX PCK Certificate in case of success (200 HTTP status code)
Example Response
-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----
Status Codes
Code | Model | Headers | Description | ||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
200 | PckCert |
Content-Type - application/x-pem-file Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) SGX-PCK-Certificate-Issuer-Chain - URL-encoded Issuer Certificate chain for SGX PCK Certificate in PEM format. It consists of SGX Root CA Certificate and SGX Intermediate CA Certificate (Processor CA, Platform CA). SGX-TCBm - Hex-encoded string representation of concatenation of CPUSVN (16 bytes) and PCESVN (2 bytes) as returned in corresponding SGX PCK Certificate SGX-FMSPC - Hex-encoded string representation of FMSPC (6 bytes). SGX-PCK-Certificate-CA-Type - Type of the SGX Intermediate CA that issued the requested SGX PCK Certificate. One of the following values:
Warning - Optional header which contains warning message, for example information about deprecation of the API |
Operation successful | ||||||||||||||
400 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API Additional details about the error condition that occurred (in the form of specific error code and message) are returned to the client in the response headers: Error-Code and Error-Message (see the definition of response headers for details about the format). The table below defines all the error conditions that may occur:
|
Invalid request parameters. | |||||||||||||||
401 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
Failed to authenticate or authorize the request | |||||||||||||||
404 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
PCK Certificate for provided {ppid}, {cpusvn}, {pcesvn} and {pceid} cannot be found. | |||||||||||||||
429 |
Retry-After - Non-negative decimal integer, indicating how long the user agent should wait before making a follow-up request (in seconds). Warning - Optional header which contains warning message, for example information about deprecation of the API |
Too many requests, limit has been reached. | |||||||||||||||
500 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
Internal server error occurred | |||||||||||||||
503 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
Server is currently unable to process the request |
Get PCK Certificates V4
The Get PCK Certificates API allows requesting PCK certificates for all configured TCB levels for given platform by specifying the platform's PPID (single-socket and multi-socket platforms) or Platform Manifest (multi-socket platforms only).
Get PCK Certificates using PPID is available for:
- single-socket platforms - using this API does not require any prerequisites.
- multi-socket platforms - using this API requires previous Platform Manifest registration using Register Platform API exposed by Registration Service. Using this flow requires that platform root keys for a given platform are persistently stored in the backend (Registration Service). While issuing PCK Certificates, Provisioning Certification Service uses PCK public keys derrived by Registration Service based on stored platform root keys. Keys Caching Policy for a platform using this API must be set to 'true'.
Get PCK Certificates using Platform Manifest is available for:
- multi-socket platforms - using this API does not require previous Platform Manifest registration using Registration Service. Using this flow does not require that platform root keys for a given platform are persistently stored in the backend (Registration Service). While issuing PCK Certificates, Provisioning Certification Service uses PCK public keys derrived by Registration Service based on platform root keys in the provided Platform Manifest. Depending on the Keys Caching Policy set for a given platform, platform root keys from the Platform Manifest will be either stored or not stored in the backend.
Setting Key Caching Policy for multi-socket platforms:
- if you register Platform Manifest directly via Register Platform API exposed by Registration Service first (so called direct registration), Key Caching Policy will be set to always store platform root keys for given platform. The keys will be stored when Platform Manifest is sent to the backend (either via Register Platform API or via Get PCK Certificate(s) using Platform Manifest). The fact of storing keys in the backend is reflected by CachedKeys flag in PCK Certificates set to 'true'.
- if you register Platform Manifest indirectly via Get PCK Certificate(s) using Platform Manifest API exposed by Provisioning Certification Service first (so called indirect registration), Key Caching Policy will be set to never store platform root keys for given platform. Platform root keys are discarded immediately after the PCK key is derived. However, the standard platform metadata is stored. In this case, Register Platform API exposed by Registration Service cannot be used anymore. The fact of NOT storing keys in the backend is reflected by CachedKeys flag in PCK Certificates set to 'false'.
GET https://api.trustedservices.intel.com/sgx/certification/v4/pckcerts
Retrieve X.509 Provisioning Certification Key (PCK) certificates for SGX-enabled platform for all configured TCB levels based on encrypted PPID and PCE-ID (supports both single and multi-package platforms).
Request
Name | Type | Request Type | Required | Pattern | Description |
---|---|---|---|---|---|
Ocp-Apim-Subscription-Key | String | Header | False | Subscription key which provides access to this API. It can be found in your Profile. | |
PPID-Encryption-Key | String | Header | False | Type of key used to encrypt PPID. If not specified, "RSA-3072" will be used as default. Currently supported values: "RSA-3072" | |
encrypted_ppid | String | Query | True | ^[0-9a-fA-F]{768}$ | Base16-encoded PPID encrypted with PPIDEK (384 bytes, byte array) |
pceid | String | Query | True | ^[0-9a-fA-F]{4}$ | Base16-encoded PCE-ID value (2 bytes, little endian) |
Example Request
curl -v -X GET "https://api.trustedservices.intel.com/sgx/certification/v4/pckcerts?encrypted_ppid={}&pceid={}" -H "Ocp-Apim-Subscription-Key: {subscription key}"
Response
Response description can be found here.
GET https://api.trustedservices.intel.com/sgx/certification/v4/pckcerts/config
Retrieve X.509 Provisioning Certification Key (PCK) certificates for SGX-enabled platform with a specific configuration reflected in a raw CPUSVN retrieved from the platform (supports multi-package platforms only).
Request
Name | Type | Request Type | Required | Pattern | Description |
---|---|---|---|---|---|
Ocp-Apim-Subscription-Key | String | Header | False | Subscription key which provides access to this API. It can be found in your Profile. | |
PPID-Encryption-Key | String | Header | False | Type of key used to encrypt PPID. If not specified, "RSA-3072" will be used as default. Currently supported values: "RSA-3072" | |
encrypted_ppid | String | Query | True | ^[0-9a-fA-F]{768}$ | Base16-encoded PPID encrypted with PPIDEK (384 bytes, byte array) |
pceid | String | Query | True | ^[0-9a-fA-F]{4}$ | Base16-encoded PCE-ID value (2 bytes, little endian) |
cpusvn | String | Query | True | ^[0-9a-fA-F]{32}$ | Base16-encoded CPUSVN value (16 bytes, byte array) |
Example Request
curl -v -X GET "https://api.trustedservices.intel.com/sgx/certification/v4/pckcerts/config?encrypted_ppid={}&pceid={}&cpusvn={}" -H "Ocp-Apim-Subscription-Key: {subscription key}"
Response
Response description can be found here.
POST https://api.trustedservices.intel.com/sgx/certification/v4/pckcerts
Retrieve X.509 Provisioning Certification Key (PCK) certificates for SGX-enabled platform for all configured TCB levels based on Platform Manifest and PCE-ID (supports multi-package platforms only).
Request
Name | Type | Request Type | Required | Pattern | Description |
---|---|---|---|---|---|
Ocp-Apim-Subscription-Key | String | Header | False | Subscription key which provides access to this API. It can be found in your Profile. | |
Content-Type | String | Header | True | Content Type key which is corresponding to body format application/json. | |
platformManifest | String | Body Field | True | ^[0-9a-fA-F]{16862,112884}$ | Base 16-encoded representation of Platform Manifest. |
pceid | String | Body Field | True | ^[0-9a-fA-F]{4}$ | Base16-encoded PCE-ID value (2 bytes, little endian) |
Body
{ "platformManifest":"...", "pceid":"..." }
Example Request
curl -v -X POST --data '{"platformManifest":"...", "pceid":"..."}' "https://api.trustedservices.intel.com/sgx/certification/v4/pckcerts" -H "Ocp-Apim-Subscription-Key: {subscription key}" -H "Content-Type: application/json"
Response
Response description can be found here.
POST https://api.trustedservices.intel.com/sgx/certification/v4/pckcerts/config
Retrieve X.509 Provisioning Certification Key (PCK) certificates for SGX-enabled platform with a specific configuration reflected in a raw CPUSVN retrieved from the platform (supports multi-package platforms only).
Request
Name | Type | Request Type | Required | Pattern | Description |
---|---|---|---|---|---|
Ocp-Apim-Subscription-Key | String | Header | False | Subscription key which provides access to this API. It can be found in your Profile. | |
Content-Type | String | Header | True | Content Type key which is corresponding to body format application/json. | |
platformManifest | String | Body Field | True | ^[0-9a-fA-F]{16862,112884}$ | Base 16-encoded representation of Platform Manifest. |
cpusvn | String | Body Field | True | ^[0-9a-fA-F]{32}$ | Base16-encoded CPUSVN value (16 bytes, byte array) |
pceid | String | Body Field | True | ^[0-9a-fA-F]{4}$ | Base16-encoded PCE-ID value (2 bytes, little endian) |
Body
{ "platformManifest":"...", "cpusvn":"...", "pceid":"..." }
Example Request
curl -v -X POST --data '{"platformManifest":"...", "pceid":"...", "cpusvn":"..."}' "https://api.trustedservices.intel.com/sgx/certification/v4/pckcerts/config" -H "Ocp-Apim-Subscription-Key: {subscription key}" -H "Content-Type: application/json"
Response
Model
PckCerts (JSON) - Array of data structures consisting of tcb, tcbm and certificate encoded as JSON string in case of success (200 HTTP status code)
PckCerts: type: array description: >- Array of data structures consisting of tcb, tcbm and certificate encoded as JSON string in case of success (200 HTTP status code) items: type: object properties: tcb: type: object properties: sgxtcbcomp01svn: type: integer example: 0 minimum: 0 maximum: 255 sgxtcbcomp02svn: type: integer example: 0 minimum: 0 maximum: 255 sgxtcbcomp03svn: type: integer example: 0 minimum: 0 maximum: 255 sgxtcbcomp04svn: type: integer example: 0 minimum: 0 maximum: 255 sgxtcbcomp05svn: type: integer example: 0 minimum: 0 maximum: 255 sgxtcbcomp06svn: type: integer example: 0 minimum: 0 maximum: 255 sgxtcbcomp07svn: type: integer example: 0 minimum: 0 maximum: 255 sgxtcbcomp08svn: type: integer example: 0 minimum: 0 maximum: 255 sgxtcbcomp09svn: type: integer example: 0 minimum: 0 maximum: 255 sgxtcbcomp10svn: type: integer example: 0 minimum: 0 maximum: 255 sgxtcbcomp11svn: type: integer example: 0 minimum: 0 maximum: 255 sgxtcbcomp12svn: type: integer example: 0 minimum: 0 maximum: 255 sgxtcbcomp13svn: type: integer example: 0 minimum: 0 maximum: 255 sgxtcbcomp14svn: type: integer example: 0 minimum: 0 maximum: 255 sgxtcbcomp15svn: type: integer example: 0 minimum: 0 maximum: 255 sgxtcbcomp16svn: type: integer example: 0 minimum: 0 maximum: 255 pcesvn: type: integer example: 0 minimum: 0 maximum: 65535 tcbm: type: string description: >- Hex-encoded string representation of concatenation of CPUSVN (16 bytes) and PCESVN (2 bytes) as returned in corresponding SGX PCK Certificate pattern: '^[0-9a-fA-F]{36}$' example: '000000000000000000000000000000000000' cert: type: string description: >- URL-encoded SGX PCK Certificate in PEM format for given TCB or "Not available" string if the certificate is not available for given TCB. The certificate may not be available for given TCB in case an updated Platform Manifest for a multi-package platform has not been provided to the backend after a TCB recovery (either via direct or indirect registration). example: >- -----BEGIN%20CERTIFICATE----- %0AMIIE8DCCBJagAwIBAgIVAIx6%2FEOyg7ZDHYYaL6Z5iqyMdMpjMAoGCCqGSM49BAMCMHAxIj AgBgNV%0ABAMMGUludGVsIFNHWCBQQ0sgUGxhdGZvcm0gQ0ExGjAYBgNVBAoMEUludGVsIENvcn BvcmF0aW9u%0AMRQwEgYDVQQHDAtTYW50YSBDbGFyYTELMAkGA1UECAwCQ0ExCzAJBgNVBAYTAl VTMB4XDTIwMDcy%0ANzA4NDczOFoXDTI3MDcyNzA4NDczOFowcDEiMCAGA1UEAwwZSW50ZWwgU0 dYIFBDSyBDZXJ0aWZp%0AY2F0ZTEaMBgGA1UECgwRSW50ZWwgQ29ycG9yYXRpb24xFDASBgNVBA cMC1NhbnRhIENsYXJhMQsw%0ACQYDVQQIDAJDQTELMAkGA1UEBhMCVVMwWTATBgcqhkjOPQIBBg gqhkjOPQMBBwNCAAQgWNUqMBKh%0Alrouhd5SiIBmTo8N2xPyhz215ho9SqCv00Us%2B6EcxpfH Xp%2BYAAATDNVqlECXoSIxnOK4RsbY0S%2FL%0Ao4IDCzCCAwcwHwYDVR0jBBgwFoAU7bmCA3Tz blbsRZSTub7BGnDEPbQwYgYDVR0fBFswWTBXoFWg%0AU4ZRaHR0cHM6Ly9wcmUxMy1ncmVlbi1w Y3Muc2d4bnAuYWRzZGNzcC5jb20vc2d4L2NlcnRpZmlj%0AYXRpb24vdjEvcGNrY3JsP2NhPXBs YXRmb3JtMB0GA1UdDgQWBBTbgGt0tP%2BaSI89ptnNDwof4bHa%0ASzAOBgNVHQ8BAf8EBAMCBs AwDAYDVR0TAQH%2FBAIwADCCAkEGCSqGSIb4TQENAQSCAjIwggIuMB4G%0ACiqGSIb4TQENAQEE EK4HEak9TrzqF3358MLSuggwggFrBgoqhkiG%2BE0BDQECMIIBWzAQBgsqhkiG%0A%2BE0BDQEC AQIBADARBgsqhkiG%2BE0BDQECAgICAPAwEAYLKoZIhvhNAQ0BAgMCAXswEAYLKoZIhvhN%0AAQ 0BAgQCAVowEAYLKoZIhvhNAQ0BAgUCAXUwEQYLKoZIhvhNAQ0BAgYCAgDtMBEGCyqGSIb4TQEN% 0AAQIHAgIAiDAQBgsqhkiG%2BE0BDQECCAIBBjARBgsqhkiG%2BE0BDQECCQICAMQwEAYLKoZIh vhNAQ0B%0AAgoCAWowEAYLKoZIhvhNAQ0BAgsCARwwEAYLKoZIhvhNAQ0BAgwCAXMwEAYLKoZIh vhNAQ0BAg0C%0AAVIwEQYLKoZIhvhNAQ0BAg4CAgCdMBEGCyqGSIb4TQENAQIPAgIAljARBgsqh kiG%2BE0BDQECEAIC%0AAJswEQYLKoZIhvhNAQ0BAhECAkztMB8GCyqGSIb4TQENAQISBBAA8Ht ade2IBsRqHHNSnZabMBAG%0ACiqGSIb4TQENAQMEAgAAMBQGCiqGSIb4TQENAQQEBo%2F8CgIAA DAPBgoqhkiG%2BE0BDQEFCgEBMB4G%0ACiqGSIb4TQENAQYEEDhymiRlB1pOAOALuVr4fOswRAY KKoZIhvhNAQ0BBzA2MBAGCyqGSIb4TQEN%0AAQcBAQH%2FMBAGCyqGSIb4TQENAQcCAQH%2FMBA GCyqGSIb4TQENAQcDAQH%2FMAoGCCqGSM49BAMCA0gA%0AMEUCIQCYzJBFtntwahPzxlDyi1HvP SNYQM%2F8nT4FedqhSyCzNAIgNCHbVVscxqxLsMeaDhT%2Bsjki%0AT57%2BUJFdNYTUSou15ks %3D%0A -----END%20CERTIFICATE-----
Example Response
[ { "tcb":{ "sgxtcbcomp01svn":0, "sgxtcbcomp02svn":0, "sgxtcbcomp03svn":0, "sgxtcbcomp04svn":0, "sgxtcbcomp05svn":0, "sgxtcbcomp06svn":0, "sgxtcbcomp07svn":0, "sgxtcbcomp08svn":0, "sgxtcbcomp09svn":0, "sgxtcbcomp10svn":0, "sgxtcbcomp11svn":0, "sgxtcbcomp12svn":0, "sgxtcbcomp13svn":0, "sgxtcbcomp14svn":0, "sgxtcbcomp15svn":0, "sgxtcbcomp16svn":0, "pcesvn":0 }, "tcbm":"000000000000000000000000000000000000", "cert":"-----BEGIN%20CERTIFICATE-----%0A...%3D%3D%0A-----END%20CERTIFICATE-----" } ]
Status Codes
Code | Model | Headers | Description | ||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
200 | PckCerts |
Content-Type - application/json Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) SGX-PCK-Certificate-Issuer-Chain - Issuer Certificate chain for SGX PCK Certificates. It consists of SGX Root CA Certificate and SGX Intermediate CA Certificate (Processor CA, Platform CA). SGX-FMSPC - Hex-encoded string representation of FMSPC (6 bytes). SGX-PCK-Certificate-CA-Type - Type of the SGX Intermediate CA that issued the requested SGX PCK Certificate. One of the following values:
Warning - Optional header which contains warning message, for example information about deprecation of the API |
Operation successful. | ||||||||||||||
400 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API Additional details about the error condition that occurred (in the form of specific error code and message) are returned to the client in the response headers: Error-Code and Error-Message (see the definition of response headers for details about the format). The table below defines all the error conditions that may occur:
|
Invalid request parameters. | |||||||||||||||
401 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
Failed to authenticate or authorize the request | |||||||||||||||
404 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
No PCK Certificate for provided {ppid} and {pceid} cannot be found. | |||||||||||||||
429 |
Retry-After - Non-negative decimal integer, indicating how long the user agent should wait before making a follow-up request (in seconds). Warning - Optional header which contains warning message, for example information about deprecation of the API |
Too many requests, limit has been reached. | |||||||||||||||
500 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
Internal server error occurred | |||||||||||||||
503 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
Server is currently unable to process the request |
Get Revocation List V4
Retrieve X.509 Certificate Revocation List with revoked SGX PCK Certificates. CRL is issued by Intel SGX Processor CA or Platform CA.
GET https://api.trustedservices.intel.com/sgx/certification/v4/pckcrl
Request
Name | Type | Request Type | Required | Pattern | Description |
---|---|---|---|---|---|
ca | String | Query | True | (processor|platform) | Identifier of the CA that issued the requested CRL. Allowed values:
|
encoding | String | Query | False | (pem|der) | Optional identifier of the encoding for the requested CRL. If the parameter is not provided, PEM encoding is assumed. |
Example Request
curl -v -X GET "https://api.trustedservices.intel.com/sgx/certification/v4/pckcrl?ca={}&encoding={}"
Response
Model
PckCrl (X-PEM-FILE, PKIX-CRL) - PEM or DER-encoded representation of SGX Platform CA CRL or SGX Processor CA CRL in case of success (200 HTTP status code).
Example Response
-----BEGIN X509 CRL----- ... -----END X509 CRL-----
Status Codes
Code | Model | Headers | Description |
---|---|---|---|
200 | PckCrl |
Content-Type - The value depends on the encoding of CRL:
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) SGX-PCK-CRL-Issuer-Chain - Issuer Certificate chain for SGX PCK CRL. It consists of SGX Root CA Certificate and SGX Intermediate CA Certificate (Processor CA, Platform CA). Warning - Optional header which contains warning message, for example information about deprecation of the API |
Operation successful. |
400 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
Invalid request parameters. | |
401 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
Failed to authenticate or authorize the request | |
500 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
Internal server error occurred | |
503 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
Server is currently unable to process the request |
Get SGX TCB Info V4
Retrieve SGX TCB information for given FMSPC.
Determining the status of a SGX TCB level for a given platform needs to be done using SGX TCB information according to the following algorithm:
- Retrieve FMSPC value from SGX PCK Certificate assigned to a given platform.
- Retrieve SGX TCB Info matching the FMSPC value.
-
Go over the sorted collection of TCB Levels retrieved from TCB Info starting from the first item on the list:
- Compare all of the SGX TCB Comp SVNs retrieved from the SGX PCK Certificate (from 01 to 16) with the corresponding values of SVNs in sgxtcbcomponents array of TCB Level. If all SGX TCB Comp SVNs in the certificate are greater or equal to the corresponding values in TCB Level, go to 3.b, otherwise move to the next item on TCB Levels list. list.
- Compare PCESVN value retrieved from the SGX PCK certificate with the corresponding value in the TCB Level. If it is greater or equal to the value in TCB Level, read status assigned to this TCB level. Otherwise, move to the next item on TCB Levels list.
- If no TCB level matches your SGX PCK Certificate, your TCB Level is not supported.
GET https://api.trustedservices.intel.com/sgx/certification/v4/tcb
Request
Name | Type | Request Type | Required | Pattern | Description |
---|---|---|---|---|---|
fmspc | String | Query | True | ^[0-9a-fA-F]{12}$ | Base16-encoded FMSPC value (6 bytes, byte array) |
update | String | Query | False | (early|standard) | Type of update to TCB Info If not provided standard is assumed. (commonly the day of public disclosure of the items in scope**) (commonly approximately 8 weeks after public disclosure of the items in scope, but can vary based on overall scope**) |
Example Request
curl -v -X GET "https://api.trustedservices.intel.com/sgx/certification/v4/tcb?fmspc={}&update={}"
Example Response
"tcbInfo": { "id": "SGX", "version": 3, "issueDate": "2022-04-13T09:38:17Z", "nextUpdate": "2022-05-13T09:38:17Z", "fmspc": "50806F000000", "pceId": "0000", "tcbType": 0, "tcbEvaluationDataNumber": 12, "tcbLevels": [ { "tcb": { "sgxtcbcomponents": [ { "svn": 1, "category": "BIOS", "type": "Early Microcode Update" }, { "svn": 1, "category": "OS/VMM", "type": "SGX Late Microcode Update" }, { "svn": 2, "category": "OS/VMM", "type": "TXT SINIT" }, { "svn": 2, "category": "BIOS" }, { "svn": 2, "category": "BIOS" }, { "svn": 1, "category": "BIOS" }, { "svn": 0 }, { "svn": 2, "category": "OS/VMM", "type": "SEAMLDR ACM" }, { "svn": 0 }, { "svn": 0 }, { "svn": 0 }, { "svn": 0 }, { "svn": 0 }, { "svn": 0 }, { "svn": 0 }, { "svn": 0 } ], "pcesvn": 11 }, "tcbDate": "2021-11-10T00:00:00Z", "tcbStatus": "UpToDate" }, { "tcb": { "sgxtcbcomponents": [ { "svn": 1, "category": "BIOS", "type": "Early Microcode Update" }, { "svn": 1, "category": "OS/VMM", "type": "SGX Late Microcode Update" }, { "svn": 2, "category": "OS/VMM", "type": "TXT SINIT" }, { "svn": 2, "category": "BIOS" }, { "svn": 2, "category": "BIOS" }, { "svn": 1, "category": "BIOS" }, { "svn": 0 }, { "svn": 2, "category": "OS/VMM", "type": "SEAMLDR ACM" }, { "svn": 0 }, { "svn": 0 }, { "svn": 0 }, { "svn": 0 }, { "svn": 0 }, { "svn": 0 }, { "svn": 0 }, { "svn": 0 } ], "pcesvn": 5 }, "tcbDate": "2018-01-04T00:00:00Z", "tcbStatus": "OutOfDate" } ] }, "signature": "e9de1198f5b8ce22c626ac4182b92a83ba61693f483a398dc5c2afed65d757cb35cefd7e284cb1f4fbdb9a6e74171fe72bf724050dde5e8d6d93d2339eea3cf2" }
Response
Model - Appendix A: TCB Info V3
Status Codes
Code | Model | Headers | Description |
---|---|---|---|
200 | TcbInfoV3 |
Content-Type - application/json Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) TCB-Info-Issuer-Chain - Issuer Certificate chain for SGX TCB Info in PEM format. It consists of SGX TCB Signing Certificate and SGX Root CA Certificate. Warning - Optional header which contains warning message, for example information about deprecation of the API |
Operation successful |
400 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
Invalid request parameters. | |
401 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
Failed to authenticate or authorize the request | |
404 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
TCB information for provided {fmspc} cannot be found. | |
500 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
Internal server error occurred | |
503 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
Server is currently unable to process the request |
Get TDX TCB Info V4
Retrieve TDX TCB information for given FMSPC.
Determining the status of a TDX TCB level for a given platform needs to be done using TDX TCB information according to the following algorithm:
- Retrieve FMSPC value from SGX PCK Certificate assigned to a given platform.
- Retrieve TDX TCB Info matching the FMSPC value.
-
Go over the sorted collection of TCB Levels retrieved from TCB Info starting from the first item on the list:
- Compare all of the SGX TCB Comp SVNs retrieved from the SGX PCK Certificate (from 01 to 16) with the corresponding values of SVNs in sgxtcbcomponents array of TCB Level. If all SGX TCB Comp SVNs in the certificate are greater or equal to the corresponding values in TCB Level, go to 3.b, otherwise move to the next item on TCB Levels list. list.
- Compare PCESVN value retrieved from the SGX PCK certificate with the corresponding value in the TCB Level. If it is greater or equal to the value in TCB Level, go to 3.c, otherwise move to the next item on TCB Levels list.
- Compare SVNs in TEE TCB SVN array retrieved from TD Report in Quote (from index 0 to 15 if TEE TCB SVN at index 1 is set to 0, or from index 2 to 15 otherwise) with the corresponding values of SVNs in tdxtcbcomponents array of TCB Level. If all TEE TCB SVNs in the TD Report are greater or equal to the corresponding values in TCB Level, read tcbStatus assigned to this TCB level. Otherwise, move to the next item on TCB Levels list.
- If no TCB level matches your SGX PCK Certificate and TD Report, your TCB level is not supported.
- Perform additional TCB status evaluation for TDX module in case TEE TCB SVN at index 1 is greater or equal to 1, otherwise finish the comparison logic. In order to determine TCB status of TDX module, find a matching TDX Module Identity (in tdxModuleIdentities array of TCB Info) with its id set to "TDX_<version>" where <version> matches the value of TEE TCB SVN at index 1. If a matching TDX Module Identity cannot be found, go to step 6, otherwise, for the selected TDX Module Identity go over the sorted collection of TCB Levels starting from the first item on the list and compare its isvsvn value to the TEE TCB SVN at index 0. If TEE TCB SVN at index 0 is greater or equal to its value, read tcbStatus assigned to this TCB level, otherwise move to the next item on TCB levels list.
- If no TCB level matches, the TCB level of TDX Module is not supported.
GET https://api.trustedservices.intel.com/tdx/certification/v4/tcb
Request
Name | Type | Request Type | Required | Pattern | Description |
---|---|---|---|---|---|
fmspc | String | Query | True | ^[0-9a-fA-F]{12}$ | Base16-encoded FMSPC value (6 bytes, byte array) |
update | String | Query | False | (early|standard) | Type of update to TCB Info If not provided standard is assumed. (commonly the day of public disclosure of the items in scope**) (commonly approximately 8 weeks after public disclosure of the items in scope, but can vary based on overall scope**) |
Example Request
curl -v -X GET "https://api.trustedservices.intel.com/tdx/certification/v4/tcb?fmspc={}&update={}"
Example Response
{ "tcbInfo": { "id": "TDX", "version": 3, "issueDate": "2022-04-13T09:37:45Z", "nextUpdate": "2022-05-13T09:37:45Z", "fmspc": "50806F000000", "pceId": "0000", "tcbType": 0, "tcbEvaluationDataNumber": 12, "tdxModule": { "mrsigner": "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", "attributes": "0000000000000000", "attributesMask": "FFFFFFFFFFFFFFFF" }, "tcbLevels": [ { "tcb": { "sgxtcbcomponents": [ { "svn": 1, "category": "BIOS", "type": "Early Microcode Update" }, { "svn": 1, "category": "OS/VMM", "type": "SGX Late Microcode Update" }, { "svn": 2, "category": "OS/VMM", "type": "TXT SINIT" }, { "svn": 2, "category": "BIOS" }, { "svn": 2, "category": "BIOS" }, { "svn": 1, "category": "BIOS" }, { "svn": 0 }, { "svn": 2, "category": "OS/VMM", "type": "SEAMLDR ACM" }, { "svn": 0 }, { "svn": 0 }, { "svn": 0 }, { "svn": 0 }, { "svn": 0 }, { "svn": 0 }, { "svn": 0 }, { "svn": 0 } ], "pcesvn": 11, "tdxtcbcomponents": [ { "svn": 2, "category": "OS/VMM", "type": "TDX Module" }, { "svn": 0 }, { "svn": 1, "category": "OS/VMM", "type": "TDX Late Microcode Update" }, { "svn": 0 }, { "svn": 0 }, { "svn": 0 }, { "svn": 0 }, { "svn": 0 }, { "svn": 0 }, { "svn": 0 }, { "svn": 0 }, { "svn": 0 }, { "svn": 0 }, { "svn": 0 }, { "svn": 0 }, { "svn": 0 } ] }, "tcbDate": "2021-11-10T00:00:00Z", "tcbStatus": "UpToDate" }, { "tcb": { "sgxtcbcomponents": [ { "svn": 1, "category": "BIOS", "type": "Early Microcode Update" }, { "svn": 1, "category": "OS/VMM", "type": "SGX Late Microcode Update" }, { "svn": 2, "category": "OS/VMM", "type": "TXT SINIT" }, { "svn": 2, "category": "BIOS" }, { "svn": 2, "category": "BIOS" }, { "svn": 1, "category": "BIOS" }, { "svn": 0 }, { "svn": 2, "category": "OS/VMM", "type": "SEAMLDR ACM" }, { "svn": 0 }, { "svn": 0 }, { "svn": 0 }, { "svn": 0 }, { "svn": 0 }, { "svn": 0 }, { "svn": 0 }, { "svn": 0 } ], "pcesvn": 5, "tdxtcbcomponents": [ { "svn": 2, "category": "OS/VMM", "type": "TDX Module" }, { "svn": 0 }, { "svn": 1, "category": "OS/VMM", "type": "TDX Late Microcode Update" }, { "svn": 0 }, { "svn": 0 }, { "svn": 0 }, { "svn": 0 }, { "svn": 0 }, { "svn": 0 }, { "svn": 0 }, { "svn": 0 }, { "svn": 0 }, { "svn": 0 }, { "svn": 0 }, { "svn": 0 }, { "svn": 0 } ] }, "tcbDate": "2018-01-04T00:00:00Z", "tcbStatus": "OutOfDate" } ] }, "signature": "567769750d895be97ef0cb1eb951f1cf78bf0dfbacd8ad50ad3b1a46623cd4827daf69edcb3cbf283c1ab177bf417a4353a0346ba956b38f4816ff739fe935e6" }
Response
Model - Appendix A: TCB Info V3
Status Codes
Code | Model | Headers | Description |
---|---|---|---|
200 | TcbInfoV3 |
Content-Type - application/json Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) TCB-Info-Issuer-Chain - Issuer Certificate chain for SGX TCB Info in PEM format. It consists of SGX TCB Signing Certificate and SGX Root CA Certificate. Warning - Optional header which contains warning message, for example information about deprecation of the API |
Operation successful |
400 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
Invalid request parameters. | |
401 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
Failed to authenticate or authorize the request | |
404 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
TCB information for provided {fmspc} cannot be found. | |
500 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
Internal server error occurred | |
503 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
Server is currently unable to process the request |
Enclave Identity V4
Determining if the identity of a SGX Enclave (represented by SGX Enclave Report) matches a valid, up-to-date Enclave Identity issued by Intel requires following steps:
- Retrieve Enclave Identity(SGX QE, TDX QE, QVE or QAE) from PCS and verify that it is a valid structure issued by Intel.
- Perform the following comparison of SGX Enclave Report against the retrieved Enclave Identity:
- Verify if MRSIGNER field retrieved from SGX Enclave Report is equal to the value of mrsigner field in Enclave Identity.
- Verify if ISVPRODID field retrieved from SGX Enclave Report is equal to the value of isvprodid field in Enclave Identity.
- Apply miscselectMask (binary mask) from Enclave Identity to MISCSELECT field retrieved from SGX Enclave Report. Verify if the outcome (miscselectMask & MISCSELECT) is equal to the value of miscselect field in Enclave Identity.
- Apply attributesMask (binary mask) from Enclave Identity to ATTRIBUTES field retrieved from SGX Enclave Report. Verify if the outcome (attributesMask & ATTRIBUTES) is equal to the value of attributes field in Enclave Identity.
- If any of the checks above fail, the identity of the enclave does not match Enclave Identity published by Intel.
-
Determine a TCB status of the Enclave:
- Retrieve a collection of TCB Levels (sorted by ISVSVNs) from tcbLevels field in Enclave Identity structure.
- Go over the list of TCB Levels (descending order) and find the one that has ISVSVN that is lower or equal to the ISVSVN value from SGX Enclave Report.
- If a TCB level is found, read its status from tcbStatus field, otherwise your TCB Level is not supported.
GET https://api.trustedservices.intel.com/sgx/certification/v4/qe/identity
Request
Name | Type | Request Type | Required | Pattern | Description |
---|---|---|---|---|---|
update | String | Query | False | (early|standard) | Type of update to QE Identity If not provided standard is assumed. (commonly the day of public disclosure of the items in scope**) (commonly approximately 8 weeks after public disclosure of the items in scope, but can vary based on overall scope**) |
Example Request
curl -v -X GET "https://api.trustedservices.intel.com/sgx/certification/v4/qe/identity?update={}"
Response
Model - Appendix B: Enclave Identity V2
Status Codes
Code | Model | Headers | Description |
---|---|---|---|
200 | QEIdentityV2 |
Content-Type - application/json Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) SGX-Enclave-Identity-Issuer-Chain - URL encoded issuer chain for SGX QE Identity in PEM format (all certificates in the chain, appended to each other in the following order: <Signing Certificate><Root CA Certificate>). Warning - Optional header which contains warning message, for example information about deprecation of the API |
Operation successful |
400 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
Invalid request parameters. | |
401 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
Failed to authenticate or authorize the request | |
404 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
QE Identity information cannot be found. | |
500 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
Internal server error occurred | |
503 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
Server is currently unable to process the request |
Example Response
{ "enclaveIdentity": { "id": "QE", "version": 2, "issueDate": "2022-04-13T10:15:38Z", "nextUpdate": "2022-05-13T10:15:38Z", "tcbEvaluationDataNumber": 12, "miscselect": "00000000", "miscselectMask": "FFFFFFFF", "attributes": "11000000000000000000000000000000", "attributesMask": "FBFFFFFFFFFFFFFF0000000000000000", "mrsigner": "8C4F5775D796503E96137F77C68A829A0056AC8DED70140B081B094490C57BFF", "isvprodid": 1, "tcbLevels": [ { "tcb": { "isvsvn": 6 }, "tcbDate": "2021-11-10T00:00:00Z", "tcbStatus": "UpToDate" }, { "tcb": { "isvsvn": 5 }, "tcbDate": "2020-11-11T00:00:00Z", "tcbStatus": "OutOfDate" }, { "tcb": { "isvsvn": 4 }, "tcbDate": "2019-11-13T00:00:00Z", "tcbStatus": "OutOfDate" }, { "tcb": { "isvsvn": 2 }, "tcbDate": "2019-05-15T00:00:00Z", "tcbStatus": "OutOfDate" }, { "tcb": { "isvsvn": 1 }, "tcbDate": "2018-08-15T00:00:00Z", "tcbStatus": "OutOfDate" } ] }, "signature": "225359b14e870bd81a9e92691cdf5af520883688ec326af0327047a8516e0329c0ba94e1fec24be74f99ca6e7cffb5b46332346edc72e7063096e01340253c06" }
GET https://api.trustedservices.intel.com/tdx/certification/v4/qe/identity
Request
Name | Type | Request Type | Required | Pattern | Description |
---|---|---|---|---|---|
update | String | Query | False | (early|standard) | Type of update to QE Identity If not provided standard is assumed. (commonly the day of public disclosure of the items in scope**) (commonly approximately 8 weeks after public disclosure of the items in scope, but can vary based on overall scope**) |
Example Request
curl -v -X GET "https://api.trustedservices.intel.com/tdx/certification/v4/qe/identity?update={}"
Response
Model - Appendix B: Enclave Identity V2
Status Codes
Code | Model | Headers | Description |
---|---|---|---|
200 | QEIdentityV2 |
Content-Type - application/json Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) SGX-Enclave-Identity-Issuer-Chain - URL encoded issuer chain for TDX QE Identity in PEM format (all certificates in the chain, appended to each other in the following order: <Signing Certificate><Root CA Certificate>). Warning - Optional header which contains warning message, for example information about deprecation of the API |
Operation successful |
400 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
Invalid request parameters. | |
401 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
Failed to authenticate or authorize the request | |
404 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
QE Identity information cannot be found. | |
500 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
Internal server error occurred | |
503 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
Server is currently unable to process the request |
Example Response
{ "enclaveIdentity": { "id": "TD_QE", "version": 2, "issueDate": "2022-04-13T09:37:47Z", "nextUpdate": "2022-05-13T09:37:47Z", "tcbEvaluationDataNumber": 12, "miscselect": "00000000", "miscselectMask": "FFFFFFFF", "attributes": "11000000000000000000000000000000", "attributesMask": "FBFFFFFFFFFFFFFF0000000000000000", "mrsigner": "DC9E2A7C6F948F17474E34A7FC43ED030F7C1563F1BABDDF6340C82E0E54A8C5", "isvprodid": 2, "tcbLevels": [ { "tcb": { "isvsvn": 3 }, "tcbDate": "2021-11-10T00:00:00Z", "tcbStatus": "UpToDate" } ] }, "signature": "9d4d56c41e80cc44df5ec2ad52f309d8364b444f5b83efc48a0c1393afd11c288754ed77b63bce2a7c59c75ae2012606e1d926cf295f3d0b59e1848a8de36efd" }
GET https://api.trustedservices.intel.com/sgx/certification/v4/qve/identity
Request
Name | Type | Request Type | Required | Pattern | Description |
---|---|---|---|---|---|
update | String | Query | False | (early|standard) | Type of update to QVE Identity If not provided standard is assumed. (commonly the day of public disclosure of the items in scope**) (commonly approximately 8 weeks after public disclosure of the items in scope, but can vary based on overall scope**) |
Example Request
curl -v -X GET "https://api.trustedservices.intel.com/sgx/certification/v4/qve/identity?update={}"
Response
Model - Appendix B: Enclave Identity V2
Status Codes
Code | Model | Headers | Description |
---|---|---|---|
200 | QEIdentityV2 |
Content-Type - application/json Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) SGX-Enclave-Identity-Issuer-Chain - URL encoded issuer chain for SGX QVE Identity in PEM format (all certificates in the chain, appended to each other in the following order: <Signing Certificate><Root CA Certificate>). Warning - Optional header which contains warning message, for example information about deprecation of the API |
Operation successful |
400 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
Invalid request parameters. | |
401 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
Failed to authenticate or authorize the request | |
404 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
QVE Identity information cannot be found. | |
500 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
Internal server error occurred | |
503 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
Server is currently unable to process the request |
Example Response
{ "enclaveIdentity": { "id": "QVE", "version": 2, "issueDate": "2022-04-13T09:37:47Z", "nextUpdate": "2022-05-13T09:37:47Z", "tcbEvaluationDataNumber": 12, "miscselect": "00000000", "miscselectMask": "FFFFFFFF", "attributes": "01000000000000000000000000000000", "attributesMask": "FBFFFFFFFFFFFFFF0000000000000000", "mrsigner": "8C4F5775D796503E96137F77C68A829A0056AC8DED70140B081B094490C57BFF", "isvprodid": 2, "tcbLevels": [ { "tcb": { "isvsvn": 3 }, "tcbDate": "2021-11-10T00:00:00Z", "tcbStatus": "UpToDate" } ] }, "signature": "c9ceffca9079dead55f3b6af405b1093404ec5766dde6f399e2d71485ebd87be9c9b34bcefd7fdba18a1af4610e97597fd4e66e588b1ebb67e890a9657576c2c" }
GET https://api.trustedservices.intel.com/sgx/certification/v4/qae/identity
Request
Name | Type | Request Type | Required | Pattern | Description |
---|---|---|---|---|---|
update | String | Query | False | (early|standard) | Type of update to QAE Identity If not provided standard is assumed. (commonly the day of public disclosure of the items in scope**) (commonly approximately 8 weeks after public disclosure of the items in scope, but can vary based on overall scope**) |
Example Request
curl -v -X GET "https://api.trustedservices.intel.com/sgx/certification/v4/qae/identity?update={}"
Response
Model - Appendix B: Enclave Identity V2
Status Codes
Code | Model | Headers | Description |
---|---|---|---|
200 | QEIdentityV2 |
Content-Type - application/json Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) SGX-Enclave-Identity-Issuer-Chain - URL encoded issuer chain for SGX QAE Identity in PEM format (all certificates in the chain, appended to each other in the following order: <Signing Certificate><Root CA Certificate>). Warning - Optional header which contains warning message, for example information about deprecation of the API |
Operation successful |
400 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
Invalid request parameters. | |
401 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
Failed to authenticate or authorize the request | |
404 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
QAE Identity information cannot be found. | |
500 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
Internal server error occurred | |
503 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
Server is currently unable to process the request |
Example Response
{ "enclaveIdentity": { "id": "QAE", "version": 2, "issueDate": "2022-04-13T09:37:47Z", "nextUpdate": "2022-05-13T09:37:47Z", "tcbEvaluationDataNumber": 12, "miscselect": "00000000", "miscselectMask": "FFFFFFFF", "attributes": "01000000000000000000000000000000", "attributesMask": "FBFFFFFFFFFFFFFF0000000000000000", "mrsigner": "8C4F5775D796503E96137F77C68A829A0056AC8DED70140B081B094490C57BFF", "isvprodid": 2, "tcbLevels": [ { "tcb": { "isvsvn": 3 }, "tcbDate": "2021-11-10T00:00:00Z", "tcbStatus": "UpToDate" } ] }, "signature": "c9ceffca9079dead55f3b6af405b1093404ec5766dde6f399e2d71485ebd87be9c9b34bcefd7fdba18a1af4610e97597fd4e66e588b1ebb67e890a9657576c2c" }
Retrieve FMSPCs V4
Retrieve list of FMSPC values for SGX and TDX platforms supporting DCAP attestation.
GET https://api.trustedservices.intel.com/sgx/certification/v4/fmspcs
Request
Name | Type | Request Type | Required | Description |
---|---|---|---|---|
platform | String | Query | False |
Optional identifier of the platform types to query Allowed values:
|
Example Request
curl -v -X GET "https://api.trustedservices.intel.com/sgx/certification/v4/fmspcs?platform={}
Response
Status Codes
Code | Headers | Description |
---|---|---|
200 |
Content-Type - application/json Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
Operation successful |
400 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
Invalid request parameters. |
500 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
Internal server error occurred |
503 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
Server is currently unable to process the request |
Example Response
[ { "fmspc": "AABBCCDD0000", "platform": "E3" }, { "fmspc": "123456780000", "platform": "E5" }, { "fmspc": "876543210000", "platform": "client" } ]
Appendix A: TCB Info V3
Response
Model
TcbInfoV3 (JSON) - SGX/TDX TCB Info encoded as JSON string in case of success (200 HTTP status code)
TcbInfoV3: type: object description: >- SGX TCB Info encoded as JSON string in case of success (200 HTTP status code) properties: tcbInfo: type: object properties: id: type: string description: Identifier of the TCB Info issued by Intel. Supported values are SGX or TDX. version: type: integer example: 2 description: Version of the structure issueDate: type: string format: date-time description: >- Representation of date and time the TCB information was created. The time shall be in UTC and the encoding shall be compliant to ISO 8601 standard (YYYY-MM-DDThh:mm:ssZ) nextUpdate: type: string format: date-time description: >- Representation of date and time by which next TCB information will be issued. The time shall be in UTC and the encoding shall be compliant to ISO 8601 standard (YYYY-MM-DDThh:mm:ssZ) fmspc: type: string pattern: ^[0-9a-fA-F]{12}$ example: '000000000000' description: >- Base 16-encoded string representation of FMSPC (Family-Model-Stepping-Platform-CustomSKU) pceId: type: string pattern: ^[0-9a-fA-F]{4}$ example: '0000' description: Base 16-encoded string representation of PCE identifier tcbType: type: integer example: 0 description: >- Type of TCB level composition that determines TCB level comparison logic tcbEvaluationDataNumber: type: integer example: 2 description: >- A monotonically increasing sequence number changed when Intel updates the content of the TCB evaluation data set: TCB Info, QE Identity, QVE Identity and QAE Identity. The tcbEvaluationDataNumber update is synchronized across TCB Info for all flavors of SGX CPUs (Family-Model-Stepping-Platform-CustomSKU) and QE/QVE/QAE Identity. This sequence number allows users to easily determine when a particular TCB Info/QE Identity/QVE Identity/QAE Identity superseedes another TCB Info/QE Identity/QVE Identity/QAE Identity (value: current TCB Recovery event number stored in the database). tdxModule: type: object description: >- This field is optional. It will be present only in context of TDX TCB Info. properties: mrsigner: type: string pattern: ^[0-9a-fA-F]{96}$ example: '0000000000000000000000000000000000000000000000000000000000000000' description: Base 16-encoded string representation of the measurement of a TDX SEAM module's signer. attributes: type: string pattern: ^[0-9a-fA-F]{16}$ example: '0000000000000000' description: Hex-encoded byte array (8 bytes) representing attributes "golden" value (upon applying mask) for TDX SEAM module. attributesMask: type: string pattern: ^[0-9a-fA-F]{16}$ example: 'FFFFFFFFFFFFFFFF' description: Hex-encoded byte array (8 bytes) representing mask to be applied to TDX SEAM module's attributes value retrieved from the platform. tdxModuleIdentities: type: array description: >- This field is optional. It will be present only in context of TDX TCB Info when the platform supports more than one TDX SEAM Module. items: type: object properties: id: type: string description: Identifier of TDX Module mrsigner: type: string pattern: ^[0-9a-fA-F]{96}$ example: '0000000000000000000000000000000000000000000000000000000000000000' description: Base 16-encoded string representation of the measurement of a TDX SEAM module's signer. attributes: type: string pattern: ^[0-9a-fA-F]{16}$ example: '0000000000000000' description: Base 16-encoded string representation of the byte array (8 bytes) representing attributes "golden" value (upon applying mask) for TDX SEAM module. attributesMask: type: string pattern: ^[0-9a-fA-F]{16}$ example: 'FFFFFFFFFFFFFFFF' description: Base 16-encoded string representation of the byte array (8 bytes) representing mask to be applied to TDX SEAM module's attributes value retrieved from the platform. tcbLevels: type: array description: >- Sorted list of supported TCB levels for given TDX SEAM module encoded as a JSON array of TCB level objects. items: type: object properties: tcb: type: object properties: isvnsvn: description: TDX SEAM module's ISV SVN type: integer tcbDate: type: string format: date-time description: >- If there are security advisories published by Intel after tcbDate that are for issues whose mitigations are currently enforced* by SGX/TDX attestation, then the value of tcbStatus for the TCB level will not be UpToDate. Otherwise (i.e., either no advisories after or not currently enforced), the value of tcbStatus for the TCB level will not be OutOfDate. The time shall be in UTC and the encoding shall be compliant to ISO 8601 standard (YYYY-MM-DDThh:mm:ssZ). tcbStatus: type: string enum: - UpToDate - OutOfDate - Revoked description: >- TCB level status. One of the following values: "UpToDate" - TCB level of the TDX SEAM Module is up-to-date. "OutOfDate" - TCB level of TDX SEAM Module is outdated. "Revoked" - TCB level of TDX SEAM Module is revoked. The platform is not trustworthy. advisoryIDs: type: array description: >- Array of Advisory IDs referring to Intel security advisories that provide insight into the reason(s) for the value of tcbStatus for this TCB level when the value is not UpToDate. This field is optional. It will be present only if the list of Advisory IDs is not empty. items: type: string tcbLevels: type: array description: >- Sorted list of supported TCB levels for given FMSPC encoded as a JSON array of TCB level objects items: type: object properties: tcb: type: object properties: sgxtcbcomponents: description: >- Array of 16 SGX TCB Components (as in CPUSVN) encoded as a JSON array of TCB Component objects. items: properties: svn: type: "integer" description: SVN of TCB Component. This field is mandatory. category: type: "string" description: Category of TCB Component (e.g. ucode, BIOS, SW). This field is optional and will be present only for selected TCB Components. type: type: "string" description: Type of TCB Component (e.g. Patch@Reset, Late Patch). This field is optional and will be present only for selected TCB Components. pcesvn: type: integer example: 0 minimum: 0 maximum: 65535 tdxtcbcomponents: description: >- Array of 16 TDX TCB Components (as in TEE TCB SVN array in TD Report) encoded as a JSON array of TCB Component objects. This field is optional and only present in TDX TCB Info. items: properties: svn: type: "integer" description: SVN of TCB Component. This field is mandatory. category: type: "string" description: Category of TCB Component (e.g. ucode, BIOS, SW). This field is optional and will be present only for selected TCB Components. type: type: "string" description: Type of TCB Component (e.g. Patch@Reset, Late Patch). This field is optional and will be present only for selected TCB Components. tcbDate: type: string format: date-time description: >- If there are security advisories published by Intel after tcbDate that are for issues whose mitigations are currently enforced* by SGX attestation, then the value of tcbStatus for the TCB level will not be UpToDate. Otherwise (i.e., either no advisories after or not currently enforced), the value of tcbStatus for the TCB level will not be OutOfDate. The time shall be in UTC and the encoding shall be compliant to ISO 8601 standard (YYYY-MM-DDThh:mm:ssZ). tcbStatus: type: string enum: - UpToDate - SWHardeningNeeded - ConfigurationNeeded - ConfigurationAndSWHardeningNeeded - OutOfDate - OutOfDateConfigurationNeeded - Revoked description: >- TCB level status. One of the following values: "UpToDate" - TCB level of the SGX platform is up-to-date. "SWHardeningNeeded" - TCB level of the SGX platform is up-to-date but due to certain issues affecting the platform, additional SW Hardening in the attesting SGX enclaves may be needed. "ConfigurationNeeded" - TCB level of the SGX platform is up-to-date but additional configuration of SGX platform may be needed. "ConfigurationAndSWHardeningNeeded" - TCB level of the SGX platform is up-to-date but additional configuration for the platform and SW Hardening in the attesting SGX enclaves may be needed. "OutOfDate" - TCB level of SGX platform is outdated. "OutOfDateConfigurationNeeded" - TCB level of SGX platform is outdated and additional configuration of SGX platform may be needed. "Revoked" - TCB level of SGX platform is revoked. The platform is not trustworthy. advisoryIDs: type: array description: >- Array of Advisory IDs referring to Intel security advisories that provide insight into the reason(s) for the value of tcbStatus for this TCB level when the value is not UpToDate. Note: The value can be different for different FMSPCs. This field is optional. It will be present only if the list of Advisory IDs is not empty. items: type: string signature: type: string description: >- Base 16-encoded string representation of signature calculated over tcbInfo body without whitespaces using TCB Signing Key i.e: {"version":2,"issueDate":"2019-07-30T12:00:00Z","nextUpdate":"2019-08-30T12:00:00Z",...}
Appendix B: Enclave Identity V2
Model
EnclaveIdentityV2 (JSON) - SGX Enclave Identity data structure encoded as JSON string in case of success (200 HTTP status code)
EnclaveIdentityV2: type: object description: SGX Enclave Identity data structure encoded as JSON string in case of success (200 HTTP status code) properties: enclaveIdentity: type: object properties: id: type: string description: Identifier of the SGX Enclave issued by Intel. Supported values are QE, QVE, QAE and TD_QE version: type: integer example: 2 description: Version of the structure issueDate: type: string format: date-time description: >- Representation of date and time the Enclave Identity information was created. The time shall be in UTC and the encoding shall be compliant to ISO 8601 standard (YYYY-MM-DDThh:mm:ssZ) nextUpdate: type: string format: date-time description: >- Representation of date and time by which next Enclave Identity information will be issued. The time shall be in UTC and the encoding shall be compliant to ISO 8601 standard (YYYY-MM-DDThh:mm:ssZ) tcbEvaluationDataNumber: type: integer example: 2 description: >- A monotonically increasing sequence number changed when Intel updates the content of the TCB evaluation data set: TCB Info, QE Identity, QVE Identity and QAE Identity. The tcbEvaluationDataNumber update is synchronized across TCB Info for all flavors of SGX CPUs (Family-Model-Stepping-Platform-CustomSKU) and QE/QVE/QAE Identity. This sequence number allows users to easily determine when a particular TCB Info/QE Identity/QVE Identity/QAE Identity superseedes another TCB Info/QE Identity/QVE Identity/QAE Identity (value: current TCB Recovery event number stored in the database). miscselect: type: string pattern: ^[0-9a-fA-F]{8}$ example: '00000000' description: Base 16-encoded string representing miscselect "golden" value (upon applying mask). miscselectMask: type: string pattern: ^[0-9a-fA-F]{8}$ example: '00000000' description: Base 16-encoded string representing mask to be applied to miscselect value retrieved from the platform. attributes: type: string pattern: ^[0-9a-fA-F]{32}$ example: '00000000000000000000000000000000' description: Base 16-encoded string representing attributes "golden" value (upon applying mask). attributesMask: type: string pattern: ^[0-9a-fA-F]{32}$ example: '00000000000000000000000000000000' description: Base 16-encoded string representing mask to be applied to attributes value retrieved from the platform. mrsigner: type: string pattern: ^[0-9a-fA-F]{64}$ example: '0000000000000000000000000000000000000000000000000000000000000000' description: Base 16-encoded string representing mrsigner hash. isvprodid: type: integer example: 0 minimum: 0 maximum: 65535 description: Enclave Product ID. tcbLevels: description: >- Sorted list of supported Enclave TCB levels for given QE encoded as a JSON array of Enclave TCB level objects. type: array items: type: object properties: tcb: type: object properties: isvsvn: description: SGX Enclave's ISV SVN type: integer tcbDate: type: string format: date-time description: >- If there are security advisories published by Intel after tcbDate that are for issues whose mitigations are currently enforced* by SGX attestation, then the value of tcbStatus for the TCB level will not be UpToDate. Otherwise (i.e., either no advisories after or not currently enforced), the value of tcbStatus for the TCB level will not be OutOfDate. The time shall be in UTC and the encoding shall be compliant to ISO 8601 standard (YYYY-MM-DDThh:mm:ssZ). tcbStatus: type: string enum: - UpToDate - OutOfDate - Revoked description: >- TCB level status. One of the following values: "UpToDate" - TCB level of the SGX platform is up-to-date. "OutOfDate" - TCB level of SGX platform is outdated. "Revoked" - TCB level of SGX platform is revoked. The platform is not trustworthy. advisoryIDs: type: array description: >- Array of Advisory IDs referring to Intel security advisories that provide insight into the reason(s) for the value of tcbStatus for this TCB level when the value is not UpToDate. This field is optional. It will be present only if the list of Advisory IDs is not empty. items: type: string signature: type: string description: Hex-encoded string representation of a signature calculated over qeIdentity body (without whitespaces) using TCB Info Signing Key.
PCK Certificate and CRL Specification
This document specifies the hierarchy and format of X.509 v3 certificates and X.509 v2 Certificate Revocation Lists (CRLs) issued by Intel for Provisioning Certification Keys.
* Enforcement of a mitigation means that 1) the attestation process can tell whether the mitigation is present or not and 2) the attestation result will be different when the mitigation is present than when it's not. Intel offers verifiers and relying parties different enforcement grace periods through use of an "update" (PCS API) parameter. The value of this parameter can be standard (default) or early. Conclusions drawn when using one value of the parameter should not be applied globally, that is, when enforcement occurs depends on which value of the update parameter is used. Here, attestation result refers to the result of the objective assessment of the attestation, the assessment that only considers whether mitigations are present or not. Relying parties are free to also use additional factors, of their choosing, to determine whether to trust the attesting platform. The relying party's "trust decision" may be different than that suggested by the attestation result. For example, in cases where the attestation result is out of date, but only due to mitigations for very low severity issues being absent, the relying party may choose to proceed as though the attesting platform were up to date, accepting all the security risks of doing so.
** Intel will strive to communicate planned deviations from this schedule via email notifications to registered API subscribers.
Intel, the Intel logo and Xeon are trademarks of Intel Corporation or its subsidiaries.