Intel SGX Attestation Service Utilizing EPID

The Attestation API exposed by the Intel® SGX attestation service is a programming interface for service providers to verify attestation evidence of SGX enabled enclaves. View the Intel SGX EPID API Specification.

Download the Attestation Report Root CA Certificate here:
DER PEM

Intel® SGX Registration Service for Multi-package Platforms

The API exposed by the Intel® SGX registration service allows to register an Intel(R) SGX platform with multiple processor packages as a single platform instance which can be later on remotely attested as a single entity.

The minimum version of the TLS protocol supported by the service is 1.2 - any connection attempts with previous versions of TLS/SSL will be dropped by the server.

Register Platform

This API allows to register multi-package SGX platform (includes initial registration and TCB Recovery). As part of the registration, the platform manifest is authenticated by the Registration Service as originating from a genuine, non-revoked SGX platform. If the platform configuration is verified successfully, platform provisioning root keys are stored in the backend.

Stored platform provisioning root keys are later used to derive public parts of Provisioning Certification Keys (PCKs) that are distributed in the form of x.509 certificates by the Provisioning Certification Service for Intel® SGX. PCK certificates are used during remote attestation of the platform.

POST https://api.trustedservices.intel.com/sgx/registration/v1/platform

Request

Headers
Besides headers explicitly mentioned in the table below, the HTTP request may contain standard HTTP headers required in the request (e.g. Content-Length).
Name Required Value Description
Content-Type True application/octet-stream MIME type of the request body.
Body

Binary representation of Platform Manifest structure - an opaque blob that represents a registration manifest for multi-package platform. It contains platform provisioning root keys established by given platform instance and data required to authenticate the platform as a genuine, non-revoked SGX platform.

Example Request
curl -H "Content-Type: application/octet-stream" -v --data-binary @platform_manifest -X POST "https://api.trustedservices.intel.com/sgx/registration/v1/platform"

Response

Model

Hex-encoded representation of PPID for the registered platform instance (only if HTTP Status Code is 201, empty body otherwise).

Example Response
00112233445566778899AABBCCDDEEFF
Status Codes
Status Code Headers Body Description
201

Request-ID - Randomly generated identifier for each request (for troubleshooting purposes)

Hex-encoded representation of PPID for the registered platform instance.

Operation successful (new platform instance registered). A new platform instance has been registered in the backend.
400

Request-ID - Randomly generated identifier for each request (for troubleshooting purposes)

Error-Code and Error-Message:

  • InvalidRequestSyntax - The request could not be understood by the server due to malformed syntax.
  • InvalidRegistrationServer - The request was rejected by the server as it is intended to be processed by a different instance of Registration Server (Registration Server Authentication Key mismatch).
  • InvalidOrRevokedPackage - The request was rejected by the server due to invalid or revoked processor package.
  • PackageNotFound - The request was rejected by the server as at least one of the processor packages could not be recognized by the server.
  • IncompatiblePackage - The request was rejected by the server as at least one of the processor packages is incompatible with rest of the processor packages forming the platform.
  • InvalidPlatformManifest - The request was rejected by the server due to invalid platform configuration.
  • CachedKeysPolicyViolation - The request was rejected due to a different policy for keys caching being set for this Platform Instance.

Invalid Platform Manifest. The client should not repeat the request without modifications.

Additional details about the error condition that occurred (in the form of specific error code and message) are returned to the client in the response headers: Error-Code and ErrorMessage.

415

Request-ID - Randomly generated identifier for each request (for troubleshooting purposes)

MIME type specified in the request is not supported by the server.
500

Request-ID - Randomly generated identifier for each request (for troubleshooting purposes)

Internal server error occurred
503

Request-ID - Randomly generated identifier for each request (for troubleshooting purposes)

Server is currently unable to process the request. The client should try to repeat its request after some time.

Add Package

Subscription Required

Add new package(s) to an already registered platform instance. If the request is successful, a Platform Membership Certificate is generated for each processor package in Add Request.

POST https://api.trustedservices.intel.com/sgx/registration/v1/package

Request

Headers
Besides headers explicitly mentioned in the table below, the HTTP request may contain standard HTTP headers required in the request (e.g. Content-Length).
Name Required Value Description
Ocp-Apim-Subscription-Key True Subscription key which provides access to this API. It can be found in your Profile.
Content-Type True application/octet-stream MIME type of the request body.
Body

Binary representation of Add Request structure - an opaque blob that represents a request for adding new processors packages to an existing platform instance.

Example Request
curl -H "Content-Type: application/octet-stream" -v --data-binary @add_package -X POST "https://api.trustedservices.intel.com/sgx/registration/v1/package" -H "Ocp-Apim-Subscription-Key: {subscription key}"

Response

Model

In case of 200 HTTP Status Code: Fixed size array (8 elements) containing binary representation of Platform Membership Certificate structures attached to each other.
Certificates are populated sequentialy in the array starting with index 0, rest of the elements in the array is zeroed.

Example Response (hex-encoded)
EBBD00C0EF904910A480F772E7355DB4C90401000000000000000000000000000348E55FE5BB604086B7CFBF7BD00235A1A492C64BDC948CB
35B4D48404BE3CAC68090F19E5D4B985136D9A160B04425B9B709CCD8D46F024EB65330E781312B74D5D1A8BD8F0BCBB9041530E022F24B4B
C9AF1E45F551956633494D924DDC81E546085A340B5D1F58E5BD5726E87238715FDF8133CA1DC4E1304550C1956143932817207F3697DB9C5
A35433FD573CFA4C8494C8C1536E4046CC3507304E5A557A31F7576EE10DC3E2626996EC014CC990AE2CC69095CE933C283FC3A3FB5F02139
BD700FBCB5C1715031F3A810A097479A82D02A38CB7071E72D73DF4B31E9E236E96164DCD175ACBCD68E7EF34FF0EDEF1A28F5B9558A3E90D
662A21A1055F2FEA1D54F4BF3D464EBB02AF1EDD3270F06B64F651CBE06C34E345BFB6BF8FC67B6FE83A697A890EF946C285261D6458F4C7B
18CCAC29841574A7EC62427642FDE7E862C3C387786429B4F3CE7D9509CB7115DAF6E68F0DE426ACF3B87FB3CCC3B3ED33853F8EBC6D3AE82
4471087F5EB3A2EA43F137D6D184D16420042A5C274E22C2846B570D8277E5DCB2EAF285C0DE53F4260B22CBCD63BA07C47861E799A8D18BF
496BC3F89BE7BEB28A2EBD34DA41486B2A183AB568251D2FDC0DEFD88701000100CB0C25CAFDB9C17FC17C6E5F6496EF7276382CAF199CB5B
B3CE3186DE3F35552ED3717ACCB87757126634AF6A3254ADEEDA46C34C1EEA4356A2FD412B07CE57F263749BD5B3D9BA2ED51DBBAED9C9DA1
104EAD2D31432DC19B04E782DB75C616850C2E86DB5390CE946272DD6C7A885D39407A1BCC719C3D05A36BA29FD85A670BCD26B8B943B5B6D
F92FE21AE5935413DC3F1DA53B79DD0730ABB7DF255C895A578F83290F4956DD50F2E367FEF47886EF24A74792C45BE1FA5C2FFC34A47C012
F47BE52FB9635532983CBA4563AB517BB36A6951AE64ABA71919DD8E83A974645A785A2FB889F6DC056DAED2B11F1FDC979E811DBB519DA7C
9154A6584036A44C6E226E1EB8612D1EDA68D242C2E25B64474442F78C4D729AF021790E385794701E7840BECE4833BB58565D36488B8A44A
D9CBF9745D9C28A02108BF24A758B224964ABDEFD01941DB82E5141E39C43D8AA5CA48502813BB7E04173C36C67086B036162EAE860C6DA7F
4688C9699A29A5B72914F225308002BC00EE571C0A201000100A33178AD01C653A70C05C83203C2285A6FD93B64E379421F47086B841C682D
9D0F6BC2AC11FE3C6D01ADF99BBD6F46C9A77F5C79EFBDB17D65E671ACB4FD8800B8E481CE680D7450EE7BC19B429648B7B44A5D550FFB41B
F8B393D1C3729F7AF7549EEA0661EBF9B0895B9DAFFB3A41E29B119E409A2E31B8BE30D7A714C79976BA9A8051322C12B281F40A3003995E9
756134B803DEC923BF984776F966564F71CCA014C63DF6EC4277B3C0A690EC8FFFD89B5FC9A63DF37B902A4D25F17A55886D0E441318E9905
B2DC0D1B2BF4562D610E234FF829424926F10FB1F60371E7E433E84B854B094A5C7321ADFEBBF934FB3271515A62D441421D7ED96D46B68A2
FAAACC045FFC8E0DA9D17C5DEBE217C762F23AD6AC3FBE7E7E71BB5228A5D6F5C098C509D975E8FE15EE8FDA956D3334BDC1CFE428DC0E8F9
C799831094346A45F4C4D1B961BFC07A4FBC89DEA759DA92447B2026B49B8A7BE428F58051A8C08DFE6B82FBE7457DCFD45A45FDD7C2477CC
CDA8FFF760AA0F126B7F0ED58E510000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
...
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Status Codes
Status Code Headers Body Description
200

Content-Type - MIME type of the response body. Value is "application/octet-stream".

Request-ID - Randomly generated identifier for each request (for troubleshooting purposes)

Certificate-Count - Number of Platform Membership Certificates returned in response body.

Fixed size array (8 elements) containing binary representation of Platform Membership Certificate structures attached to each other. Certificates are populated sequentialy in the array starting with index 0, rest of the elements in the array is zeroed.

Operation successful. Packages have been added to an existing platform instance.
400

Request-ID - Randomly generated identifier for each request (for troubleshooting purposes)

Error-Code and Error-Message:

  • InvalidRequestSyntax - The request could not be understood by the server due to malformed syntax.
  • PlatformNotFound - The request was rejected by the server as provided platform instance is not recognized by the server.
  • InvalidOrRevokedPackage - The request was rejected by the server due to invalid or revoked processor package.
  • PackageNotFound - The request was rejected by the server as at least one of the processor packages could not be recognized by the server.
  • InvalidAddRequest - The request was rejected by the server as the AddRequest was invalid.

Invalid Add Request Payload. The client should not repeat the request without modifications.

Additional details about the error condition that occurred (in the form of specific error code and message) are returned to the client in the response headers: Error-Code and Error-Message.

401

Request-ID - Randomly generated identifier for each request (for troubleshooting purposes)

Failed to authenticate or authorize the request
415

Request-ID - Randomly generated identifier for each request (for troubleshooting purposes)

MIME type specified in the request is not supported by the server.
500

Request-ID - Randomly generated identifier for each request (for troubleshooting purposes)

Internal server error occurred
503

Request-ID - Randomly generated identifier for each request (for troubleshooting purposes)

Server is currently unable to process the request

Intel SGX Provisioning Certification Service for ECDSA Attestation

Get PCK Certificate V3

Subscription Required

The Get PCK Certificate API allows requesting a single PCK certificate by specifying the platform's PPID (single-socket and multi-socket platforms) or Platform Manifest (multi-socket platforms only) and a set of SVNs.

Get PCK Certificate using PPID and SVNs is available for:

  • single-socket platforms - using this API does not require any prerequisites.
  • multi-socket platforms - using this API requires previous Platform Manifest registration using Register Platform API exposed by Registration Service. Using this flow requires that platform root keys for a given platform are persistently stored in the backend (Registration Service). While issuing a PCK Certificate, Provisioning Certification Service uses a PCK public key derrived by Registration Service based on stored platform root keys. Keys Caching Policy for a platform using this API must be set to 'true'.

Get PCK Certificate using Platform Manifest and SVNs is available for:

  • multi-socket platforms - using this API does not require previous Platform Manifest registration using Registration Service. Using this flow does not require that platform root keys for a given platform are persistently stored in the backend (Registration Service). While issuing a PCK Certificate, Provisioning Certification Service uses a PCK public key derived by Registration Service based on platform root keys in the provided Platform Manifest. Depending on the Keys Caching Policy set for a given platform, platform root keys from the Platform Manifest will be either stored or not stored in the backend.

Setting Key Caching Policy for multi-socket platforms:

  • if you register Platform Manifest directly via Register Platform API exposed by Registration Service first (so called direct registration), Key Caching Policy will be set to always store platform root keys for given platform. The keys will be stored when Platform Manifest is sent to the backend (either via Register Platform API or via Get PCK Certificate(s) using Platform Manifest). The fact of storing keys in the backend is reflected by CachedKeys flag in PCK Certificates set to 'true'.
  • if you register Platform Manifest indirectly via Get PCK Certificate(s) using Platform Manifest API exposed by Provisioning Certification Service first (so called indirect registration), Key Caching Policy will be set to never store platform root keys for given platform. Platform root keys are discarded immediately after the PCK key is derived. However, the standard platform metadata is stored. In this case, Register Platform API exposed by Registration Service cannot be used anymore. The fact of NOT storing keys in the backend is reflected by CachedKeys flag in PCK Certificates set to 'false'.

NOTICE: When you use that single PCK Certificate, the PCS will return the PCK Certificate that represents the TCB level with the highest security posture based on the SGX patching level applied to the platform. The platform’s patching level is represented by the following inputs: CPUSVN and PCE ISVSVN.

GEThttps://api.trustedservices.intel.com/sgx/certification/v3/pckcert

Request

Name Type Request Type Required Pattern Description
Ocp-Apim-Subscription-Key String Header True Subscription key which provides access to this API. It can be found in your Profile.
PPID-Encryption-Key String Header False Type of key used to encrypt PPID.If not specified, “RSA-3072” will be used as default. Currently supported values: “RSA-3072”
encrypted_ppid String Query True ^[0-9a-fA-F]{768}$ Base16-encoded PPID encrypted with PPIDEK (384 bytes, byte array)
cpusvn String Query True ^[0-9a-fA-F]{32}$ Base16-encoded CPUSVN value (16 bytes, byte array)
pcesvn String Query True ^[0-9a-fA-F]{4}$ Base16-encoded PCESVN value (2 bytes, little endian)
pceid String Query True ^[0-9a-fA-F]{4}$ Base16-encoded PCE-ID value (2 bytes, little endian)
Example Request
curl -v -X GET "https://api.trustedservices.intel.com/sgx/certification/v3/pckcert?encrypted_ppid={}&cpusvn={}&pcesvn={}&pceid={}" -H "Ocp-Apim-Subscription-Key: {subscription key}" 

POST https://api.trustedservices.intel.com/sgx/certification/v3/pckcert

Request

Name Type Request Type Required Pattern Description
Ocp-Apim-Subscription-Key String Header True Subscription key which provides access to this API. It can be found in your Profile.
Content-Type String Header True Content Type key which is corresponding to body format application/json.
platformManifest String Body Field True ^[0-9a-fA-F]{16862,112884}$ Base 16-encoded representation of Platform Manifest.
cpusvn String Body Field True ^[0-9a-fA-F]{32}$ Base16-encoded CPUSVN value (16 bytes, byte array)
pcesvn String Body Field True ^[0-9a-fA-F]{4}$ Base16-encoded PCESVN value (2 bytes, little endian)
pceid String Body Field True ^[0-9a-fA-F]{4}$ Base16-encoded PCE-ID value (2 bytes, little endian)
Body
{
    "platformManifest":"...",
    "cpusvn":"...",
    "pcesvn":"...",
    "pceid":"..."
}
                        
Example Request
curl -v --data '{"platformManifest":"...", "cpusvn":"...", "pcesvn":"...", "pceid":"..."}' -X POST "https://api.trustedservices.intel.com/sgx/certification/v3/pckcert" -H "Ocp-Apim-Subscription-Key: {subscription key}" -H "Content-Type: application/json" 

Response

Model

PckCert (X-PEM-FILE) - PEM-encoded representation of SGX PCK Certificate in case of success (200 HTTP status code)

Example Response
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
                            
Status Codes
Code Model Headers Description
200 PckCert

Content-Type (String) - application/x-pem-file

Request-ID (String) - Randomly generated identifier for each request (for troubleshooting purposes)

SGX-PCK-Certificate-Issuer-Chain (String) - URL-encoded Issuer Certificate chain for SGX PCK Certificate in PEM format. It consists of SGX Root CA Certificate and SGX Intermediate CA Certificate (Processor CA, Platform CA). Note: This header contains chain of certificates with CRL Distribution Point URL pointing to DER-encoded CRL.

SGX-TCBm (String) - Hex-encoded string representation of concatenation of CPUSVN (16 bytes) and PCESVN (2 bytes) as returned in corresponding SGX PCK Certificate

SGX-FMSPC (String) - Hex-encoded string representation of FMSPC (6 bytes).

SGX-PCK-Certificate-CA-Type - Type of the SGX Intermediate CA that issued the requested SGX PCK Certificate. One of the following values:

  • “processor” indicates a certificate issued by Intel SGX Processor CA.
  • “platform” indicates a certificate issued by Intel SGX Platform CA.

Operation successful
400

Request-ID (String) - Randomly generated identifier for each request (for troubleshooting purposes)

Invalid request parameters.
401

Request-ID (String) - Randomly generated identifier for each request (for troubleshooting purposes)

Failed to authenticate or authorize the request
404

Request-ID (String) - Randomly generated identifier for each request (for troubleshooting purposes)

PCK Certificate for provided {ppid}, {cpusvn}, {pcesvn} and {pceid} cannot be found. In case of a multi-package platform that may indicate that that an updated Platform Manifest has not been provided to the backend after a TCB recovery event.
500

Request-ID (String) - Randomly generated identifier for each request (for troubleshooting purposes)

Internal server error occurred
503

Request-ID (String) - Randomly generated identifier for each request (for troubleshooting purposes)

Server is currently unable to process the request

Get PCK Certificates V3

Subscription Required

The Get PCK Certificates API allows requesting PCK certificates for all configured TCB levels for given platform by specifying the platform's PPID (single-socket and multi-socket platforms) or Platform Manifest (multi-socket platforms only).

Get PCK Certificates using PPID is available for:

  • single-socket platforms - using this API does not require any prerequisites.
  • multi-socket platforms - using this API requires previous Platform Manifest registration using Register Platform API exposed by Registration Service. Using this flow requires that platform root keys for a given platform are persistently stored in the backend (Registration Service). While issuing PCK Certificates, Provisioning Certification Service uses PCK public keys derrived by Registration Service based on stored platform root keys. Keys Caching Policy for a platform using this API must be set to 'true'.

Get PCK Certificates using Platform Manifest is available for:

  • multi-socket platforms - using this API does not require previous Platform Manifest registration using Registration Service. Using this flow does not require that platform root keys for a given platform are persistently stored in the backend (Registration Service). While issuing PCK Certificates, Provisioning Certification Service uses PCK public keys derrived by Registration Service based on platform root keys in the provided Platform Manifest. Depending on the Keys Caching Policy set for a given platform, platform root keys from the Platform Manifest will be either stored or not stored in the backend.

Setting Key Caching Policy for multi-socket platforms:

  • if you register Platform Manifest directly via Register Platform API exposed by Registration Service first (so called direct registration), Key Caching Policy will be set to always store platform root keys for given platform. The keys will be stored when Platform Manifest is sent to the backend (either via Register Platform API or via Get PCK Certificate(s) using Platform Manifest). The fact of storing keys in the backend is reflected by CachedKeys flag in PCK Certificates set to 'true'.
  • if you register Platform Manifest indirectly via Get PCK Certificate(s) using Platform Manifest API exposed by Provisioning Certification Service first (so called indirect registration), Key Caching Policy will be set to never store platform root keys for given platform. Platform root keys are discarded immediately after the PCK key is derived. However, the standard platform metadata is stored. In this case, Register Platform API exposed by Registration Service cannot be used anymore. The fact of NOT storing keys in the backend is reflected by CachedKeys flag in PCK Certificates set to 'false'.

GET https://api.trustedservices.intel.com/sgx/certification/v3/pckcerts

Retrieve X.509 Provisioning Certification Key (PCK) certificates for SGX-enabled platform for all configured TCB levels based on encrypted PPID and PCE-ID (supports both single and multi-package platforms).

Request

Name Type Request Type Required Pattern Description
Ocp-Apim-Subscription-Key String Header True Subscription key which provides access to this API. It can be found in your Profile.
PPID-Encryption-Key String Header False Type of key used to encrypt PPID.If not specified, “RSA-3072” will be used as default. Currently supported values: “RSA-3072”
encrypted_ppid String Query True ^[0-9a-fA-F]{768}$ Base16-encoded PPID encrypted with PPIDEK (384 bytes, byte array)
pceid String Query True ^[0-9a-fA-F]{4}$ Base16-encoded PCE-ID value (2 bytes, little endian)
Example Request
curl -v -X GET "https://api.trustedservices.intel.com/sgx/certification/v3/pckcerts?encrypted_ppid={}&pceid={}" -H "Ocp-Apim-Subscription-Key: {subscription key}" 

POST https://api.trustedservices.intel.com/sgx/certification/v3/pckcerts

Retrieve X.509 Provisioning Certification Key (PCK) certificates for SGX-enabled platform for all configured TCB levels based on Platform Manifest and PCE-ID (supports multi-package platforms only).

Request

Name Type Request Type Required Pattern Description
Ocp-Apim-Subscription-Key String Header True Subscription key which provides access to this API. It can be found in your Profile.
Content-Type String Header True Content Type key which is corresponding to body format application/json.
platformManifest String Body Field True ^[0-9a-fA-F]{16862,112884}$ Base 16-encoded representation of Platform Manifest.
pceid String Body Field True ^[0-9a-fA-F]{4}$ Base16-encoded PCE-ID value (2 bytes, little endian)
Body
{
    "platformManifest":"...",
    "pceid":"..."
}
                        
Example Request
curl -v --data '{"platformManifest":"...", "pceid":"..."}' -X POST "https://api.trustedservices.intel.com/sgx/certification/v3/pckcerts" -H "Ocp-Apim-Subscription-Key: {subscription key}" -H "Content-Type: application/json" 

POST https://api.trustedservices.intel.com/sgx/certification/v3/pckcerts/config

Retrieve X.509 Provisioning Certification Key (PCK) certificates for SGX-enabled platform with a specific configuration reflected in a raw CPUSVN retrieved from the platform (supports multi-package platforms only).

Request

Name Type Request Type Required Pattern Description
Ocp-Apim-Subscription-Key String Header True Subscription key which provides access to this API. It can be found in your Profile.
Content-Type String Header True Content Type key which is corresponding to body format application/json.
platformManifest String Body Field True ^[0-9a-fA-F]{16862,112884}$ Base 16-encoded representation of Platform Manifest.
cpusvn String Body Field True ^[0-9a-fA-F]{32}$ Base16-encoded CPUSVN value (16 bytes, byte array)
pceid String Body Field True ^[0-9a-fA-F]{4}$ Base16-encoded PCE-ID value (2 bytes, little endian)
Body
{
    "platformManifest":"...",
    "cpusvn":"...",
    "pceid":"..."
}
                        
Example Request
curl -v --data '{"platformManifest":"...", "pceid":"...", "cpusvn":"..."}' -X POST "https://api.trustedservices.intel.com/sgx/certification/v3/pckcerts/config" -H "Ocp-Apim-Subscription-Key: {subscription key}" -H "Content-Type: application/json" 

Response

Model

PckCerts (JSON) - Array of data structures consisting of tcb, tcbm and certificate encoded as JSON string in case of success (200 HTTP status code)

PckCerts:
        type: array
        description: >-
            Array of data structures consisting of tcb, tcbm and certificate
            encoded as JSON string in case of success (200 HTTP status code)
        items:
            type: object
            properties:
                tcb:
                    type: object
                    properties:
                        sgxtcbcomp01svn:
                            type: integer
                            example: 0
                            minimum: 0
                            maximum: 255
                        sgxtcbcomp02svn:
                            type: integer
                            example: 0
                            minimum: 0
                            maximum: 255
                        sgxtcbcomp03svn:
                            type: integer
                            example: 0
                            minimum: 0
                            maximum: 255
                        sgxtcbcomp04svn:
                            type: integer
                            example: 0
                            minimum: 0
                            maximum: 255
                        sgxtcbcomp05svn:
                            type: integer
                            example: 0
                            minimum: 0
                            maximum: 255
                        sgxtcbcomp06svn:
                            type: integer
                            example: 0
                            minimum: 0
                            maximum: 255
                        sgxtcbcomp07svn:
                            type: integer
                            example: 0
                            minimum: 0
                            maximum: 255
                        sgxtcbcomp08svn:
                            type: integer
                            example: 0
                            minimum: 0
                            maximum: 255
                        sgxtcbcomp09svn:
                            type: integer
                            example: 0
                            minimum: 0
                            maximum: 255
                        sgxtcbcomp10svn:
                            type: integer
                            example: 0
                            minimum: 0
                            maximum: 255
                        sgxtcbcomp11svn:
                            type: integer
                            example: 0
                            minimum: 0
                            maximum: 255
                        sgxtcbcomp12svn:
                            type: integer
                            example: 0
                            minimum: 0
                            maximum: 255
                        sgxtcbcomp13svn:
                            type: integer
                            example: 0
                            minimum: 0
                            maximum: 255
                        sgxtcbcomp14svn:
                            type: integer
                            example: 0
                            minimum: 0
                            maximum: 255
                        sgxtcbcomp15svn:
                            type: integer
                            example: 0
                            minimum: 0
                            maximum: 255
                        sgxtcbcomp16svn:
                            type: integer
                            example: 0
                            minimum: 0
                            maximum: 255
                        pcesvn:
                            type: integer
                            example: 0
                            minimum: 0
                            maximum: 65535
                tcbm:
                    type: string
                    description: >-
                        Hex-encoded string representation of concatenation of
                        CPUSVN (16 bytes) and PCESVN (2 bytes) as returned in
                        corresponding SGX PCK Certificate
                    pattern: '^[0-9a-fA-F]{36}$'
                    example: '000000000000000000000000000000000000'
                cert:
                    type: string
                    description: >-
                        URL encoded SGX PCK Certificate in PEM format for given TCB
                        or “Not available” string if the certificate is not available for given TCB.
                        The certificate may not be available for given TCB
                        in case an updated Platform Manifest for a multi-package platform
                        have not been provided to the backend after a TCB recovery
                        (either via direct or indirect registration).
                    example: >-
                        -----BEGIN%20CERTIFICATE-----
                        %0AMIIE8DCCBJagAwIBAgIVAIx6%2FEOyg7ZDHYYaL6Z5iqyMdMpjMAoGCCqGSM49BAMCMHAxIj
                        AgBgNV%0ABAMMGUludGVsIFNHWCBQQ0sgUGxhdGZvcm0gQ0ExGjAYBgNVBAoMEUludGVsIENvcn
                        BvcmF0aW9u%0AMRQwEgYDVQQHDAtTYW50YSBDbGFyYTELMAkGA1UECAwCQ0ExCzAJBgNVBAYTAl
                        VTMB4XDTIwMDcy%0ANzA4NDczOFoXDTI3MDcyNzA4NDczOFowcDEiMCAGA1UEAwwZSW50ZWwgU0
                        dYIFBDSyBDZXJ0aWZp%0AY2F0ZTEaMBgGA1UECgwRSW50ZWwgQ29ycG9yYXRpb24xFDASBgNVBA
                        cMC1NhbnRhIENsYXJhMQsw%0ACQYDVQQIDAJDQTELMAkGA1UEBhMCVVMwWTATBgcqhkjOPQIBBg
                        gqhkjOPQMBBwNCAAQgWNUqMBKh%0Alrouhd5SiIBmTo8N2xPyhz215ho9SqCv00Us%2B6EcxpfH
                        Xp%2BYAAATDNVqlECXoSIxnOK4RsbY0S%2FL%0Ao4IDCzCCAwcwHwYDVR0jBBgwFoAU7bmCA3Tz
                        blbsRZSTub7BGnDEPbQwYgYDVR0fBFswWTBXoFWg%0AU4ZRaHR0cHM6Ly9wcmUxMy1ncmVlbi1w
                        Y3Muc2d4bnAuYWRzZGNzcC5jb20vc2d4L2NlcnRpZmlj%0AYXRpb24vdjEvcGNrY3JsP2NhPXBs
                        YXRmb3JtMB0GA1UdDgQWBBTbgGt0tP%2BaSI89ptnNDwof4bHa%0ASzAOBgNVHQ8BAf8EBAMCBs
                        AwDAYDVR0TAQH%2FBAIwADCCAkEGCSqGSIb4TQENAQSCAjIwggIuMB4G%0ACiqGSIb4TQENAQEE
                        EK4HEak9TrzqF3358MLSuggwggFrBgoqhkiG%2BE0BDQECMIIBWzAQBgsqhkiG%0A%2BE0BDQEC
                        AQIBADARBgsqhkiG%2BE0BDQECAgICAPAwEAYLKoZIhvhNAQ0BAgMCAXswEAYLKoZIhvhN%0AAQ
                        0BAgQCAVowEAYLKoZIhvhNAQ0BAgUCAXUwEQYLKoZIhvhNAQ0BAgYCAgDtMBEGCyqGSIb4TQEN%
                        0AAQIHAgIAiDAQBgsqhkiG%2BE0BDQECCAIBBjARBgsqhkiG%2BE0BDQECCQICAMQwEAYLKoZIh
                        vhNAQ0B%0AAgoCAWowEAYLKoZIhvhNAQ0BAgsCARwwEAYLKoZIhvhNAQ0BAgwCAXMwEAYLKoZIh
                        vhNAQ0BAg0C%0AAVIwEQYLKoZIhvhNAQ0BAg4CAgCdMBEGCyqGSIb4TQENAQIPAgIAljARBgsqh
                        kiG%2BE0BDQECEAIC%0AAJswEQYLKoZIhvhNAQ0BAhECAkztMB8GCyqGSIb4TQENAQISBBAA8Ht
                        ade2IBsRqHHNSnZabMBAG%0ACiqGSIb4TQENAQMEAgAAMBQGCiqGSIb4TQENAQQEBo%2F8CgIAA
                        DAPBgoqhkiG%2BE0BDQEFCgEBMB4G%0ACiqGSIb4TQENAQYEEDhymiRlB1pOAOALuVr4fOswRAY
                        KKoZIhvhNAQ0BBzA2MBAGCyqGSIb4TQEN%0AAQcBAQH%2FMBAGCyqGSIb4TQENAQcCAQH%2FMBA
                        GCyqGSIb4TQENAQcDAQH%2FMAoGCCqGSM49BAMCA0gA%0AMEUCIQCYzJBFtntwahPzxlDyi1HvP
                        SNYQM%2F8nT4FedqhSyCzNAIgNCHbVVscxqxLsMeaDhT%2Bsjki%0AT57%2BUJFdNYTUSou15ks
                        %3D%0A
                        -----END%20CERTIFICATE-----
                        
Example Response
[
   {
	  "tcb":{
		 "sgxtcbcomp01svn":0,
		 "sgxtcbcomp02svn":0,
		 "sgxtcbcomp03svn":0,
		 "sgxtcbcomp04svn":0,
		 "sgxtcbcomp05svn":0,
		 "sgxtcbcomp06svn":0,
		 "sgxtcbcomp07svn":0,
		 "sgxtcbcomp08svn":0,
		 "sgxtcbcomp09svn":0,
		 "sgxtcbcomp10svn":0,
		 "sgxtcbcomp11svn":0,
		 "sgxtcbcomp12svn":0,
		 "sgxtcbcomp13svn":0,
		 "sgxtcbcomp14svn":0,
		 "sgxtcbcomp15svn":0,
		 "sgxtcbcomp16svn":0,
		 "pcesvn":0
	  },
	  "tcbm":"000000000000000000000000000000000000",
	  "cert":"-----BEGIN%20CERTIFICATE-----%0A...%3D%3D%0A-----END%20CERTIFICATE-----"
   }
]
                            
Status Codes
Code Model Headers Description
200 PckCerts

Content-Type (String) - application/json

Request-ID (String) - Randomly generated identifier for each request (for troubleshooting purposes)

SGX-PCK-Certificate-Issuer-Chain (String) - Issuer Certificate chain for SGX PCK Certificates. It consists of SGX Root CA Certificate and SGX Intermediate CA Certificate (Processor CA, Platform CA). Note: This header contains chain of certificates with CRL Distribution Point URL pointing to DER-encoded CRL.

SGX-FMSPC (String) - Hex-encoded string representation of FMSPC (6 bytes).

SGX-PCK-Certificate-CA-Type - Type of the SGX Intermediate CA that issued the requested SGX PCK Certificate. One of the following values:

  • “processor” indicates a certificate issued by Intel SGX Processor CA.
  • “platform” indicates a certificate issued by Intel SGX Platform CA.

Operation successful.
400

Request-ID (String) - Randomly generated identifier for each request (for troubleshooting purposes)

Invalid request parameters.
401

Request-ID (String) - Randomly generated identifier for each request (for troubleshooting purposes)

Failed to authenticate or authorize the request
404

Request-ID (String) - Randomly generated identifier for each request (for troubleshooting purposes)

No PCK Certificate for provided {ppid} and {pceid} cannot be found.
500

Request-ID (String) - Randomly generated identifier for each request (for troubleshooting purposes)

Internal server error occurred
503

Request-ID (String) - Randomly generated identifier for each request (for troubleshooting purposes)

Server is currently unable to process the request

Get Revocation List V3

Retrieve X.509 Certificate Revocation List with revoked SGX PCK Certificates. CRL is issued by Intel SGX Processor CA or Platform CA.

GET https://api.trustedservices.intel.com/sgx/certification/v3/pckcrl

Request

Name Type Request Type Required Pattern Description
ca String Query True Enum: processor,platform Identifier of the CA that issued the requested CRL Allowed value are “processor”, "platform" indicates CRL issued by Intel SGX Processor CA or Platform CA
encoding String Query False Enum: pem,der Optional identifier of the encoding for the requested CRL. If the perameter is not provided, PEM encoding is assumed
Example Request
curl -v -X GET "https://api.trustedservices.intel.com/sgx/certification/v3/pckcrl?ca={}&encoding={}" 

Response

Model

PckCrl (X-PEM-FILE, PKIX-CRL) - PEM or DER-encoded representation of SGX Platform CA CRL or SGX Processor CA CRL in case of success (200 HTTP status code).

Example Response
-----BEGIN X509 CRL-----
...
-----END X509 CRL-----
                            
Status Codes
Code Model Headers Description
200 PckCrl

Content-Type (String) - The value depends on the encoding of CRL:

  • PEM: “application/x-pem-file”
  • DER: “application/pkix-crl”

Request-ID (String) - Randomly generated identifier for each request (for troubleshooting purposes)

SGX-PCK-CRL-Issuer-Chain (String) - Issuer Certificate chain for SGX PCK CRL. It consists of SGX Root CA Certificate and SGX Intermediate CA Certificate (Processor CA, Platform CA). Note: This header contains chain of certificates with CRL Distribution Point URL pointing to DER-encoded CRL.

Operation successful.
400

Request-ID (String) - Randomly generated identifier for each request (for troubleshooting purposes)

Invalid request parameters.
401

Request-ID (String) - Randomly generated identifier for each request (for troubleshooting purposes)

Failed to authenticate or authorize the request
500

Request-ID (String) - Randomly generated identifier for each request (for troubleshooting purposes)

Internal server error occurred
503

Request-ID (String) - Randomly generated identifier for each request (for troubleshooting purposes)

Server is currently unable to process the request

Get TCB Info V3

Retrieve SGX TCB information for given FMSPC

Determining the status of a TCB level for a given platform needs to be done using TCB information according to the following algorithm:

  1. Retrieve FMSPC value from SGX PCK Certificate assigned to a given platform.
  2. Retrieve TCB Info matching the FMSPC value.
  3. Go over the sorted collection of TCB Levels retrieved from TCB Info starting from the first item on the list:
    1. Compare all of the SGX TCB Comp SVNs retrieved from the SGX PCK Certificate (from 01 to 16) with the corresponding values in the TCB Level. If all SGX TCB Comp SVNs in the certificate are greater or equal to the corresponding values in TCB Level, go to 3.b, otherwise move to the next item on TCB Levels list.
    2. Compare PCESVN value retrieved from the SGX PCK certificate with the corresponding value in the TCB Level. If it is greater or equal to the value in TCB Level, read status assigned to this TCB level. Otherwise, move to the next item on TCB Levels list.
  4. If no TCB level matches your SGX PCK Certificate, your TCB Level is not supported.

GET https://api.trustedservices.intel.com/sgx/certification/v3/tcb

Request

Name Type Request Type Required Pattern Description
fmspc String Query True ^[0-9a-fA-F]{12}$ Base16-encoded FMSPC value (6 bytes, byte array)
Example Request
curl -v -X GET "https://api.trustedservices.intel.com/sgx/certification/v3/tcb?fmspc={}" 

Response

Model

TcbInfoV2 (JSON) - SGX TCB Info encoded as JSON string in case of success (200 HTTP status code)

TcbInfoV2:
	type: object
	description: >-
		SGX TCB Info encoded as JSON string in case of success (200 HTTP
		status code)
	properties:
		tcbInfo:
			type: object
			properties:
				version:
					type: integer
					example: 2
					description: Version of the structure
				issueDate:
					type: string
					format: date-time
					description: >-
						Representation of date and time the TCB information
						was created. The time shall be in UTC and the
						encoding shall be compliant to ISO 8601 standard
						(YYYY-MM-DDThh:mm:ssZ)
				nextUpdate:
					type: string
					format: date-time
					description: >-
						Representation of date and time by which next TCB
						information will be issued. The time shall be in UTC
						and the encoding shall be compliant to ISO 8601
						standard (YYYY-MM-DDThh:mm:ssZ)
				fmspc:
					type: string
					pattern: ^[0-9a-fA-F]{12}$
					example: '000000000000'
					description: >-
						Base 16-encoded string representation of FMSPC
						(Family-Model-Stepping-Platform-CustomSKU)
				pceId:
					type: string
					pattern: ^[0-9a-fA-F]{4}$
					example: '0000'
					description: Base 16-encoded string representation of PCE identifier
				tcbType:
					type: integer
					example: 0
					description: >-
						Type of TCB level composition that determines TCB
						level comparison logic
				tcbEvaluationDataNumber:
					type: integer
					example: 2
					description: >-
						A monotonically increasing sequence number changed
						when Intel updates the content of the TCB evaluation data
						set: TCB Info, QE Idenity and QVE Identity. The tcbEvaluationDataNumber
						update is synchronized across TCB Info for all flavors of
						SGX CPUs (Family-Model-Stepping-Platform-CustomSKU) and QE/QVE
						Identity. This sequence number allows users to easily determine
						when a particular TCB Info/QE Idenity/QVE Identiy superseedes
						another TCB Info/QE Identity/QVE Identity (value: current
						TCB Recovery event number stored in the database).
				tcbLevels:
					type: array
					description: >-
						Sorted list of supported TCB levels for given FMSPC
						encoded as a JSON array of TCB level objects
					items:
						type: object
						properties:
							tcb:
								type: object
								properties:
									pcesvn:
										type: integer
										example: 0
										minimum: 0
										maximum: 65535
									sgxtcbcomp01svn:
										type: integer
										example: 0
										minimum: 0
										maximum: 255
									sgxtcbcomp02svn:
										type: integer
										example: 0
										minimum: 0
										maximum: 255
									sgxtcbcomp03svn:
										type: integer
										example: 0
										minimum: 0
										maximum: 255
									sgxtcbcomp04svn:
										type: integer
										example: 0
										minimum: 0
										maximum: 255
									sgxtcbcomp05svn:
										type: integer
										example: 0
										minimum: 0
										maximum: 255
									sgxtcbcomp06svn:
										type: integer
										example: 0
										minimum: 0
										maximum: 255
									sgxtcbcomp07svn:
										type: integer
										example: 0
										minimum: 0
										maximum: 255
									sgxtcbcomp08svn:
										type: integer
										example: 0
										minimum: 0
										maximum: 255
									sgxtcbcomp09svn:
										type: integer
										example: 0
										minimum: 0
										maximum: 255
									sgxtcbcomp10svn:
										type: integer
										example: 0
										minimum: 0
										maximum: 255
									sgxtcbcomp11svn:
										type: integer
										example: 0
										minimum: 0
										maximum: 255
									sgxtcbcomp12svn:
										type: integer
										example: 0
										minimum: 0
										maximum: 255
									sgxtcbcomp13svn:
										type: integer
										example: 0
										minimum: 0
										maximum: 255
									sgxtcbcomp14svn:
										type: integer
										example: 0
										minimum: 0
										maximum: 255
									sgxtcbcomp15svn:
										type: integer
										example: 0
										minimum: 0
										maximum: 255
									sgxtcbcomp16svn:
										type: integer
										example: 0
										minimum: 0
										maximum: 255
							tcbDate:
								type: string
								format: date-time
								description: >-
									Representation of date and time when
									the TCB level was certified not to be vulnerable
									to any issues described in SAs that were originally published
									on or prior to this date.

									The time shall be in UTC and the encoding shall
									be compliant to ISO 8601 standard (YYYY-MM-DDThh:mm:ssZ).
							tcbStatus:
								type: string
								enum:
									- UpToDate
									- SWHardeningNeeded
									- ConfigurationNeeded
									- ConfigurationAndSWHardeningNeeded
									- OutOfDate
									- OutOfDateConfigurationNeeded
									- Revoked
								description: >-
									TCB level status. One of the following values:

									"UpToDate" - TCB level of the SGX platform is up-to-date.

									"SWHardeningNeeded" - TCB level of the SGX platform
									is up-to-date but due to certain issues affecting the
									platform, additional SW Hardening in the attesting
									SGX enclaves may be needed.

									"ConfigurationNeeded" - TCB level of the SGX platform
									is up-to-date but additional configuration of SGX
									platform may be needed.

									"ConfigurationAndSWHardeningNeeded" - TCB level of the
									SGX platform is up-to-date but additional configuration
									for the platform and SW Hardening in the attesting SGX
									enclaves may be needed.

									"OutOfDate" - TCB level of SGX platform is outdated.

									"OutOfDateConfigurationNeeded" - TCB level of SGX
									platform is outdated and additional configuration
									of SGX platform may be needed.

									"Revoked" - TCB level of SGX platform is revoked.
									The platform is not trustworthy.
							advisoryIDs:
								type: array
								description: >-
									Array of Advisory IDs describing vulnerabilities
									that this TCB level is vulnerable to.

									Note: The value can be different for different
									FMSPCs.

									This field is optional. It will be present only
									if the list of Advisory IDs is not empty.
								items:
									type: string
		signature:
			type: string
			description: >-
				Base 16-encoded string representation of signature calculated over tcbInfo
				body without whitespaces using TCB Signing Key
				i.e:
				{"version":2,"issueDate":"2019-07-30T12:00:00Z","nextUpdate":"2019-08-30T12:00:00Z",...}
                            
Example Response
{
   "tcbInfo":{
	  "version":2,
	  "issueDate":"2019-07-30T12:00:00Z",
	  "nextUpdate":"2019-08-30T12:00:00Z",
	  "fmspc":"000000000000",
	  "pceId":"0000",
	  "tcbType": 0,
	  "tcbEvaluationDataNumber": 2,
	  "tcbLevels":[
		 {
			"tcb":{
			   "sgxtcbcomp01svn":0,
			   "sgxtcbcomp02svn":0,
			   "sgxtcbcomp03svn":0,
			   "sgxtcbcomp04svn":0,
			   "sgxtcbcomp05svn":0,
			   "sgxtcbcomp06svn":0,
			   "sgxtcbcomp07svn":0,
			   "sgxtcbcomp08svn":0,
			   "sgxtcbcomp09svn":0,
			   "sgxtcbcomp10svn":0,
			   "sgxtcbcomp11svn":0,
			   "sgxtcbcomp12svn":0,
			   "sgxtcbcomp13svn":0,
			   "sgxtcbcomp14svn":0,
			   "sgxtcbcomp15svn":0,
			   "sgxtcbcomp16svn":0,
			   "pcesvn":0
			},
			"tcbDate":"2019-07-11T12:00:00Z",
			"tcbStatus": "UpToDate",
			"advisoryIDs": ["INTEL-SA-00079", "INTEL-SA-00076"]
		 }
	  ]
   },
   "signature":"e45785756a06abfabb2eb6481c3b67c8a0729142e10e06e6415948a88e2f2e773bb2ff9f513ec32e4c5afb15883ab653393f8082f69b69ba19a2a21e3eefee7c"
}
                            
Status Codes
Code Model Headers Description
200 TcbInfoV2

Content-Type (String) - application/json

Request-ID (String) - Randomly generated identifier for each request (for troubleshooting purposes)

SGX-TCB-Info-Issuer-Chain (String) - Issuer Certificate chain for SGX TCB Info in PEM format. It consists of SGX TCB Signing Certificate and SGX Root CA Certificate. Note: This header contains chain of certificates with CRL Distribution Point URL pointing to DER-encoded CRL.

Operation successful
400

Request-ID (String) - Randomly generated identifier for each request (for troubleshooting purposes)

Invalid request parameters.
401

Request-ID (String) - Randomly generated identifier for each request (for troubleshooting purposes)

Failed to authenticate or authorize the request
404

Request-ID (String) - Randomly generated identifier for each request (for troubleshooting purposes)

TCB information for provided {fmspc} cannot be found.
500

Request-ID (String) - Randomly generated identifier for each request (for troubleshooting purposes)

Internal server error occurred
503

Request-ID (String) - Randomly generated identifier for each request (for troubleshooting purposes)

Server is currently unable to process the request

Get Quoting Enclave Identity V3

Determining if the identity of a SGX Enclave (represented by SGX Enclave Report) matches a valid, up-to-date Quoting Enclave issued by Intel requires following steps:

  1. Retrieve Quoting Enclave Identity from PCS and verify that it is a valid structure issued by Intel.
  2. Perform the following comparison of SGX Enclave Report against the retrieved QE Identity:
    1. Verify if MRSIGNER field retrieved from SGX Enclave Report is equal to the value of mrsigner field in QE Identity.
    2. Verify if ISVPRODID field retrieved from SGX Enclave Report is equal to the value of isvprodid field in QE Identity.
    3. Apply miscselectMask (binary mask) from QE Identity to MISCSELECT field retrieved from SGX Enclave Report. Verify if the outcome (miscselectMask & MISCSELECT) is equal to the value of miscselect field in QE Identity.
    4. Apply attributesMask (binary mask) from QE Identity to ATTRIBUTES field retrieved from SGX Enclave Report. Verify if the outcome (attributesMask & ATTRIBUTES) is equal to the value of attributes field in QE Identity.
  3. If any of the checks above fail, the identity of the enclave does not match QE Identity published by Intel.
  4. Determine a TCB status of the Quoting Enclave:
    1. Retrieve a collection of TCB Levels (sorted by ISVSVNs) from tcbLevels field in QE Identity structure.
    2. Go over the list of TCB Levels (descending order) and find the one that has ISVSVN that is lower or equal to the ISVSVN value from SGX Enclave Report.
    3. If a TCB level is found, read its status from tcbStatus field, otherwise your TCB Level is not supported.

GET https://api.trustedservices.intel.com/sgx/certification/v3/qe/identity

Request

Name Type Request Type Required Pattern Description
Example Request
curl -v -X GET "https://api.trustedservices.intel.com/sgx/certification/v3/qe/identity" 

Response

Model

QEIdentityV2 (JSON) - QE Identity data structure encoded as JSON string in case of success (200 HTTP status code)

QEIdentityV2:
	type: object
	description: >-
		QE Identity data structure encoded as JSON string in case of success
		(200 HTTP status code)
	properties:
		enclaveIdentity:
			type: object
			properties:
				id:
					type: string
					description: Identifier of the SGX Enclave issued by Intel. Supported values are QE and QVE
				version:
					type: integer
					example: 2
					description: Version of the structure
				issueDate:
					type: string
					format: date-time
					description: >-
						Representation of date and time the QE Identity information
						was created. The time shall be in UTC and the encoding shall
						be compliant to ISO 8601 standard (YYYY-MM-DDThh:mm:ssZ)
				nextUpdate:
					type: string
					format: date-time
					description: >-
						Representation of date and time by which next QE
						identity information will be issued. The time shall be in
						UTC and the encoding shall be compliant to ISO 8601 standard
						(YYYY-MM-DDThh:mm:ssZ)
				tcbEvaluationDataNumber:
					type: integer
					example: 2
					description: >-
						A monotonically increasing sequence number changed
						when Intel updates the content of the TCB evaluation data
						set: TCB Info, QE Idenity and QVE Identity. The tcbEvaluationDataNumber
						update is synchronized across TCB Info for all flavors of
						SGX CPUs (Family-Model-Stepping-Platform-CustomSKU) and QE/QVE
						Identity. This sequence number allows users to easily determine
						when a particular TCB Info/QE Idenity/QVE Identiy superseedes
						another TCB Info/QE Identity/QVE Identity (value: current
						TCB Recovery event number stored in the database).
				miscselect:
					type: string
					pattern: ^[0-9a-fA-F]{8}$
					example: '00000000'
					description: Base 16-encoded string representing miscselect "golden" value (upon applying mask).
				miscselectMask:
					type: string
					pattern: ^[0-9a-fA-F]{8}$
					example: '00000000'
					description: Base 16-encoded string representing mask to be applied to miscselect value retrieved from the platform.
				attributes:
					type: string
					pattern: ^[0-9a-fA-F]{32}$
					example: '00000000000000000000000000000000'
					description: Base 16-encoded string representing attributes "golden" value (upon applying mask).
				attributesMask:
					type: string
					pattern: ^[0-9a-fA-F]{32}$
					example: '00000000000000000000000000000000'
					description: Base 16-encoded string representing mask to be applied to attributes value retrieved from the platform.
				mrsigner:
					type: string
					pattern: ^[0-9a-fA-F]{64}$
					example: '0000000000000000000000000000000000000000000000000000000000000000'
					description: Base 16-encoded string representing mrsigner hash.
				isvprodid:
					type: integer
					example: 0
					maximum: 65535
					minimum: 0
					description: Enclave Product ID.
				tcbLevels:
					type: array
					description: >-
						Sorted list of supported Enclave TCB levels for given
						QE encoded as a JSON array of Enclave TCB level objects.
					items:
						type: object
						properties:
							tcb:
								type: object
								properties:
									isvnsvn:
										description: SGX Enclave’s ISV SVN
										type: integer
							tcbDate:
								type: string
								format: date-time
								description: >-
									Representation of date and time when
									the TCB level was certified not to be vulnerable
									to any issues described in SAs that were originally published
									on or prior to this date.

									The time shall be in UTC and the encoding shall
									be compliant to ISO 8601 standard (YYYY-MM-DDThh:mm:ssZ).
							tcbStatus:
								type: string
								enum:
									- UpToDate
									- OutOfDate
									- Revoked
								description: >-
									TCB level status. One of the following values:

									"UpToDate" - TCB level of the SGX platform is up-to-date.

									"OutOfDate" - TCB level of SGX platform is outdated.

									"Revoked" - TCB level of SGX platform is revoked.
									The platform is not trustworthy.
							advisoryIDs:
								type: array
								description: >-
									Array of Advisory IDs describing vulnerabilities
									that this TCB level is vulnerable to.

									Note: The value can be different for different
									FMSPCs.

									This field is optional. It will be present only
									if the list of Advisory IDs is not empty.
								items:
									type: string
		signature:
			type: string
			description: >-
				Hex-encoded string representation of a signature calculated
				over qeIdentity body (without whitespaces) using TCB Info Signing Key.
                            
Example Response
{
	"enclaveIdentity":{
		"id":"QE"
		"version":2,
		"issueDate":"2018-08-30T11:03:32Z",
		"nextUpdate":"2018-09-30T11:03:32Z",
		"tcbEvaluationDataNumber":2,
		"miscselect":"00000000",
		"miscselectMask":"00000000",
		"attributes":"00000000000000000000000000000000",
		"attributesMask":"00000000000000000000000000000000",
		"mrsigner":"0000000000000000000000000000000000000000000000000000000000000000",
		"isvprodid":0,
		"tcbLevels": [
		  {
			"tcb": {
			  "isvsvn":0
			},
			"tcbDate":"2019-07-11T12:00:00Z",
			"tcbStatus": "UpToDate",
			"advisoryIDs": ["INTEL-SA-00079", "INTEL-SA-00076"]
		  }
		]
	},
	"signature":"e1e6620c643623fdbb757082b78c2ba14331adf3b9181e798d9a312e0e2cd2b5ee8de438efa7eacf035209f50869f30c8d1727e1f42f607cc97ca81b329baf2e"
}
                            
Status Codes
Code Model Headers Description
200 QEIdentityV2

Content-Type (String) - application/json

Request-ID (String) - Randomly generated identifier for each request (for troubleshooting purposes)

SGX-Enclave-Identity-Issuer-Chain (String) - URL encoded issuer chain for SGX QE Identity in PEM format (all certificates in the chain, appended to each other in the following order: <Signing Certificate><Root CA Certificate>). Note: This header contains chain of certificates with CRL Distribution Point URL pointing to DER-encoded CRL.

Operation successful
400

Request-ID (String) - Randomly generated identifier for each request (for troubleshooting purposes)

Invalid request parameters.
401

Request-ID (String) - Randomly generated identifier for each request (for troubleshooting purposes)

Failed to authenticate or authorize the request
404

Request-ID (String) - Randomly generated identifier for each request (for troubleshooting purposes)

QE Identity information cannot be found.
500

Request-ID (String) - Randomly generated identifier for each request (for troubleshooting purposes)

Internal server error occurred
503

Request-ID (String) - Randomly generated identifier for each request (for troubleshooting purposes)

Server is currently unable to process the request

Get Quote Verification Enclave Identity V3

Determining if the identity of a SGX Enclave (represented by SGX Enclave Report) matches a valid, up-to-date Quote Verification Enclave issued by Intel requires following steps:

  1. Retrieve Quote Verification Enclave Identity from PCS and verify that it is a valid structure issued by Intel.
  2. Perform the following comparison of SGX Enclave Report against the retrieved QVE Identity:
    1. Verify if MRSIGNER field retrieved from SGX Enclave Report is equal to the value of mrsigner field in QVE Identity.
    2. Verify if ISVPRODID field retrieved from SGX Enclave Report is equal to the value of isvprodid field in QVE Identity.
    3. Apply miscselectMask (binary mask) from QVE Identity to MISCSELECT field retrieved from SGX Enclave Report. Verify if the outcome (miscselectMask & MISCSELECT) is equal to the value of miscselect field in QVE Identity.
    4. Apply attributesMask (binary mask) from QVE Identity to ATTRIBUTES field retrieved from SGX Enclave Report. Verify if the outcome (attributesMask & ATTRIBUTES) is equal to the value of attributes field in QVE Identity.
  3. If any of the checks above fail, the identity of the enclave does not match QVE Identity published by Intel.
  4. Determine a TCB status of the Quote Verification Enclave:
    1. Retrieve a collection of TCB Levels (sorted by ISVSVNs) from tcbLevels field in QVE Identity structure.
    2. Go over the list of TCB Levels (descending order) and find the one that has ISVSVN that is lower or equal to the ISVSVN value from SGX Enclave Report.
    3. If a TCB level is found, read its status from tcbStatus field, otherwise your TCB Level is not supported.

GET https://api.trustedservices.intel.com/sgx/certification/v3/qve/identity

Request

No parameters

Example Request
curl -v -X GET "https://api.trustedservices.intel.com/sgx/certification/v3/qve/identity" 

Response

Model

QVEIdentityV2 (JSON) - QVE Identity data structure encoded as JSON string in case of success (200 HTTP status code)

QVEIdentityV2:
	type: object
	description: QVE Identity data structure encoded as JSON string in case of success
		(200 HTTP status code)
	properties:
		enclaveIdentity:
			type: object
			properties:
				id:
					type: string
					description: Identifier of the SGX Enclave issued by Intel. Supported values are QE and QVE
				version:
					type: integer
					example: 2
					description: Version of the structure
				issueDate:
					type: string
					format: date-time
					description: >-
						Representation of date and time the QVE Identity information
						was created. The time shall be in UTC and the encoding shall
						be compliant to ISO 8601 standard (YYYY-MM-DDThh:mm:ssZ)
				nextUpdate:
					type: string
					format: date-time
					description: >-
						Representation of date and time by which next QVE
						identity information will be issued. The time shall be in
						UTC and the encoding shall be compliant to ISO 8601 standard
						(YYYY-MM-DDThh:mm:ssZ)
				tcbEvaluationDataNumber:
					type: integer
					example: 2
					description: >-
						A monotonically increasing sequence number changed
						when Intel updates the content of the TCB evaluation data
						set: TCB Info, QE Idenity and QVE Identity. The tcbEvaluationDataNumber
						update is synchronized across TCB Info for all flavors of
						SGX CPUs (Family-Model-Stepping-Platform-CustomSKU) and QE/QVE
						Identity. This sequence number allows users to easily determine
						when a particular TCB Info/QE Idenity/QVE Identiy superseedes
						another TCB Info/QE Identity/QVE Identity (value: current
						TCB Recovery event number stored in the database).
				miscselect:
					type: string
					pattern: ^[0-9a-fA-F]{8}$
					example: '00000000'
					description: Base 16-encoded string representing miscselect "golden" value (upon applying mask).
				miscselectMask:
					type: string
					pattern: ^[0-9a-fA-F]{8}$
					example: '00000000'
					description: Base 16-encoded string representing mask to be applied to miscselect value retrieved from the platform.
				attributes:
					type: string
					pattern: ^[0-9a-fA-F]{32}$
					example: '00000000000000000000000000000000'
					description: Base 16-encoded string representing attributes "golden" value (upon applying mask).
				attributesMask:
					type: string
					pattern: ^[0-9a-fA-F]{32}$
					example: '00000000000000000000000000000000'
					description: Base 16-encoded string representing mask to be applied to attributes value retrieved from the platform.
				mrsigner:
					type: string
					pattern: ^[0-9a-fA-F]{64}$
					example: '0000000000000000000000000000000000000000000000000000000000000000'
					description: Base 16-encoded string representing mrsigner hash.
				isvprodid:
					type: integer
					example: 0
					minimum: 0
					maximum: 65535
					description: Enclave Product ID.
				tcbLevels:
					description: >-
						Sorted list of supported Enclave TCB levels for given
						QVE encoded as a JSON array of Enclave TCB level objects.
					type: array
					items:
						type: object
						properties:
							tcb:
								type: object
								properties:
									isvnsvn:
										description: SGX Enclave’s ISV SVN
										type: integer
							tcbDate:
								type: string
								format: date-time
								description: >-
									Representation of date and time when
									the TCB level was certified not to be vulnerable
									to any issues described in SAs that were originally published
									on or prior to this date.

									The time shall be in UTC and the encoding shall
									be compliant to ISO 8601 standard (YYYY-MM-DDThh:mm:ssZ).
							tcbStatus:
								type: string
								enum:
									- UpToDate
									- OutOfDate
									- Revoked
								description: >-
									TCB level status. One of the following values:

									"UpToDate" - TCB level of the SGX platform is up-to-date.

									"OutOfDate" - TCB level of SGX platform is outdated.

									"Revoked" - TCB level of SGX platform is revoked.
									The platform is not trustworthy.
							advisoryIDs:
								type: array
								description: >-
									Array of Advisory IDs describing vulnerabilities
									that this TCB level is vulnerable to.

									Note: The value can be different for different
									FMSPCs.

									This field is optional. It will be present only
									if the list of Advisory IDs is not empty.
								items:
									type: string
		signature:
			type: string
			description: Hex-encoded string representation of a signature calculated
				over qeIdentity body (without whitespaces) using TCB Info Signing Key.
                            
Example Response
{
	"enclaveIdentity":{
		"id":"QVE"
		"version":2,
		"issueDate":"2018-08-30T11:03:32Z",
		"nextUpdate":"2018-08-30T11:03:32Z",
		"tcbEvaluationDataNumber":2,
		"miscselect":"00000000",
		"miscselectMask":"00000000",
		"attributes":"00000000000000000000000000000000",
		"attributesMask":"00000000000000000000000000000000",
		"mrsigner":"0000000000000000000000000000000000000000000000000000000000000000",
		"isvprodid":0,
		"tcbLevels": [
		  {
			"tcb": {
			  "isvsvn":0
			},
			"tcbDate":"2019-07-11T12:00:00Z",
			"tcbStatus": "UpToDate",
			"advisoryIDs": ["INTEL-SA-00079", "INTEL-SA-00076"]
		  }
		]
	},
	"signature":"375eb0721810ab4029968f2ccadec6ebf2d96ac8d818732b4e254980bf2201e03afc560cd8d52f3d45c524b4dfe0e97337edafb9d299ab78960a523d8b5bc90d"
}
                            
Status Codes
Code Model Headers Description
200 QVEIdentityV2

Content-Type (String) - application/json

Request-ID (String) - Randomly generated identifier for each request (for troubleshooting purposes)

SGX-Enclave-Identity-Issuer-Chain (String) - URL encoded issuer chain for SGX QVE Identity in PEM format (all certificates in the chain, appended to each other in the following order: <Signing Certificate><Root CA Certificate>). Note: This header contains chain of certificates with CRL Distribution Point URL pointing to DER-encoded CRL.

Operation successful
400

Request-ID (String) - Randomly generated identifier for each request (for troubleshooting purposes)

Invalid request parameters.
401

Request-ID (String) - Randomly generated identifier for each request (for troubleshooting purposes)

Failed to authenticate or authorize the request
404

Request-ID (String) - Randomly generated identifier for each request (for troubleshooting purposes)

QVE Identity information cannot be found.
500

Request-ID (String) - Randomly generated identifier for each request (for troubleshooting purposes)

Internal server error occurred
503

Request-ID (String) - Randomly generated identifier for each request (for troubleshooting purposes)

Server is currently unable to process the request

PCK Certificate and CRL Specification

This document specifies the hierarchy and format of X.509 v3 certificates and X.509 v2 Certificate Revocation Lists (CRLs) issued by Intel for Provisioning Certification Keys.