An easy-to-use command line interface for attesting TDX TEE(TD) with Intel Trust Authority. The CLI will be installed and run inside the TD.
The default TDX CLI depends on Intel SGX DCAP. Install the TDX Attestation library dev package from Intel SGX DCAP; instructions follow.
Install the Debian package for libtdx-attest-dev following these steps:
- Add the following repository to your sources:
  - For Ubuntu* 20.04:
    echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main' | sudo tee /etc/apt/sources.list.d/intel-sgx.list
  - For Ubuntu* 22.04:
    echo 'deb [signed-by=/etc/apt/keyrings/intel-sgx-keyring.asc arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu jammy main' | sudo tee /etc/apt/sources.list.d/intel-sgx.list
- Get the Debian repo public key and add it to the list of trusted keys that apt uses to authenticate packages:
  - For Ubuntu* 20.04:
    wget -qO - https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | sudo apt-key add -
  - For Ubuntu* 22.04:
    wget https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key
    cat intel-sgx-deb.key | sudo tee /etc/apt/keyrings/intel-sgx-keyring.asc > /dev/null
- Update apt and install the libtdx-attest-dev package:
  sudo apt-get update
  sudo apt-get install libtdx-attest-dev
Install the RPM package for libtdx-attest-devel following these steps:
- Find RPM packages for DCAP libraries and services, which are currently provided in a single TAR archive at https://download.01.org/intel-sgx/latest/linux-latest/distro/<distro>/
- Download the file sgx_rpm_local_repo.tgz to a selected folder, for example /opt/intel:
  cd /opt/intel
  sudo wget https://download.01.org/intel-sgx/latest/linux-latest/distro/<distro>/sgx_rpm_local_repo.tgz
- Verify the downloaded repo file against the SHA-256 value in this file: https://download.01.org/intel-sgx/latest/dcap-latest/linux/SHA256SUM_dcap_.cfg
  sha256sum sgx_rpm_local_repo.tgz
- Expand the archive:
  sudo tar xvf sgx_rpm_local_repo.tgz
- Add the RPM local repository to your local repository list:
  sudo yum-config-manager --add-repo file://PATH_TO_LOCAL_REPO
- Install the latest packages with sudo dnf --nogpgcheck install <package names>; for this CLI:
  sudo dnf --nogpgcheck install libtdx-attest-devel
Use go1.19 or newer. Follow https://go.dev/doc/install for installation of Go.
Compile the Intel Trust Authority TDX CLI. This generates the trustauthority-cli binary in the current directory:
cd tdx-cli/
make cli
To run the tests, run:
cd tdx-cli && make test-coverage
See tdx-cli/token_test.go for an example of a test.
trustauthority-cli --help
More info about a specific command can be found using
trustauthority-cli <command> --help
trustauthority-cli create-key-pair --pub-path <public key file path>
The token command requires the Intel Trust Authority configuration to be passed in JSON format:
{
  "trustauthority_api_url": "<trustauthority attestation api url>",
  "trustauthority_api_key": "<trustauthority attestation api key>"
}
Save this data in a config.json file and invoke the token command:
trustauthority-cli token --config config.json --user-data <base64 encoded userdata> --policy-ids <comma separated trustauthority attestation policy ids>
OR
trustauthority-cli token --config config.json --pub-path <public key file path> --policy-ids <comma separated trustauthority attestation policy ids>
trustauthority-cli quote --nonce <base64 encoded nonce> --user-data <base64 encoded userdata>
trustauthority-cli decrypt --key-path <private key file path> --in <base64 encoded encrypted blob>
OR
trustauthority-cli decrypt --key <base64 encoded private key> --in <base64 encoded encrypted blob>
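The create-key-pair and decrypt commands above are the two ends of a secret-release flow: the TD keeps the private key, the public key travels with the attestation request, and a relying party that has verified the token wraps a secret to that public key so only the attested TD can recover it. The Go program below is an added example that is not part of the tdx-cli code base; it reproduces that flow in-process so it can run offline. It assumes (these are assumptions, not documented on this page) that the key pair is RSA 3072, that the public key is written as a PKIX "PUBLIC KEY" PEM block, and that the blob passed to decrypt --in is RSA-OAEP with SHA-256, base64 encoded. Check the CLI's actual output format before relying on any of those choices.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"fmt"
)

// GenerateKeyPair stands in for `trustauthority-cli create-key-pair --pub-path ...`:
// the private key stays inside the TD, the PEM public key is handed out.
// Assumption: RSA 3072 and a PKIX "PUBLIC KEY" PEM block (not confirmed by the README).
func GenerateKeyPair() (*rsa.PrivateKey, []byte, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 3072)
	if err != nil {
		return nil, nil, err
	}
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return nil, nil, err
	}
	pubPEM := pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})
	return priv, pubPEM, nil
}

// WrapSecret is the relying-party side. It must only be called after
// `trustauthority-cli verify` (or the equivalent server-side check) has
// accepted the attestation token that carried this public key.
// Assumption: RSA-OAEP with SHA-256 and no label, output base64 encoded.
func WrapSecret(pubPEM []byte, secret []byte) (string, error) {
	block, _ := pem.Decode(pubPEM)
	if block == nil || block.Type != "PUBLIC KEY" {
		return "", fmt.Errorf("expected a PEM PUBLIC KEY block")
	}
	key, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return "", fmt.Errorf("parse public key: %w", err)
	}
	pub, ok := key.(*rsa.PublicKey)
	if !ok {
		return "", fmt.Errorf("public key is not RSA")
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, secret, nil)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(ct), nil
}

// UnwrapSecret is the TD side, i.e. what `decrypt --key-path ... --in <blob>` does
// under the assumptions above. A corrupted or wrongly encoded blob is reported as
// an error rather than producing garbage plaintext.
func UnwrapSecret(priv *rsa.PrivateKey, blobB64 string) ([]byte, error) {
	ct, err := base64.StdEncoding.DecodeString(blobB64)
	if err != nil {
		return nil, fmt.Errorf("blob is not valid base64: %w", err)
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

func main() {
	priv, pubPEM, err := GenerateKeyPair()
	if err != nil {
		panic(err)
	}
	// Constructed sample secret; in practice this is a key or credential the TD needs.
	blob, err := WrapSecret(pubPEM, []byte("constructed secret"))
	if err != nil {
		panic(err)
	}
	plain, err := UnwrapSecret(priv, blob)
	if err != nil {
		panic(err)
	}
	fmt.Printf("public key:\n%s\nwrapped blob (base64): %s\nrecovered: %s\n", pubPEM, blob, plain)
}
```

The point to keep in mind when wiring this into a real deployment is ordering: the relying party's WrapSecret step is only safe after the token that carried the public key has been verified, because an unverified public key could belong to anyone.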
The verify command requires the Intel Trust Authority URL to be passed in JSON format:
{
  "trustauthority_url": "<trustauthority url>"
}
Save this data in a config.json file and invoke the verify command:
trustauthority-cli verify --config config.json --token <attestation token in JWT format>
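The token returned by the token command and consumed by verify is a JWT, so it can be inspected before verification, for example to log which key id signed it or to see when it expires. The Go program below is an added example, not code from the tdx-cli project: it decodes the header and claims of a compact JWT without checking the signature, rejects tokens whose header advertises no algorithm or alg "none", and checks the standard exp claim against a supplied time. The token it decodes is a constructed sample with made-up header and claim values; real Intel Trust Authority tokens carry their own claims, and the only trust decision should come from trustauthority-cli verify against the Intel Trust Authority URL, never from this unverified decode.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// TokenParts holds the decoded header and claims of a JWT.
type TokenParts struct {
	Header map[string]any
	Claims map[string]any
}

// decodeSegment base64url-decodes one JWT segment and parses it as a JSON object.
func decodeSegment(seg string, dst *map[string]any) error {
	raw, err := base64.RawURLEncoding.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, dst)
}

// DecodeUnverified splits a compact JWS (header.payload.signature) and decodes
// header and claims WITHOUT checking the signature. It is for inspection only;
// accept a token only after `trustauthority-cli verify` succeeds.
func DecodeUnverified(token string) (*TokenParts, error) {
	parts := strings.Split(strings.TrimSpace(token), ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("expected 3 dot-separated segments, got %d", len(parts))
	}
	var tp TokenParts
	if err := decodeSegment(parts[0], &tp.Header); err != nil {
		return nil, fmt.Errorf("header: %w", err)
	}
	if err := decodeSegment(parts[1], &tp.Claims); err != nil {
		return nil, fmt.Errorf("claims: %w", err)
	}
	// A missing algorithm or "none" means there is nothing a verifier could check.
	if alg, _ := tp.Header["alg"].(string); alg == "" || strings.EqualFold(alg, "none") {
		return nil, fmt.Errorf("refusing token with alg %q", alg)
	}
	if parts[2] == "" {
		return nil, fmt.Errorf("token has an empty signature segment")
	}
	return &tp, nil
}

// Expired reports whether the standard "exp" claim (seconds since the epoch)
// is at or before now. A token without a numeric exp is treated as an error.
func Expired(tp *TokenParts, now int64) (bool, error) {
	exp, ok := tp.Claims["exp"].(float64) // encoding/json decodes numbers as float64
	if !ok {
		return false, fmt.Errorf("missing or non-numeric exp claim")
	}
	return int64(exp) <= now, nil
}

// SampleToken builds a constructed token for offline use. The header and claim
// values are invented; the signature segment is not a real signature.
func SampleToken() string {
	hdr := `{"alg":"RS256","kid":"constructed-key-id","typ":"JWT"}`
	body := `{"iss":"constructed-issuer","sub":"constructed-subject","exp":1700000000}`
	enc := base64.RawURLEncoding.EncodeToString
	return enc([]byte(hdr)) + "." + enc([]byte(body)) + "." + enc([]byte("constructed-signature-bytes"))
}

func main() {
	tp, err := DecodeUnverified(SampleToken())
	if err != nil {
		panic(err)
	}
	fmt.Printf("header: %v\nclaims: %v\n", tp.Header, tp.Claims)
	expired, err := Expired(tp, 1700000001)
	if err != nil {
		panic(err)
	}
	fmt.Println("expired at 1700000001:", expired)
}
```

Usage: pipe the string you would pass to `--token` into DecodeUnverified to record kid and exp in your own logs, then hand the same string to verify; the decode step gives you context for the log entry, the verify step gives you the trust decision.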
This source is distributed under the BSD-style license found in the LICENSE file.