/tdx-workload-attestation

Library for attesting VM workloads inside of an Intel TDX environment​

Primary LanguageRustApache License 2.0Apache-2.0

TDX Workload Attestation

GitHub License Crates.io Documentation OpenSSF Scorecard

A Rust library for generating attestations about virtual machine (VM) workloads using Intel Trust Domain Extensions (Intel TDX).

What is attestation?

The purpose of this library is to serve as a building block for supply chain integrity of TDX workloads. Accordingly, "attestation" in this library refers to an authenticated claim about any component of the TDX workload, not to be confused with remote attestation from the trusted computing space.

For more information about software attestations, we refer you to the in-toto Attestation Framework.

Quickstart

This guide assumes you are running within an enlightened Ubuntu VM on a machine with support for Intel TDX 1.5 or above.

Pre-requisites

Install a Rust toolchain (1.85 or later) (see https://www.rust-lang.org/tools/install)

curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh

Then, install required libraries

sudo apt install libssl-dev protobuf-compiler

Supported Environments

Build tdx-workload-attestation

For a default build within an Ubuntu TDX guest, run:

cargo build

To enable support for GCP host verification, build with:

cargo build --features host-gcp-tdx

The necessary root certificates are downloaded during this build.

Use the library

To import the TDX workload attestation library into your project, add it to your Cargo.toml:

[dependencies]
tdx_workload_attestation = "0.1.0"

To disable TDX features, set default-features = false. To enable additional GCP-specific VM verification, add the host-gcp-tdx feature.

Test the library

To test and showcase how the library can be used, we provide a simple tdx-attest CLI tool with the following commands.

Get TDX platform info

Print the platform's name:

tdx-attest platform name

If running on a TDX 1.5 guest, the output should be tdx-linux.

Check if TDX is available on the platform:

tdx-attest platform is-tdx-available

Obtain TDX attestations

Print the VM's current Intel TDX attestation report:

sudo tdx-attest quote

To only print out the launch measurement (MRTD), run the quote command with the -m flag.

You may also save the attestation report to a local file with the -s and -o <filename> options.

Disclaimer

This library is experimental, and should not be used in a production environment.