Intel® SGX and Intel® TDX Provisioning Certification Service for ECDSA Attestation
Download the Provisioning Certification Root CA Certificate for API v4 here:
DER
PEM
(fingerprint: 53f76ef60c30d6e068c8e033530fb886d3150f36)
Get/Post PCK Certificate V4
The Get PCK Certificate API allows requesting a single PCK certificate by specifying the platform's PPID (single-socket and multi-socket platforms) or Platform Manifest (multi-socket platforms only) and a set of SVNs.
Get PCK Certificate using PPID and SVNs is available for:
- single-socket platforms - using this API does not require any prerequisites.
- multi-socket platforms - using this API requires previous Platform Manifest registration using Register Platform API exposed by Registration Service. Using this flow requires that platform root keys for a given platform are persistently stored in the backend (Registration Service). While issuing a PCK Certificate, Provisioning Certification Service uses a PCK public key derrived by Registration Service based on stored platform root keys. Keys Caching Policy for a platform using this API must be set to 'true'.
Get PCK Certificate using Platform Manifest and SVNs is available for:
- multi-socket platforms - using this API does not require previous Platform Manifest registration using Registration Service. Using this flow does not require that platform root keys for a given platform are persistently stored in the backend (Registration Service). While issuing a PCK Certificate, Provisioning Certification Service uses a PCK public key derived by Registration Service based on platform root keys in the provided Platform Manifest. Depending on the Keys Caching Policy set for a given platform, platform root keys from the Platform Manifest will be either stored or not stored in the backend.
Setting Key Caching Policy for multi-socket platforms:
- if you register Platform Manifest directly via Register Platform API exposed by Registration Service first (so called direct registration), Key Caching Policy will be set to always store platform root keys for given platform. The keys will be stored when Platform Manifest is sent to the backend (either via Register Platform API or via Get PCK Certificate(s) using Platform Manifest). The fact of storing keys in the backend is reflected by CachedKeys flag in PCK Certificates set to 'true'.
- if you register Platform Manifest indirectly via Get PCK Certificate(s) using Platform Manifest API exposed by Provisioning Certification Service first (so called indirect registration), Key Caching Policy will be set to never store platform root keys for given platform. Platform root keys are discarded immediately after the PCK key is derived. However, the standard platform metadata is stored. In this case, Register Platform API exposed by Registration Service cannot be used anymore. The fact of NOT storing keys in the backend is reflected by CachedKeys flag in PCK Certificates set to 'false'.
NOTICE: When you use that single PCK Certificate, the PCS will return the PCK Certificate that represents the TCB level with the highest security posture based on the SGX patching level applied to the platform. The platform's patching level is represented by the following inputs: CPUSVN and PCE ISVSVN.
GEThttps://validation.api.trustedservices.intel.com/sgx/certification/v4/pckcert
Request
| Name | Type | Request Type | Required | Pattern | Description |
|---|---|---|---|---|---|
| Ocp-Apim-Subscription-Key | String | Header | False | Subscription key which provides access to this API. It can be found in your Profile. | |
| PPID-Encryption-Key | String | Header | False | Type of key used to encrypt PPID. If not specified, "RSA-3072" will be used as default. Currently supported values: "RSA-3072" | |
| encrypted_ppid | String | Query | True | ^[0-9a-fA-F]{768}$ | Base16-encoded PPID encrypted with PPIDEK (384 bytes, byte array) |
| cpusvn | String | Query | True | ^[0-9a-fA-F]{32}$ | Base16-encoded CPUSVN value (16 bytes, byte array) |
| pcesvn | String | Query | True | ^[0-9a-fA-F]{4}$ | Base16-encoded PCESVN value (2 bytes, little endian) |
| pceid | String | Query | True | ^[0-9a-fA-F]{4}$ | Base16-encoded PCE-ID value (2 bytes, little endian) |
Example Request
curl -v -X GET "https://validation.api.trustedservices.intel.com/sgx/certification/v4/pckcert?encrypted_ppid={}&cpusvn={}&pcesvn={}&pceid={}" -H "Ocp-Apim-Subscription-Key: {subscription key}"
Response
Response description can be found here.
POST https://validation.api.trustedservices.intel.com/sgx/certification/v4/pckcert
Request
| Name | Type | Request Type | Required | Pattern | Description |
|---|---|---|---|---|---|
| Ocp-Apim-Subscription-Key | String | Header | False | Subscription key which provides access to this API. It can be found in your Profile. | |
| Content-Type | String | Header | True | Content Type key which is corresponding to body format application/json. | |
| platformManifest | String | Body Field | True | ^[0-9a-fA-F]{16862,112884}$ | Base 16-encoded representation of Platform Manifest. |
| cpusvn | String | Body Field | True | ^[0-9a-fA-F]{32}$ | Base16-encoded CPUSVN value (16 bytes, byte array) |
| pcesvn | String | Body Field | True | ^[0-9a-fA-F]{4}$ | Base16-encoded PCESVN value (2 bytes, little endian) |
| pceid | String | Body Field | True | ^[0-9a-fA-F]{4}$ | Base16-encoded PCE-ID value (2 bytes, little endian) |
Body
{
"platformManifest":"...",
"cpusvn":"...",
"pcesvn":"...",
"pceid":"..."
}
Example Request
curl -v -X POST --data '{"platformManifest":"...", "cpusvn":"...", "pcesvn":"...", "pceid":"..."}' "https://validation.api.trustedservices.intel.com/sgx/certification/v4/pckcert" -H "Ocp-Apim-Subscription-Key: {subscription key}" -H "Content-Type: application/json"
Response
Model
PckCert (X-PEM-FILE) - PEM-encoded representation of SGX PCK Certificate in case of success (200 HTTP status code)
Example Response
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Status Codes
| Code | Model | Headers | Description | ||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 200 | PckCert |
Content-Type - application/x-pem-file Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) SGX-PCK-Certificate-Issuer-Chain - URL-encoded Issuer Certificate chain for SGX PCK Certificate in PEM format. It consists of SGX Root CA Certificate and SGX Intermediate CA Certificate (Processor CA, Platform CA). SGX-TCBm - Hex-encoded string representation of concatenation of CPUSVN (16 bytes) and PCESVN (2 bytes) as returned in corresponding SGX PCK Certificate SGX-FMSPC - Hex-encoded string representation of FMSPC (6 bytes). SGX-PCK-Certificate-CA-Type - Type of the SGX Intermediate CA that issued the requested SGX PCK Certificate. One of the following values:
Warning - Optional header which contains warning message, for example information about deprecation of the API |
Operation successful | ||||||||||||||
| 400 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API Additional details about the error condition that occurred (in the form of specific error code and message) are returned to the client in the response headers: Error-Code and Error-Message (see the definition of response headers for details about the format). The table below defines all the error conditions that may occur:
|
Invalid request parameters. | |||||||||||||||
| 401 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
Failed to authenticate or authorize the request | |||||||||||||||
| 404 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
PCK Certificate for provided {ppid}, {cpusvn}, {pcesvn} and {pceid} cannot be found. | |||||||||||||||
| 429 |
Retry-After - Non-negative decimal integer, indicating how long the user agent should wait before making a follow-up request (in seconds). Warning - Optional header which contains warning message, for example information about deprecation of the API |
Too many requests, limit has been reached. | |||||||||||||||
| 500 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
Internal server error occurred | |||||||||||||||
| 503 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
Server is currently unable to process the request |
Get PCK Certificates V4
The Get PCK Certificates API allows requesting PCK certificates for all configured TCB levels for given platform by specifying the platform's PPID (single-socket and multi-socket platforms) or Platform Manifest (multi-socket platforms only).
Get PCK Certificates using PPID is available for:
- single-socket platforms - using this API does not require any prerequisites.
- multi-socket platforms - using this API requires previous Platform Manifest registration using Register Platform API exposed by Registration Service. Using this flow requires that platform root keys for a given platform are persistently stored in the backend (Registration Service). While issuing PCK Certificates, Provisioning Certification Service uses PCK public keys derrived by Registration Service based on stored platform root keys. Keys Caching Policy for a platform using this API must be set to 'true'.
Get PCK Certificates using Platform Manifest is available for:
- multi-socket platforms - using this API does not require previous Platform Manifest registration using Registration Service. Using this flow does not require that platform root keys for a given platform are persistently stored in the backend (Registration Service). While issuing PCK Certificates, Provisioning Certification Service uses PCK public keys derrived by Registration Service based on platform root keys in the provided Platform Manifest. Depending on the Keys Caching Policy set for a given platform, platform root keys from the Platform Manifest will be either stored or not stored in the backend.
Setting Key Caching Policy for multi-socket platforms:
- if you register Platform Manifest directly via Register Platform API exposed by Registration Service first (so called direct registration), Key Caching Policy will be set to always store platform root keys for given platform. The keys will be stored when Platform Manifest is sent to the backend (either via Register Platform API or via Get PCK Certificate(s) using Platform Manifest). The fact of storing keys in the backend is reflected by CachedKeys flag in PCK Certificates set to 'true'.
- if you register Platform Manifest indirectly via Get PCK Certificate(s) using Platform Manifest API exposed by Provisioning Certification Service first (so called indirect registration), Key Caching Policy will be set to never store platform root keys for given platform. Platform root keys are discarded immediately after the PCK key is derived. However, the standard platform metadata is stored. In this case, Register Platform API exposed by Registration Service cannot be used anymore. The fact of NOT storing keys in the backend is reflected by CachedKeys flag in PCK Certificates set to 'false'.
GET https://validation.api.trustedservices.intel.com/sgx/certification/v4/pckcerts
Retrieve X.509 Provisioning Certification Key (PCK) certificates for SGX-enabled platform for all configured TCB levels based on encrypted PPID and PCE-ID (supports both single and multi-package platforms).
Request
| Name | Type | Request Type | Required | Pattern | Description |
|---|---|---|---|---|---|
| Ocp-Apim-Subscription-Key | String | Header | False | Subscription key which provides access to this API. It can be found in your Profile. | |
| PPID-Encryption-Key | String | Header | False | Type of key used to encrypt PPID. If not specified, "RSA-3072" will be used as default. Currently supported values: "RSA-3072" | |
| encrypted_ppid | String | Query | True | ^[0-9a-fA-F]{768}$ | Base16-encoded PPID encrypted with PPIDEK (384 bytes, byte array) |
| pceid | String | Query | True | ^[0-9a-fA-F]{4}$ | Base16-encoded PCE-ID value (2 bytes, little endian) |
Example Request
curl -v -X GET "https://validation.api.trustedservices.intel.com/sgx/certification/v4/pckcerts?encrypted_ppid={}&pceid={}" -H "Ocp-Apim-Subscription-Key: {subscription key}"
Response
Response description can be found here.
GET https://validation.api.trustedservices.intel.com/sgx/certification/v4/pckcerts/config
Retrieve X.509 Provisioning Certification Key (PCK) certificates for SGX-enabled platform with a specific configuration reflected in a raw CPUSVN retrieved from the platform (supports multi-package platforms only).
Request
| Name | Type | Request Type | Required | Pattern | Description |
|---|---|---|---|---|---|
| Ocp-Apim-Subscription-Key | String | Header | False | Subscription key which provides access to this API. It can be found in your Profile. | |
| PPID-Encryption-Key | String | Header | False | Type of key used to encrypt PPID. If not specified, "RSA-3072" will be used as default. Currently supported values: "RSA-3072" | |
| encrypted_ppid | String | Query | True | ^[0-9a-fA-F]{768}$ | Base16-encoded PPID encrypted with PPIDEK (384 bytes, byte array) |
| pceid | String | Query | True | ^[0-9a-fA-F]{4}$ | Base16-encoded PCE-ID value (2 bytes, little endian) |
| cpusvn | String | Query | True | ^[0-9a-fA-F]{32}$ | Base16-encoded CPUSVN value (16 bytes, byte array) |
Example Request
curl -v -X GET "https://validation.api.trustedservices.intel.com/sgx/certification/v4/pckcerts/config?encrypted_ppid={}&pceid={}&cpusvn={}" -H "Ocp-Apim-Subscription-Key: {subscription key}"
Response
Response description can be found here.
POST https://validation.api.trustedservices.intel.com/sgx/certification/v4/pckcerts
Retrieve X.509 Provisioning Certification Key (PCK) certificates for SGX-enabled platform for all configured TCB levels based on Platform Manifest and PCE-ID (supports multi-package platforms only).
Request
| Name | Type | Request Type | Required | Pattern | Description |
|---|---|---|---|---|---|
| Ocp-Apim-Subscription-Key | String | Header | False | Subscription key which provides access to this API. It can be found in your Profile. | |
| Content-Type | String | Header | True | Content Type key which is corresponding to body format application/json. | |
| platformManifest | String | Body Field | True | ^[0-9a-fA-F]{16862,112884}$ | Base 16-encoded representation of Platform Manifest. |
| pceid | String | Body Field | True | ^[0-9a-fA-F]{4}$ | Base16-encoded PCE-ID value (2 bytes, little endian) |
Body
{
"platformManifest":"...",
"pceid":"..."
}
Example Request
curl -v -X POST --data '{"platformManifest":"...", "pceid":"..."}' "https://validation.api.trustedservices.intel.com/sgx/certification/v4/pckcerts" -H "Ocp-Apim-Subscription-Key: {subscription key}" -H "Content-Type: application/json"
Response
Response description can be found here.
POST https://validation.api.trustedservices.intel.com/sgx/certification/v4/pckcerts/config
Retrieve X.509 Provisioning Certification Key (PCK) certificates for SGX-enabled platform with a specific configuration reflected in a raw CPUSVN retrieved from the platform (supports multi-package platforms only).
Request
| Name | Type | Request Type | Required | Pattern | Description |
|---|---|---|---|---|---|
| Ocp-Apim-Subscription-Key | String | Header | False | Subscription key which provides access to this API. It can be found in your Profile. | |
| Content-Type | String | Header | True | Content Type key which is corresponding to body format application/json. | |
| platformManifest | String | Body Field | True | ^[0-9a-fA-F]{16862,112884}$ | Base 16-encoded representation of Platform Manifest. |
| cpusvn | String | Body Field | True | ^[0-9a-fA-F]{32}$ | Base16-encoded CPUSVN value (16 bytes, byte array) |
| pceid | String | Body Field | True | ^[0-9a-fA-F]{4}$ | Base16-encoded PCE-ID value (2 bytes, little endian) |
Body
{
"platformManifest":"...",
"cpusvn":"...",
"pceid":"..."
}
Example Request
curl -v -X POST --data '{"platformManifest":"...", "pceid":"...", "cpusvn":"..."}' "https://validation.api.trustedservices.intel.com/sgx/certification/v4/pckcerts/config" -H "Ocp-Apim-Subscription-Key: {subscription key}" -H "Content-Type: application/json"
Response
Model
PckCerts (JSON) - Array of data structures consisting of tcb, tcbm and certificate encoded as JSON string in case of success (200 HTTP status code)
PckCerts:
type: array
description: >-
Array of data structures consisting of tcb, tcbm and certificate
encoded as JSON string in case of success (200 HTTP status code)
items:
type: object
properties:
tcb:
type: object
properties:
sgxtcbcomp01svn:
type: integer
example: 0
minimum: 0
maximum: 255
sgxtcbcomp02svn:
type: integer
example: 0
minimum: 0
maximum: 255
sgxtcbcomp03svn:
type: integer
example: 0
minimum: 0
maximum: 255
sgxtcbcomp04svn:
type: integer
example: 0
minimum: 0
maximum: 255
sgxtcbcomp05svn:
type: integer
example: 0
minimum: 0
maximum: 255
sgxtcbcomp06svn:
type: integer
example: 0
minimum: 0
maximum: 255
sgxtcbcomp07svn:
type: integer
example: 0
minimum: 0
maximum: 255
sgxtcbcomp08svn:
type: integer
example: 0
minimum: 0
maximum: 255
sgxtcbcomp09svn:
type: integer
example: 0
minimum: 0
maximum: 255
sgxtcbcomp10svn:
type: integer
example: 0
minimum: 0
maximum: 255
sgxtcbcomp11svn:
type: integer
example: 0
minimum: 0
maximum: 255
sgxtcbcomp12svn:
type: integer
example: 0
minimum: 0
maximum: 255
sgxtcbcomp13svn:
type: integer
example: 0
minimum: 0
maximum: 255
sgxtcbcomp14svn:
type: integer
example: 0
minimum: 0
maximum: 255
sgxtcbcomp15svn:
type: integer
example: 0
minimum: 0
maximum: 255
sgxtcbcomp16svn:
type: integer
example: 0
minimum: 0
maximum: 255
pcesvn:
type: integer
example: 0
minimum: 0
maximum: 65535
tcbm:
type: string
description: >-
Hex-encoded string representation of concatenation of
CPUSVN (16 bytes) and PCESVN (2 bytes) as returned in
corresponding SGX PCK Certificate
pattern: '^[0-9a-fA-F]{36}$'
example: '000000000000000000000000000000000000'
cert:
type: string
description: >-
URL-encoded SGX PCK Certificate in PEM format for given TCB
or "Not available" string if the certificate is not available for given TCB.
The certificate may not be available for given TCB
in case an updated Platform Manifest for a multi-package platform
has not been provided to the backend after a TCB recovery
(either via direct or indirect registration).
example: >-
-----BEGIN%20CERTIFICATE-----
%0AMIIE8DCCBJagAwIBAgIVAIx6%2FEOyg7ZDHYYaL6Z5iqyMdMpjMAoGCCqGSM49BAMCMHAxIj
AgBgNV%0ABAMMGUludGVsIFNHWCBQQ0sgUGxhdGZvcm0gQ0ExGjAYBgNVBAoMEUludGVsIENvcn
BvcmF0aW9u%0AMRQwEgYDVQQHDAtTYW50YSBDbGFyYTELMAkGA1UECAwCQ0ExCzAJBgNVBAYTAl
VTMB4XDTIwMDcy%0ANzA4NDczOFoXDTI3MDcyNzA4NDczOFowcDEiMCAGA1UEAwwZSW50ZWwgU0
dYIFBDSyBDZXJ0aWZp%0AY2F0ZTEaMBgGA1UECgwRSW50ZWwgQ29ycG9yYXRpb24xFDASBgNVBA
cMC1NhbnRhIENsYXJhMQsw%0ACQYDVQQIDAJDQTELMAkGA1UEBhMCVVMwWTATBgcqhkjOPQIBBg
gqhkjOPQMBBwNCAAQgWNUqMBKh%0Alrouhd5SiIBmTo8N2xPyhz215ho9SqCv00Us%2B6EcxpfH
Xp%2BYAAATDNVqlECXoSIxnOK4RsbY0S%2FL%0Ao4IDCzCCAwcwHwYDVR0jBBgwFoAU7bmCA3Tz
blbsRZSTub7BGnDEPbQwYgYDVR0fBFswWTBXoFWg%0AU4ZRaHR0cHM6Ly9wcmUxMy1ncmVlbi1w
Y3Muc2d4bnAuYWRzZGNzcC5jb20vc2d4L2NlcnRpZmlj%0AYXRpb24vdjEvcGNrY3JsP2NhPXBs
YXRmb3JtMB0GA1UdDgQWBBTbgGt0tP%2BaSI89ptnNDwof4bHa%0ASzAOBgNVHQ8BAf8EBAMCBs
AwDAYDVR0TAQH%2FBAIwADCCAkEGCSqGSIb4TQENAQSCAjIwggIuMB4G%0ACiqGSIb4TQENAQEE
EK4HEak9TrzqF3358MLSuggwggFrBgoqhkiG%2BE0BDQECMIIBWzAQBgsqhkiG%0A%2BE0BDQEC
AQIBADARBgsqhkiG%2BE0BDQECAgICAPAwEAYLKoZIhvhNAQ0BAgMCAXswEAYLKoZIhvhN%0AAQ
0BAgQCAVowEAYLKoZIhvhNAQ0BAgUCAXUwEQYLKoZIhvhNAQ0BAgYCAgDtMBEGCyqGSIb4TQEN%
0AAQIHAgIAiDAQBgsqhkiG%2BE0BDQECCAIBBjARBgsqhkiG%2BE0BDQECCQICAMQwEAYLKoZIh
vhNAQ0B%0AAgoCAWowEAYLKoZIhvhNAQ0BAgsCARwwEAYLKoZIhvhNAQ0BAgwCAXMwEAYLKoZIh
vhNAQ0BAg0C%0AAVIwEQYLKoZIhvhNAQ0BAg4CAgCdMBEGCyqGSIb4TQENAQIPAgIAljARBgsqh
kiG%2BE0BDQECEAIC%0AAJswEQYLKoZIhvhNAQ0BAhECAkztMB8GCyqGSIb4TQENAQISBBAA8Ht
ade2IBsRqHHNSnZabMBAG%0ACiqGSIb4TQENAQMEAgAAMBQGCiqGSIb4TQENAQQEBo%2F8CgIAA
DAPBgoqhkiG%2BE0BDQEFCgEBMB4G%0ACiqGSIb4TQENAQYEEDhymiRlB1pOAOALuVr4fOswRAY
KKoZIhvhNAQ0BBzA2MBAGCyqGSIb4TQEN%0AAQcBAQH%2FMBAGCyqGSIb4TQENAQcCAQH%2FMBA
GCyqGSIb4TQENAQcDAQH%2FMAoGCCqGSM49BAMCA0gA%0AMEUCIQCYzJBFtntwahPzxlDyi1HvP
SNYQM%2F8nT4FedqhSyCzNAIgNCHbVVscxqxLsMeaDhT%2Bsjki%0AT57%2BUJFdNYTUSou15ks
%3D%0A
-----END%20CERTIFICATE-----
Example Response
[
{
"tcb":{
"sgxtcbcomp01svn":0,
"sgxtcbcomp02svn":0,
"sgxtcbcomp03svn":0,
"sgxtcbcomp04svn":0,
"sgxtcbcomp05svn":0,
"sgxtcbcomp06svn":0,
"sgxtcbcomp07svn":0,
"sgxtcbcomp08svn":0,
"sgxtcbcomp09svn":0,
"sgxtcbcomp10svn":0,
"sgxtcbcomp11svn":0,
"sgxtcbcomp12svn":0,
"sgxtcbcomp13svn":0,
"sgxtcbcomp14svn":0,
"sgxtcbcomp15svn":0,
"sgxtcbcomp16svn":0,
"pcesvn":0
},
"tcbm":"000000000000000000000000000000000000",
"cert":"-----BEGIN%20CERTIFICATE-----%0A...%3D%3D%0A-----END%20CERTIFICATE-----"
}
]
Status Codes
| Code | Model | Headers | Description | ||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 200 | PckCerts |
Content-Type - application/json Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) SGX-PCK-Certificate-Issuer-Chain - Issuer Certificate chain for SGX PCK Certificates. It consists of SGX Root CA Certificate and SGX Intermediate CA Certificate (Processor CA, Platform CA). SGX-FMSPC - Hex-encoded string representation of FMSPC (6 bytes). SGX-PCK-Certificate-CA-Type - Type of the SGX Intermediate CA that issued the requested SGX PCK Certificate. One of the following values:
Warning - Optional header which contains warning message, for example information about deprecation of the API |
Operation successful. | ||||||||||||||
| 400 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API Additional details about the error condition that occurred (in the form of specific error code and message) are returned to the client in the response headers: Error-Code and Error-Message (see the definition of response headers for details about the format). The table below defines all the error conditions that may occur:
|
Invalid request parameters. | |||||||||||||||
| 401 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
Failed to authenticate or authorize the request | |||||||||||||||
| 404 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
No PCK Certificate for provided {ppid} and {pceid} cannot be found. | |||||||||||||||
| 429 |
Retry-After - Non-negative decimal integer, indicating how long the user agent should wait before making a follow-up request (in seconds). Warning - Optional header which contains warning message, for example information about deprecation of the API |
Too many requests, limit has been reached. | |||||||||||||||
| 500 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
Internal server error occurred | |||||||||||||||
| 503 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
Server is currently unable to process the request |
Get Revocation List V4
Retrieve X.509 Certificate Revocation List with revoked SGX PCK Certificates. CRL is issued by Intel SGX Processor CA or Platform CA.
GET https://validation.api.trustedservices.intel.com/sgx/certification/v4/pckcrl
Request
| Name | Type | Request Type | Required | Pattern | Description |
|---|---|---|---|---|---|
| ca | String | Query | True | (processor|platform) | Identifier of the CA that issued the requested CRL. Allowed values:
|
| encoding | String | Query | False | (pem|der) | Optional identifier of the encoding for the requested CRL. If the parameter is not provided, PEM encoding is assumed. |
Example Request
curl -v -X GET "https://validation.api.trustedservices.intel.com/sgx/certification/v4/pckcrl?ca={}&encoding={}"
Response
Model
PckCrl (X-PEM-FILE, PKIX-CRL) - PEM or DER-encoded representation of SGX Platform CA CRL or SGX Processor CA CRL in case of success (200 HTTP status code).
Example Response
-----BEGIN X509 CRL-----
...
-----END X509 CRL-----
Status Codes
| Code | Model | Headers | Description |
|---|---|---|---|
| 200 | PckCrl |
Content-Type - The value depends on the encoding of CRL:
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) SGX-PCK-CRL-Issuer-Chain - Issuer Certificate chain for SGX PCK CRL. It consists of SGX Root CA Certificate and SGX Intermediate CA Certificate (Processor CA, Platform CA). Warning - Optional header which contains warning message, for example information about deprecation of the API |
Operation successful. |
| 400 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
Invalid request parameters. | |
| 401 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
Failed to authenticate or authorize the request | |
| 500 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
Internal server error occurred | |
| 503 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
Server is currently unable to process the request |
Get SGX TCB Info V4
Retrieve SGX TCB information for given FMSPC.
Determining the status of a SGX TCB level for a given platform needs to be done using SGX TCB information according to the following algorithm:
- Retrieve FMSPC value from SGX PCK Certificate assigned to a given platform.
- Retrieve SGX TCB Info matching the FMSPC value.
-
Go over the sorted collection of TCB Levels retrieved from TCB Info starting from the first item on the list:
- Compare all of the SGX TCB Comp SVNs retrieved from the SGX PCK Certificate (from 01 to 16) with the corresponding values of SVNs in sgxtcbcomponents array of TCB Level. If all SGX TCB Comp SVNs in the certificate are greater or equal to the corresponding values in TCB Level, go to 3.b, otherwise move to the next item on TCB Levels list. list.
- Compare PCESVN value retrieved from the SGX PCK certificate with the corresponding value in the TCB Level. If it is greater or equal to the value in TCB Level, read status assigned to this TCB level. Otherwise, move to the next item on TCB Levels list.
- If no TCB level matches your SGX PCK Certificate, your TCB Level is not supported.
GET https://validation.api.trustedservices.intel.com/sgx/certification/v4/tcb
Request
| Name | Type | Request Type | Required | Pattern | Description |
|---|---|---|---|---|---|
| fmspc | String | Query | True | ^[0-9a-fA-F]{12}$ | Base16-encoded FMSPC value (6 bytes, byte array) |
| update | String | Query | False | (early|standard) | Type of update to TCB Info If not provided standard is assumed. (commonly the day of public disclosure of the items in scope**) (commonly 12 months after public disclosure of the items in scope**) |
Example Request
curl -v -X GET "https://validation.api.trustedservices.intel.com/sgx/certification/v4/tcb?fmspc={}&update={}"
Example Response
"tcbInfo": {
"id": "SGX",
"version": 3,
"issueDate": "2022-04-13T09:38:17Z",
"nextUpdate": "2022-05-13T09:38:17Z",
"fmspc": "50806F000000",
"pceId": "0000",
"tcbType": 0,
"tcbEvaluationDataNumber": 12,
"tcbLevels": [
{
"tcb": {
"sgxtcbcomponents": [
{
"svn": 1,
"category": "BIOS",
"type": "Early Microcode Update"
},
{
"svn": 1,
"category": "OS/VMM",
"type": "SGX Late Microcode Update"
},
{
"svn": 2,
"category": "OS/VMM",
"type": "TXT SINIT"
},
{
"svn": 2,
"category": "BIOS"
},
{
"svn": 2,
"category": "BIOS"
},
{
"svn": 1,
"category": "BIOS"
},
{
"svn": 0
},
{
"svn": 2,
"category": "OS/VMM",
"type": "SEAMLDR ACM"
},
{
"svn": 0
},
{
"svn": 0
},
{
"svn": 0
},
{
"svn": 0
},
{
"svn": 0
},
{
"svn": 0
},
{
"svn": 0
},
{
"svn": 0
}
],
"pcesvn": 11
},
"tcbDate": "2021-11-10T00:00:00Z",
"tcbStatus": "UpToDate"
},
{
"tcb": {
"sgxtcbcomponents": [
{
"svn": 1,
"category": "BIOS",
"type": "Early Microcode Update"
},
{
"svn": 1,
"category": "OS/VMM",
"type": "SGX Late Microcode Update"
},
{
"svn": 2,
"category": "OS/VMM",
"type": "TXT SINIT"
},
{
"svn": 2,
"category": "BIOS"
},
{
"svn": 2,
"category": "BIOS"
},
{
"svn": 1,
"category": "BIOS"
},
{
"svn": 0
},
{
"svn": 2,
"category": "OS/VMM",
"type": "SEAMLDR ACM"
},
{
"svn": 0
},
{
"svn": 0
},
{
"svn": 0
},
{
"svn": 0
},
{
"svn": 0
},
{
"svn": 0
},
{
"svn": 0
},
{
"svn": 0
}
],
"pcesvn": 5
},
"tcbDate": "2018-01-04T00:00:00Z",
"tcbStatus": "OutOfDate"
}
]
},
"signature": "e9de1198f5b8ce22c626ac4182b92a83ba61693f483a398dc5c2afed65d757cb35cefd7e284cb1f4fbdb9a6e74171fe72bf724050dde5e8d6d93d2339eea3cf2"
}
Response
Model - Appendix A: TCB Info V3
Status Codes
| Code | Model | Headers | Description |
|---|---|---|---|
| 200 | TcbInfoV3 |
Content-Type - application/json Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) TCB-Info-Issuer-Chain - Issuer Certificate chain for SGX TCB Info in PEM format. It consists of SGX TCB Signing Certificate and SGX Root CA Certificate. Warning - Optional header which contains warning message, for example information about deprecation of the API |
Operation successful |
| 400 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
Invalid request parameters. | |
| 401 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
Failed to authenticate or authorize the request | |
| 404 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
TCB information for provided {fmspc} cannot be found. | |
| 500 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
Internal server error occurred | |
| 503 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
Server is currently unable to process the request |
Get TDX TCB Info V4
Retrieve TDX TCB information for given FMSPC.
Determining the status of a TDX TCB level for a given platform needs to be done using TDX TCB information according to the following algorithm:
- Retrieve FMSPC value from SGX PCK Certificate assigned to a given platform.
- Retrieve TDX TCB Info matching the FMSPC value.
-
Go over the sorted collection of TCB Levels retrieved from TCB Info starting from the first item on the list:
- Compare all of the SGX TCB Comp SVNs retrieved from the SGX PCK Certificate (from 01 to 16) with the corresponding values of SVNs in sgxtcbcomponents array of TCB Level. If all SGX TCB Comp SVNs in the certificate are greater or equal to the corresponding values in TCB Level, go to 3.b, otherwise move to the next item on TCB Levels list. list.
- Compare PCESVN value retrieved from the SGX PCK certificate with the corresponding value in the TCB Level. If it is greater or equal to the value in TCB Level, go to 3.c, otherwise move to the next item on TCB Levels list.
- Compare SVNs in TEE TCB SVN array retrieved from TD Report in Quote (from index 0 to 15 if TEE TCB SVN at index 1 is set to 0, or from index 2 to 15 otherwise) with the corresponding values of SVNs in tdxtcbcomponents array of TCB Level. If all TEE TCB SVNs in the TD Report are greater or equal to the corresponding values in TCB Level, read tcbStatus assigned to this TCB level. Otherwise, move to the next item on TCB Levels list.
- If no TCB level matches your SGX PCK Certificate and TD Report, your TCB level is not supported.
- Perform additional TCB status evaluation for TDX module in case TEE TCB SVN at index 1 is greater or equal to 1, otherwise finish the comparison logic. In order to determine TCB status of TDX module, find a matching TDX Module Identity (in tdxModuleIdentities array of TCB Info) with its id set to "TDX_<version>" where <version> matches the value of TEE TCB SVN at index 1. If a matching TDX Module Identity cannot be found, go to step 6, otherwise, for the selected TDX Module Identity go over the sorted collection of TCB Levels starting from the first item on the list and compare its isvsvn value to the TEE TCB SVN at index 0. If TEE TCB SVN at index 0 is greater or equal to its value, read tcbStatus assigned to this TCB level, otherwise move to the next item on TCB levels list.
- If no TCB level matches, the TCB level of TDX Module is not supported.
GET https://validation.api.trustedservices.intel.com/tdx/certification/v4/tcb
Request
| Name | Type | Request Type | Required | Pattern | Description |
|---|---|---|---|---|---|
| fmspc | String | Query | True | ^[0-9a-fA-F]{12}$ | Base16-encoded FMSPC value (6 bytes, byte array) |
| update | String | Query | False | (early|standard) | Type of update to TCB Info If not provided standard is assumed. (commonly the day of public disclosure of the items in scope**) (commonly 12 months after public disclosure of the items in scope**) |
Example Request
curl -v -X GET "https://validation.api.trustedservices.intel.com/tdx/certification/v4/tcb?fmspc={}&update={}"
Example Response
{
"tcbInfo": {
"id": "TDX",
"version": 3,
"issueDate": "2022-04-13T09:37:45Z",
"nextUpdate": "2022-05-13T09:37:45Z",
"fmspc": "50806F000000",
"pceId": "0000",
"tcbType": 0,
"tcbEvaluationDataNumber": 12,
"tdxModule": {
"mrsigner": "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
"attributes": "0000000000000000",
"attributesMask": "FFFFFFFFFFFFFFFF"
},
"tcbLevels": [
{
"tcb": {
"sgxtcbcomponents": [
{
"svn": 1,
"category": "BIOS",
"type": "Early Microcode Update"
},
{
"svn": 1,
"category": "OS/VMM",
"type": "SGX Late Microcode Update"
},
{
"svn": 2,
"category": "OS/VMM",
"type": "TXT SINIT"
},
{
"svn": 2,
"category": "BIOS"
},
{
"svn": 2,
"category": "BIOS"
},
{
"svn": 1,
"category": "BIOS"
},
{
"svn": 0
},
{
"svn": 2,
"category": "OS/VMM",
"type": "SEAMLDR ACM"
},
{
"svn": 0
},
{
"svn": 0
},
{
"svn": 0
},
{
"svn": 0
},
{
"svn": 0
},
{
"svn": 0
},
{
"svn": 0
},
{
"svn": 0
}
],
"pcesvn": 11,
"tdxtcbcomponents": [
{
"svn": 2,
"category": "OS/VMM",
"type": "TDX Module"
},
{
"svn": 0
},
{
"svn": 1,
"category": "OS/VMM",
"type": "TDX Late Microcode Update"
},
{
"svn": 0
},
{
"svn": 0
},
{
"svn": 0
},
{
"svn": 0
},
{
"svn": 0
},
{
"svn": 0
},
{
"svn": 0
},
{
"svn": 0
},
{
"svn": 0
},
{
"svn": 0
},
{
"svn": 0
},
{
"svn": 0
},
{
"svn": 0
}
]
},
"tcbDate": "2021-11-10T00:00:00Z",
"tcbStatus": "UpToDate"
},
{
"tcb": {
"sgxtcbcomponents": [
{
"svn": 1,
"category": "BIOS",
"type": "Early Microcode Update"
},
{
"svn": 1,
"category": "OS/VMM",
"type": "SGX Late Microcode Update"
},
{
"svn": 2,
"category": "OS/VMM",
"type": "TXT SINIT"
},
{
"svn": 2,
"category": "BIOS"
},
{
"svn": 2,
"category": "BIOS"
},
{
"svn": 1,
"category": "BIOS"
},
{
"svn": 0
},
{
"svn": 2,
"category": "OS/VMM",
"type": "SEAMLDR ACM"
},
{
"svn": 0
},
{
"svn": 0
},
{
"svn": 0
},
{
"svn": 0
},
{
"svn": 0
},
{
"svn": 0
},
{
"svn": 0
},
{
"svn": 0
}
],
"pcesvn": 5,
"tdxtcbcomponents": [
{
"svn": 2,
"category": "OS/VMM",
"type": "TDX Module"
},
{
"svn": 0
},
{
"svn": 1,
"category": "OS/VMM",
"type": "TDX Late Microcode Update"
},
{
"svn": 0
},
{
"svn": 0
},
{
"svn": 0
},
{
"svn": 0
},
{
"svn": 0
},
{
"svn": 0
},
{
"svn": 0
},
{
"svn": 0
},
{
"svn": 0
},
{
"svn": 0
},
{
"svn": 0
},
{
"svn": 0
},
{
"svn": 0
}
]
},
"tcbDate": "2018-01-04T00:00:00Z",
"tcbStatus": "OutOfDate"
}
]
},
"signature": "567769750d895be97ef0cb1eb951f1cf78bf0dfbacd8ad50ad3b1a46623cd4827daf69edcb3cbf283c1ab177bf417a4353a0346ba956b38f4816ff739fe935e6"
}
Response
Model - Appendix A: TCB Info V3
Status Codes
| Code | Model | Headers | Description |
|---|---|---|---|
| 200 | TcbInfoV3 |
Content-Type - application/json Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) TCB-Info-Issuer-Chain - Issuer Certificate chain for SGX TCB Info in PEM format. It consists of SGX TCB Signing Certificate and SGX Root CA Certificate. Warning - Optional header which contains warning message, for example information about deprecation of the API |
Operation successful |
| 400 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
Invalid request parameters. | |
| 401 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
Failed to authenticate or authorize the request | |
| 404 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
TCB information for provided {fmspc} cannot be found. | |
| 500 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
Internal server error occurred | |
| 503 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
Server is currently unable to process the request |
Enclave Identity V4
Determining if the identity of a SGX Enclave (represented by SGX Enclave Report) matches a valid, up-to-date Enclave Identity issued by Intel requires following steps:
- Retrieve Enclave Identity(SGX QE, TDX QE, QVE or QAE) from PCS and verify that it is a valid structure issued by Intel.
- Perform the following comparison of SGX Enclave Report against the retrieved Enclave Identity:
- Verify if MRSIGNER field retrieved from SGX Enclave Report is equal to the value of mrsigner field in Enclave Identity.
- Verify if ISVPRODID field retrieved from SGX Enclave Report is equal to the value of isvprodid field in Enclave Identity.
- Apply miscselectMask (binary mask) from Enclave Identity to MISCSELECT field retrieved from SGX Enclave Report. Verify if the outcome (miscselectMask & MISCSELECT) is equal to the value of miscselect field in Enclave Identity.
- Apply attributesMask (binary mask) from Enclave Identity to ATTRIBUTES field retrieved from SGX Enclave Report. Verify if the outcome (attributesMask & ATTRIBUTES) is equal to the value of attributes field in Enclave Identity.
- If any of the checks above fail, the identity of the enclave does not match Enclave Identity published by Intel.
-
Determine a TCB status of the Enclave:
- Retrieve a collection of TCB Levels (sorted by ISVSVNs) from tcbLevels field in Enclave Identity structure.
- Go over the list of TCB Levels (descending order) and find the one that has ISVSVN that is lower or equal to the ISVSVN value from SGX Enclave Report.
- If a TCB level is found, read its status from tcbStatus field, otherwise your TCB Level is not supported.
GET https://validation.api.trustedservices.intel.com/sgx/certification/v4/qe/identity
Request
| Name | Type | Request Type | Required | Pattern | Description |
|---|---|---|---|---|---|
| update | String | Query | False | (early|standard) | Type of update to QE Identity If not provided standard is assumed. (commonly the day of public disclosure of the items in scope**) (commonly 12 months after public disclosure of the items in scope**) |
Example Request
curl -v -X GET "https://validation.api.trustedservices.intel.com/sgx/certification/v4/qe/identity?update={}"
Response
Model - Appendix B: Enclave Identity V2
Status Codes
| Code | Model | Headers | Description |
|---|---|---|---|
| 200 | QEIdentityV2 |
Content-Type - application/json Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) SGX-Enclave-Identity-Issuer-Chain - URL encoded issuer chain for SGX QE Identity in PEM format (all certificates in the chain, appended to each other in the following order: <Signing Certificate><Root CA Certificate>). Warning - Optional header which contains warning message, for example information about deprecation of the API |
Operation successful |
| 400 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
Invalid request parameters. | |
| 401 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
Failed to authenticate or authorize the request | |
| 404 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
QE Identity information cannot be found. | |
| 500 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
Internal server error occurred | |
| 503 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
Server is currently unable to process the request |
Example Response
{
"enclaveIdentity": {
"id": "QE",
"version": 2,
"issueDate": "2022-04-13T10:15:38Z",
"nextUpdate": "2022-05-13T10:15:38Z",
"tcbEvaluationDataNumber": 12,
"miscselect": "00000000",
"miscselectMask": "FFFFFFFF",
"attributes": "11000000000000000000000000000000",
"attributesMask": "FBFFFFFFFFFFFFFF0000000000000000",
"mrsigner": "8C4F5775D796503E96137F77C68A829A0056AC8DED70140B081B094490C57BFF",
"isvprodid": 1,
"tcbLevels": [
{
"tcb": {
"isvsvn": 6
},
"tcbDate": "2021-11-10T00:00:00Z",
"tcbStatus": "UpToDate"
},
{
"tcb": {
"isvsvn": 5
},
"tcbDate": "2020-11-11T00:00:00Z",
"tcbStatus": "OutOfDate"
},
{
"tcb": {
"isvsvn": 4
},
"tcbDate": "2019-11-13T00:00:00Z",
"tcbStatus": "OutOfDate"
},
{
"tcb": {
"isvsvn": 2
},
"tcbDate": "2019-05-15T00:00:00Z",
"tcbStatus": "OutOfDate"
},
{
"tcb": {
"isvsvn": 1
},
"tcbDate": "2018-08-15T00:00:00Z",
"tcbStatus": "OutOfDate"
}
]
},
"signature": "225359b14e870bd81a9e92691cdf5af520883688ec326af0327047a8516e0329c0ba94e1fec24be74f99ca6e7cffb5b46332346edc72e7063096e01340253c06"
}
GET https://validation.api.trustedservices.intel.com/tdx/certification/v4/qe/identity
Request
| Name | Type | Request Type | Required | Pattern | Description |
|---|---|---|---|---|---|
| update | String | Query | False | (early|standard) | Type of update to QE Identity If not provided standard is assumed. (commonly the day of public disclosure of the items in scope**) (commonly 12 months after public disclosure of the items in scope**) |
Example Request
curl -v -X GET "https://validation.api.trustedservices.intel.com/tdx/certification/v4/qe/identity?update={}
Response
Model - Appendix B: Enclave Identity V2
Status Codes
| Code | Model | Headers | Description |
|---|---|---|---|
| 200 | QEIdentityV2 |
Content-Type - application/json Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) SGX-Enclave-Identity-Issuer-Chain - URL encoded issuer chain for TDX QE Identity in PEM format (all certificates in the chain, appended to each other in the following order: <Signing Certificate><Root CA Certificate>). Warning - Optional header which contains warning message, for example information about deprecation of the API |
Operation successful |
| 400 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
Invalid request parameters. | |
| 401 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
Failed to authenticate or authorize the request | |
| 404 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
QE Identity information cannot be found. | |
| 500 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
Internal server error occurred | |
| 503 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
Server is currently unable to process the request |
Example Response
{
"enclaveIdentity": {
"id": "TD_QE",
"version": 2,
"issueDate": "2022-04-13T09:37:47Z",
"nextUpdate": "2022-05-13T09:37:47Z",
"tcbEvaluationDataNumber": 12,
"miscselect": "00000000",
"miscselectMask": "FFFFFFFF",
"attributes": "11000000000000000000000000000000",
"attributesMask": "FBFFFFFFFFFFFFFF0000000000000000",
"mrsigner": "DC9E2A7C6F948F17474E34A7FC43ED030F7C1563F1BABDDF6340C82E0E54A8C5",
"isvprodid": 2,
"tcbLevels": [
{
"tcb": {
"isvsvn": 3
},
"tcbDate": "2021-11-10T00:00:00Z",
"tcbStatus": "UpToDate"
}
]
},
"signature": "9d4d56c41e80cc44df5ec2ad52f309d8364b444f5b83efc48a0c1393afd11c288754ed77b63bce2a7c59c75ae2012606e1d926cf295f3d0b59e1848a8de36efd"
}
GET https://validation.api.trustedservices.intel.com/sgx/certification/v4/qve/identity
Request
| Name | Type | Request Type | Required | Pattern | Description |
|---|---|---|---|---|---|
| update | String | Query | False | (early|standard) | Type of update to QVE Identity If not provided standard is assumed. (commonly the day of public disclosure of the items in scope**) (commonly 12 months after public disclosure of the items in scope**) |
Example Request
curl -v -X GET "https://validation.api.trustedservices.intel.com/sgx/certification/v4/qve/identity?update={}"
Response
Model - Appendix B: Enclave Identity V2
Status Codes
| Code | Model | Headers | Description |
|---|---|---|---|
| 200 | QEIdentityV2 |
Content-Type - application/json Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) SGX-Enclave-Identity-Issuer-Chain - URL encoded issuer chain for SGX QVE Identity in PEM format (all certificates in the chain, appended to each other in the following order: <Signing Certificate><Root CA Certificate>). Warning - Optional header which contains warning message, for example information about deprecation of the API |
Operation successful |
| 400 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
Invalid request parameters. | |
| 401 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
Failed to authenticate or authorize the request | |
| 404 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
QVE Identity information cannot be found. | |
| 500 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
Internal server error occurred | |
| 503 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
Server is currently unable to process the request |
Example Response
{
"enclaveIdentity": {
"id": "QVE",
"version": 2,
"issueDate": "2022-04-13T09:37:47Z",
"nextUpdate": "2022-05-13T09:37:47Z",
"tcbEvaluationDataNumber": 12,
"miscselect": "00000000",
"miscselectMask": "FFFFFFFF",
"attributes": "01000000000000000000000000000000",
"attributesMask": "FBFFFFFFFFFFFFFF0000000000000000",
"mrsigner": "8C4F5775D796503E96137F77C68A829A0056AC8DED70140B081B094490C57BFF",
"isvprodid": 2,
"tcbLevels": [
{
"tcb": {
"isvsvn": 3
},
"tcbDate": "2021-11-10T00:00:00Z",
"tcbStatus": "UpToDate"
}
]
},
"signature": "c9ceffca9079dead55f3b6af405b1093404ec5766dde6f399e2d71485ebd87be9c9b34bcefd7fdba18a1af4610e97597fd4e66e588b1ebb67e890a9657576c2c"
}
GET https://validation.api.trustedservices.intel.com/sgx/certification/v4/qae/identity
Request
| Name | Type | Request Type | Required | Pattern | Description |
|---|---|---|---|---|---|
| update | String | Query | False | (early|standard) | Type of update to QAE Identity If not provided standard is assumed. (commonly the day of public disclosure of the items in scope**) (commonly 12 months after public disclosure of the items in scope**) |
Example Request
curl -v -X GET "https://validation.api.trustedservices.intel.com/sgx/certification/v4/qae/identity?update={}"
Response
Model - Appendix B: Enclave Identity V2
Status Codes
| Code | Model | Headers | Description |
|---|---|---|---|
| 200 | QEIdentityV2 |
Content-Type - application/json Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) SGX-Enclave-Identity-Issuer-Chain - URL encoded issuer chain for SGX QAE Identity in PEM format (all certificates in the chain, appended to each other in the following order: <Signing Certificate><Root CA Certificate>). Warning - Optional header which contains warning message, for example information about deprecation of the API |
Operation successful |
| 400 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
Invalid request parameters. | |
| 401 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
Failed to authenticate or authorize the request | |
| 404 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
QAE Identity information cannot be found. | |
| 500 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
Internal server error occurred | |
| 503 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
Server is currently unable to process the request |
Example Response
{
"enclaveIdentity": {
"id": "QAE",
"version": 2,
"issueDate": "2022-04-13T09:37:47Z",
"nextUpdate": "2022-05-13T09:37:47Z",
"tcbEvaluationDataNumber": 12,
"miscselect": "00000000",
"miscselectMask": "FFFFFFFF",
"attributes": "01000000000000000000000000000000",
"attributesMask": "FBFFFFFFFFFFFFFF0000000000000000",
"mrsigner": "8C4F5775D796503E96137F77C68A829A0056AC8DED70140B081B094490C57BFF",
"isvprodid": 2,
"tcbLevels": [
{
"tcb": {
"isvsvn": 3
},
"tcbDate": "2021-11-10T00:00:00Z",
"tcbStatus": "UpToDate"
}
]
},
"signature": "c9ceffca9079dead55f3b6af405b1093404ec5766dde6f399e2d71485ebd87be9c9b34bcefd7fdba18a1af4610e97597fd4e66e588b1ebb67e890a9657576c2c"
}
Retrieve FMSPCs V4
Retrieve list of FMSPC values for SGX and TDX platforms supporting DCAP attestation.
GET https://validation.api.trustedservices.intel.com/sgx/certification/v4/fmspcs
Request
| Name | Type | Request Type | Required | Description |
|---|---|---|---|---|
| platform | String | Query | False |
Optional identifier of the platform types to query Allowed values:
|
Example Request
curl -v -X GET "https://validation.api.trustedservices.intel.com/sgx/certification/v4/fmspcs?platform={}
Response
Status Codes
| Code | Headers | Description |
|---|---|---|
| 200 |
Content-Type - application/json Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
Operation successful |
| 400 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
Invalid request parameters. |
| 500 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
Internal server error occurred |
| 503 |
Request-ID - Randomly generated identifier for each request (for troubleshooting purposes) Warning - Optional header which contains warning message, for example information about deprecation of the API |
Server is currently unable to process the request |
Example Response
[
{
"fmspc": "AABBCCDD0000",
"platform": "E3"
},
{
"fmspc": "123456780000",
"platform": "E5"
},
{
"fmspc": "876543210000",
"platform": "client"
}
]
Appendix A: TCB Info V3
Response
Model
TcbInfoV3 (JSON) - SGX/TDX TCB Info encoded as JSON string in case of success (200 HTTP status code)
TcbInfoV3:
type: object
description: >-
SGX TCB Info encoded as JSON string in case of success (200 HTTP
status code)
properties:
tcbInfo:
type: object
properties:
id:
type: string
description: Identifier of the TCB Info issued by Intel. Supported values are SGX or TDX.
version:
type: integer
example: 2
description: Version of the structure
issueDate:
type: string
format: date-time
description: >-
Representation of date and time the TCB information
was created. The time shall be in UTC and the
encoding shall be compliant to ISO 8601 standard
(YYYY-MM-DDThh:mm:ssZ)
nextUpdate:
type: string
format: date-time
description: >-
Representation of date and time by which next TCB
information will be issued. The time shall be in UTC
and the encoding shall be compliant to ISO 8601
standard (YYYY-MM-DDThh:mm:ssZ)
fmspc:
type: string
pattern: ^[0-9a-fA-F]{12}$
example: '000000000000'
description: >-
Base 16-encoded string representation of FMSPC
(Family-Model-Stepping-Platform-CustomSKU)
pceId:
type: string
pattern: ^[0-9a-fA-F]{4}$
example: '0000'
description: Base 16-encoded string representation of PCE identifier
tcbType:
type: integer
example: 0
description: >-
Type of TCB level composition that determines TCB
level comparison logic
tcbEvaluationDataNumber:
type: integer
example: 2
description: >-
A monotonically increasing sequence number changed
when Intel updates the content of the TCB evaluation data
set: TCB Info, QE Identity, QVE Identity and QAE Identity. The tcbEvaluationDataNumber
update is synchronized across TCB Info for all flavors of
SGX CPUs (Family-Model-Stepping-Platform-CustomSKU) and QE/QVE/QAE
Identity. This sequence number allows users to easily determine
when a particular TCB Info/QE Identity/QVE Identity/QAE Identity superseedes
another TCB Info/QE Identity/QVE Identity/QAE Identity (value: current
TCB Recovery event number stored in the database).
tdxModule:
type: object
description: >-
This field is optional. It will be present only
in context of TDX TCB Info.
properties:
mrsigner:
type: string
pattern: ^[0-9a-fA-F]{96}$
example: '0000000000000000000000000000000000000000000000000000000000000000'
description: Base 16-encoded string representation of the measurement of a TDX SEAM module's signer.
attributes:
type: string
pattern: ^[0-9a-fA-F]{16}$
example: '0000000000000000'
description: Hex-encoded byte array (8 bytes) representing attributes "golden" value (upon applying mask) for TDX SEAM module.
attributesMask:
type: string
pattern: ^[0-9a-fA-F]{16}$
example: 'FFFFFFFFFFFFFFFF'
description: Hex-encoded byte array (8 bytes) representing mask to be applied to TDX SEAM module's attributes value retrieved from the platform.
tdxModuleIdentities:
type: array
description: >-
This field is optional. It will be present only in context of TDX TCB Info when the platform supports more than one TDX SEAM Module.
items:
type: object
properties:
id:
type: string
description: Identifier of TDX Module
mrsigner:
type: string
pattern: ^[0-9a-fA-F]{96}$
example: '0000000000000000000000000000000000000000000000000000000000000000'
description: Base 16-encoded string representation of the measurement of a TDX SEAM module's signer.
attributes:
type: string
pattern: ^[0-9a-fA-F]{16}$
example: '0000000000000000'
description: Base 16-encoded string representation of the byte array (8 bytes) representing attributes "golden" value (upon applying mask) for TDX SEAM module.
attributesMask:
type: string
pattern: ^[0-9a-fA-F]{16}$
example: 'FFFFFFFFFFFFFFFF'
description: Base 16-encoded string representation of the byte array (8 bytes) representing mask to be applied to TDX SEAM module's attributes value retrieved from the platform.
tcbLevels:
type: array
description: >-
Sorted list of supported TCB levels for given TDX SEAM module encoded as a JSON array of TCB level objects.
items:
type: object
properties:
tcb:
type: object
properties:
isvnsvn:
description: TDX SEAM module's ISV SVN
type: integer
tcbDate:
type: string
format: date-time
description: >-
If there are security advisories published by Intel after tcbDate
that are for issues whose mitigations are currently enforced* by SGX/TDX attestation,
then the value of tcbStatus for the TCB level will not be UpToDate.
Otherwise (i.e., either no advisories after or not currently enforced),
the value of tcbStatus for the TCB level will not be OutOfDate.
The time shall be in UTC and the encoding shall
be compliant to ISO 8601 standard (YYYY-MM-DDThh:mm:ssZ).
tcbStatus:
type: string
enum:
- UpToDate
- OutOfDate
- Revoked
description: >-
TCB level status. One of the following values:
"UpToDate" - TCB level of the TDX SEAM Module is up-to-date.
"OutOfDate" - TCB level of TDX SEAM Module is outdated.
"Revoked" - TCB level of TDX SEAM Module is revoked.
The platform is not trustworthy.
advisoryIDs:
type: array
description: >-
Array of Advisory IDs referring to Intel security advisories that
provide insight into the reason(s) for the value of tcbStatus for
this TCB level when the value is not UpToDate.
This field is optional. It will be present only
if the list of Advisory IDs is not empty.
items:
type: string
tcbLevels:
type: array
description: >-
Sorted list of supported TCB levels for given FMSPC
encoded as a JSON array of TCB level objects
items:
type: object
properties:
tcb:
type: object
properties:
sgxtcbcomponents:
description: >-
Array of 16 SGX TCB Components (as in CPUSVN) encoded as a JSON array of TCB Component objects.
items:
properties:
svn:
type: "integer"
description: SVN of TCB Component. This field is mandatory.
category:
type: "string"
description: Category of TCB Component (e.g. ucode, BIOS, SW). This field is optional and will be present only for selected TCB Components.
type:
type: "string"
description: Type of TCB Component (e.g. Patch@Reset, Late Patch). This field is optional and will be present only for selected TCB Components.
pcesvn:
type: integer
example: 0
minimum: 0
maximum: 65535
tdxtcbcomponents:
description: >-
Array of 16 TDX TCB Components (as in TEE TCB SVN array in TD Report) encoded as a JSON array of TCB Component objects.
This field is optional and only present in TDX TCB Info.
items:
properties:
svn:
type: "integer"
description: SVN of TCB Component. This field is mandatory.
category:
type: "string"
description: Category of TCB Component (e.g. ucode, BIOS, SW). This field is optional and will be present only for selected TCB Components.
type:
type: "string"
description: Type of TCB Component (e.g. Patch@Reset, Late Patch). This field is optional and will be present only for selected TCB Components.
tcbDate:
type: string
format: date-time
description: >-
If there are security advisories published by Intel after tcbDate
that are for issues whose mitigations are currently enforced* by SGX attestation,
then the value of tcbStatus for the TCB level will not be UpToDate.
Otherwise (i.e., either no advisories after or not currently enforced),
the value of tcbStatus for the TCB level will not be OutOfDate.
The time shall be in UTC and the encoding shall
be compliant to ISO 8601 standard (YYYY-MM-DDThh:mm:ssZ).
tcbStatus:
type: string
enum:
- UpToDate
- SWHardeningNeeded
- ConfigurationNeeded
- ConfigurationAndSWHardeningNeeded
- OutOfDate
- OutOfDateConfigurationNeeded
- Revoked
description: >-
TCB level status. One of the following values:
"UpToDate" - TCB level of the SGX platform is up-to-date.
"SWHardeningNeeded" - TCB level of the SGX platform
is up-to-date but due to certain issues affecting the
platform, additional SW Hardening in the attesting
SGX enclaves may be needed.
"ConfigurationNeeded" - TCB level of the SGX platform
is up-to-date but additional configuration of SGX
platform may be needed.
"ConfigurationAndSWHardeningNeeded" - TCB level of the
SGX platform is up-to-date but additional configuration
for the platform and SW Hardening in the attesting SGX
enclaves may be needed.
"OutOfDate" - TCB level of SGX platform is outdated.
"OutOfDateConfigurationNeeded" - TCB level of SGX
platform is outdated and additional configuration
of SGX platform may be needed.
"Revoked" - TCB level of SGX platform is revoked.
The platform is not trustworthy.
advisoryIDs:
type: array
description: >-
Array of Advisory IDs referring to Intel security advisories that
provide insight into the reason(s) for the value of tcbStatus for
this TCB level when the value is not UpToDate.
Note: The value can be different for different
FMSPCs.
This field is optional. It will be present only
if the list of Advisory IDs is not empty.
items:
type: string
signature:
type: string
description: >-
Base 16-encoded string representation of signature calculated over tcbInfo
body without whitespaces using TCB Signing Key
i.e:
{"version":2,"issueDate":"2019-07-30T12:00:00Z","nextUpdate":"2019-08-30T12:00:00Z",...}
Appendix B: Enclave Identity V2
Model
EnclaveIdentityV2 (JSON) - SGX Enclave Identity data structure encoded as JSON string in case of success (200 HTTP status code)
EnclaveIdentityV2:
type: object
description: SGX Enclave Identity data structure encoded as JSON string in case of success
(200 HTTP status code)
properties:
enclaveIdentity:
type: object
properties:
id:
type: string
description: Identifier of the SGX Enclave issued by Intel. Supported values are QE, QVE, QAE and TD_QE
version:
type: integer
example: 2
description: Version of the structure
issueDate:
type: string
format: date-time
description: >-
Representation of date and time the Enclave Identity information
was created. The time shall be in UTC and the encoding shall
be compliant to ISO 8601 standard (YYYY-MM-DDThh:mm:ssZ)
nextUpdate:
type: string
format: date-time
description: >-
Representation of date and time by which next Enclave Identity
information will be issued. The time shall be in
UTC and the encoding shall be compliant to ISO 8601 standard
(YYYY-MM-DDThh:mm:ssZ)
tcbEvaluationDataNumber:
type: integer
example: 2
description: >-
A monotonically increasing sequence number changed
when Intel updates the content of the TCB evaluation data
set: TCB Info, QE Identity, QVE Identity and QAE Identity. The tcbEvaluationDataNumber
update is synchronized across TCB Info for all flavors of
SGX CPUs (Family-Model-Stepping-Platform-CustomSKU) and QE/QVE/QAE
Identity. This sequence number allows users to easily determine
when a particular TCB Info/QE Identity/QVE Identity/QAE Identity superseedes
another TCB Info/QE Identity/QVE Identity/QAE Identity (value: current
TCB Recovery event number stored in the database).
miscselect:
type: string
pattern: ^[0-9a-fA-F]{8}$
example: '00000000'
description: Base 16-encoded string representing miscselect "golden" value (upon applying mask).
miscselectMask:
type: string
pattern: ^[0-9a-fA-F]{8}$
example: '00000000'
description: Base 16-encoded string representing mask to be applied to miscselect value retrieved from the platform.
attributes:
type: string
pattern: ^[0-9a-fA-F]{32}$
example: '00000000000000000000000000000000'
description: Base 16-encoded string representing attributes "golden" value (upon applying mask).
attributesMask:
type: string
pattern: ^[0-9a-fA-F]{32}$
example: '00000000000000000000000000000000'
description: Base 16-encoded string representing mask to be applied to attributes value retrieved from the platform.
mrsigner:
type: string
pattern: ^[0-9a-fA-F]{64}$
example: '0000000000000000000000000000000000000000000000000000000000000000'
description: Base 16-encoded string representing mrsigner hash.
isvprodid:
type: integer
example: 0
minimum: 0
maximum: 65535
description: Enclave Product ID.
tcbLevels:
description: >-
Sorted list of supported Enclave TCB levels for given
QE encoded as a JSON array of Enclave TCB level objects.
type: array
items:
type: object
properties:
tcb:
type: object
properties:
isvsvn:
description: SGX Enclave's ISV SVN
type: integer
tcbDate:
type: string
format: date-time
description: >-
If there are security advisories published by Intel after tcbDate
that are for issues whose mitigations are currently enforced* by SGX attestation,
then the value of tcbStatus for the TCB level will not be UpToDate.
Otherwise (i.e., either no advisories after or not currently enforced),
the value of tcbStatus for the TCB level will not be OutOfDate.
The time shall be in UTC and the encoding shall
be compliant to ISO 8601 standard (YYYY-MM-DDThh:mm:ssZ).
tcbStatus:
type: string
enum:
- UpToDate
- OutOfDate
- Revoked
description: >-
TCB level status. One of the following values:
"UpToDate" - TCB level of the SGX platform is up-to-date.
"OutOfDate" - TCB level of SGX platform is outdated.
"Revoked" - TCB level of SGX platform is revoked.
The platform is not trustworthy.
advisoryIDs:
type: array
description: >-
Array of Advisory IDs referring to Intel security advisories that
provide insight into the reason(s) for the value of tcbStatus for
this TCB level when the value is not UpToDate.
This field is optional. It will be present only
if the list of Advisory IDs is not empty.
items:
type: string
signature:
type: string
description: Hex-encoded string representation of a signature calculated
over qeIdentity body (without whitespaces) using TCB Info Signing Key.
PCK Certificate and CRL Specification
This document specifies the hierarchy and format of X.509 v3 certificates and X.509 v2 Certificate Revocation Lists (CRLs) issued by Intel for Provisioning Certification Keys.
* Enforcement of a mitigation means that 1) the attestation process can tell whether the mitigation is present or not and 2) the attestation result will be different when the mitigation is present than when it's not. Intel offers verifiers and relying parties different enforcement grace periods through use of an "update" (PCS API) parameter. The value of this parameter can be standard (default) or early. Conclusions drawn when using one value of the parameter should not be applied globally, that is, when enforcement occurs depends on which value of the update parameter is used. Here, attestation result refers to the result of the objective assessment of the attestation, the assessment that only considers whether mitigations are present or not. Relying parties are free to also use additional factors, of their choosing, to determine whether to trust the attesting platform. The relying party's "trust decision" may be different than that suggested by the attestation result. For example, in cases where the attestation result is out of date, but only due to mitigations for very low severity issues being absent, the relying party may choose to proceed as though the attesting platform were up to date, accepting all the security risks of doing so.
** Intel will strive to communicate planned deviations from this schedule via email notifications to registered API subscribers.
Intel, the Intel logo and Xeon are trademarks of Intel Corporation or its subsidiaries.