Skip to content

as: ear: tdx policy updates #1224

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
mythi wants to merge 3 commits into
base: main
Choose a base branch
from
Draft

as: ear: tdx policy updates #1224

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
35d13be
as: policy: drop TDX Module detailed checks from default_cpu
mythi Mar 13, 2026
7e49945
as: policy: check tcb_status in az_tdx_vtpm
mythi Mar 13, 2026
9be4da2
as: policy: add TDX example about tcb_date
mythi Mar 13, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
28 changes: 22 additions & 6 deletions attestation-service/src/ear_token/ear_default_policy_cpu.rego
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -174,14 +174,27 @@ hardware := 2 if {
input.tdx.quote.header.tee_type == "81000000"
input.tdx.quote.header.vendor_id == "939a7233f79c4ca9940a0db3957f0607"

# Check TDX Module version and its hash. Also check OVMF code hash.
input.tdx.quote.body.mr_seam in query_reference_value("mr_seam")
input.tdx.quote.body.tcb_svn in query_reference_value("tcb_svn")
# Check OVMF code hash.
input.tdx.quote.body.mr_td in query_reference_value("mr_td")

# Check TCB status
input.tdx.tcb_status == "UpToDate"

# Check minimum TCB date
# An alternative check to tcb_status is to define a minimum acceptable
# TCB date. TCB dates are associated with TCB Recovery events to which
# the platforms are certified.
#
# Available TCB dates can be checked using:
# curl -s https://api.trustedservices.intel.com/tdx/certification/v4/tcbevaluationdatanumbers | jq
#
# Example: in some cases, "OutOfDate" tcb_status can be accepted as long as
# the tcb_date is not older than a given date from a past TCB Recovery event:
# min_tcb_date := "2025-08-13T00:00:00Z"
# attester_tcb_date_ns := time.parse_rfc3339_ns(input.tdx.tcb_date)
# min_tcb_date_ns := time.parse_rfc3339_ns(min_tcb_date)
# attester_tcb_date_ns >= min_tcb_date_ns

# Check collateral expiration status
input.tdx.collateral_expiration_status == "0"
# Check against allowed advisory ids
Expand Down Expand Up @@ -269,10 +282,13 @@ hardware := 2 if {
input.az_tdx_vtpm.quote.header.tee_type == "81000000"
input.az_tdx_vtpm.quote.header.vendor_id == "939a7233f79c4ca9940a0db3957f0607"

# Check TDX Module version and its hash. Also check OVMF code hash.
input.az_tdx_vtpm.quote.body.mr_seam in query_reference_value("mr_seam")
input.az_tdx_vtpm.quote.body.tcb_svn in query_reference_value("tcb_svn")
# Check OVMF code hash.
input.az_tdx_vtpm.quote.body.mr_td in query_reference_value("mr_td")

# Check TCB status
input.az_tdx_vtpm.tcb_status == "UpToDate"

# Check minimum TCB date (See TDX section for details.)
}

configuration := 2 if {
Expand Down
Loading