matter-labs · haraldh · Jun 27, 2025 · Jun 25, 2025
@@ -0,0 +1,149 @@
+# teepot-tdx-attest-rs
+
+[![Crates.io](https://img.shields.io/crates/v/teepot-tdx-attest-rs.svg)](https://crates.io/crates/teepot-tdx-attest-rs)
+[![Documentation](https://docs.rs/teepot-tdx-attest-rs/badge.svg)](https://docs.rs/teepot-tdx-attest-rs)
+[![License](https://img.shields.io/crates/l/teepot-tdx-attest-rs.svg)](LICENSE)
+
+Rust bindings for Intel TDX (Trust Domain Extensions) attestation functionality. This crate provides a safe Rust interface to the Intel TDX attestation library, enabling trusted execution environments to generate attestation quotes and reports.
+
+This is a fork of the original [tdx-attest-rs](https://github.com/intel/SGXDataCenterAttestationPrimitives) crate, maintained as part of the [Teepot](https://github.com/matter-labs/teepot) project.
+
+## Features
+
+- Request TDX attestation quotes
+- Generate TDX reports
+- Extend runtime measurement registers (RTMRs)
+- Query supported attestation key IDs
+- Safe Rust wrappers around the Intel TDX attestation C library
+
+## Installation
+
+Add this to your `Cargo.toml`:
+
+```toml
+[dependencies]
+teepot-tdx-attest-rs = "0.1.2"
+```
+
+## Usage
+
+### Generate a TDX Quote
+
+```rust
+use teepot_tdx_attest_rs::*;
+
+// Prepare report data (typically a hash you want to bind to the quote)
+let tdx_report_data = tdx_report_data_t {
+    d: [0; 64], // Your data here
+};
+
+// List of supported attestation key IDs
+let att_key_id_list = [tdx_uuid_t {
+    d: [0; 16], // Your key ID
+}];
+
+let mut att_key_id = tdx_uuid_t {
+    d: [0; 16],
+};
+
+// Request the quote
+let (result, quote) = tdx_att_get_quote(
+    Some(&tdx_report_data),
+    Some(&att_key_id_list),
+    Some(&mut att_key_id),
+    0
+);
+
+match result {
+    tdx_attest_error_t::TDX_ATTEST_SUCCESS => {
+        // Process the quote
+        if let Some(quote_data) = quote {
+            println!("Quote generated successfully, size: {}", quote_data.len());
+        }
+    }
+    _ => {
+        println!("Failed to generate quote: {:?}", result);
+    }
+}
+```
+
+### Generate a TDX Report
+
+```rust
+use teepot_tdx_attest_rs::*;
+
+let tdx_report_data = tdx_report_data_t {
+    d: [0; 64], // Your report data
+};
+
+let mut tdx_report = tdx_report_t {
+    d: [0; 1024],
+};
+
+let result = tdx_att_get_report(Some(&tdx_report_data), &mut tdx_report);
+
+if result == tdx_attest_error_t::TDX_ATTEST_SUCCESS {
+    println!("Report generated successfully");
+}
+```
+
+### Extend RTMR
+
+```rust
+use teepot_tdx_attest_rs::*;
+
+// Prepare RTMR event data
+let rtmr_event = vec![0u8; 68]; // Your event data
+
+let result = tdx_att_extend(&rtmr_event);
+
+if result == tdx_attest_error_t::TDX_ATTEST_SUCCESS {
+    println!("RTMR extended successfully");
+}
+```
+
+### Get Supported Attestation Key IDs
+
+```rust
+use teepot_tdx_attest_rs::*;
+
+let (result, att_key_ids) = tdx_att_get_supported_att_key_ids();
+
+if result == tdx_attest_error_t::TDX_ATTEST_SUCCESS {
+    if let Some(ids) = att_key_ids {
+        println!("Found {} supported attestation key IDs", ids.len());
+    }
+}
+```
+
+## Error Handling
+
+The crate uses the `tdx_attest_error_t` enum for error reporting. Common error values include:
+
+- `TDX_ATTEST_SUCCESS` - Operation completed successfully
+- `TDX_ATTEST_ERROR_INVALID_PARAMETER` - Invalid parameter provided
+- `TDX_ATTEST_ERROR_DEVICE_FAILURE` - Failed to access TDX attestation device
+- `TDX_ATTEST_ERROR_OUT_OF_MEMORY` - Memory allocation failure
+- `TDX_ATTEST_ERROR_UNSUPPORTED_ATT_KEY_ID` - Unsupported attestation key ID
+
+## Requirements
+
+- Intel TDX-enabled hardware
+- TDX attestation runtime environment
+- The `teepot-tdx-attest-sys` crate (automatically included as a dependency)
+
+## Safety
+
+This crate provides safe Rust wrappers around unsafe FFI calls to the Intel TDX attestation library. All pointer operations are handled internally, and the API uses Rust's type system to ensure safety.
+
+## License
+
+This project is licensed under the BSD-3-Clause License - see the [License.txt](License.txt) file for details.
+
+## Contributing
+
+This is a fork maintained as part of the Teepot project. For contributions, please visit the [Teepot repository](https://github.com/matter-labs/teepot).
+
+## Original Work
+
+This crate is based on Intel's SGX Data Center Attestation Primitives. The original source can be found at [Intel's repository](https://github.com/intel/SGXDataCenterAttestationPrimitives).
@@ -0,0 +1,46 @@
+# teepot-tdx-attest-sys
+
+[![Crates.io](https://img.shields.io/crates/v/teepot-tdx-attest-sys.svg)](https://crates.io/crates/teepot-tdx-attest-sys)
+[![Documentation](https://docs.rs/teepot-tdx-attest-sys/badge.svg)](https://docs.rs/teepot-tdx-attest-sys)
+[![License](https://img.shields.io/crates/l/teepot-tdx-attest-sys.svg)](https://github.com/matter-labs/teepot/blob/main/crates/teepot-tdx-attest-sys/License.txt)
+
+Raw FFI bindings to Intel TDX Attestation Library (`libtdx_attest`).
+
+This crate provides low-level FFI bindings for Intel Trust Domain Extensions (TDX) attestation functionality. It is a fork of the original [tdx-attest-sys](https://github.com/intel/SGXDataCenterAttestationPrimitives) crate from Intel's SGX Data Center Attestation Primitives.
+
+## Prerequisites
+
+Before using this crate, you need to install:
+
+- Intel® SGX DCAP Driver
+- Intel® SGX SDK
+- Intel® SGX DCAP Packages
+- Intel® SGX DCAP PCCS (Provisioning Certificate Caching Service)
+
+Please refer to the [SGX DCAP Linux installation guide](https://download.01.org/intel-sgx/latest/dcap-latest/linux/docs/Intel_SGX_SW_Installation_Guide_for_Linux.pdf) for detailed installation instructions.
+
+## Usage
+
+Add this to your `Cargo.toml`:
+
+```toml
+[dependencies]
+teepot-tdx-attest-sys = "0.1.0"
+```
+
+This crate provides raw FFI bindings. For a more ergonomic Rust API, consider using a higher-level wrapper crate.
+
+## Building
+
+The crate uses `bindgen` to generate Rust bindings from the C headers during build time. Make sure you have:
+
+- The TDX attestation library (`libtdx_attest`) installed on your system
+- If using Intel SGX SDK, set the `SGX_SDK` environment variable to point to your SDK installation
+
+## License
+
+This project is licensed under the BSD-3-Clause License. See the [License.txt](License.txt) file for details.
+
+## Repository
+
+This crate is part of the [Teepot](https://github.com/matter-labs/teepot) project.
@@ -0,0 +1,182 @@
+# teepot-tee-quote-verification-rs
+
+[![Crates.io](https://img.shields.io/crates/v/teepot-tee-quote-verification-rs.svg)](https://crates.io/crates/teepot-tee-quote-verification-rs)
+[![Documentation](https://docs.rs/teepot-tee-quote-verification-rs/badge.svg)](https://docs.rs/teepot-tee-quote-verification-rs)
+[![License](https://img.shields.io/crates/l/teepot-tee-quote-verification-rs.svg)](https://github.com/matter-labs/teepot/blob/main/LICENSE)
+
+A Rust wrapper for Intel® Software Guard Extensions (SGX) and Trust Domain Extensions (TDX) quote verification.
+
+This crate is a fork of the original [intel-tee-quote-verification-rs](https://github.com/intel/SGXDataCenterAttestationPrimitives) crate, providing safe Rust bindings for the Intel Quote Verification Library (QVL).
+
+## Features
+
+- Safe Rust wrappers for SGX and TDX quote verification APIs
+- Support for both SGX ECDSA and TDX ECDSA quote verification
+- Collateral management for quote verification
+- Supplemental data handling
+- Cross-platform support (Linux x86_64)
+
+## Usage
+
+Add this to your `Cargo.toml`:
+
+```toml
+[dependencies]
+teepot-tee-quote-verification-rs = "0.6.0"
+```
+
+### Example: Verify an SGX Quote
+
+```rust
+use teepot_tee_quote_verification_rs::*;
+
+fn verify_sgx_quote(quote: &[u8]) -> Result<(), quote3_error_t> {
+    // Get collateral for the quote
+    let collateral = tee_qv_get_collateral(quote)?;
+
+    // Get supplemental data size
+    let supp_data_size = sgx_qv_get_quote_supplemental_data_size()?;
+    let mut supp_data = sgx_ql_qv_supplemental_t::default();
+
+    // Verify the quote
+    let current_time = std::time::SystemTime::now()
+        .duration_since(std::time::UNIX_EPOCH)
+        .unwrap()
+        .as_secs() as i64;
+
+    let (expiration_status, verification_result) = sgx_qv_verify_quote(
+        quote,
+        Some(&collateral),
+        current_time,
+        None, // QvE report info (None for host-based verification)
+        supp_data_size,
+        Some(&mut supp_data),
+    )?;
+
+    match verification_result {
+        sgx_ql_qv_result_t::SGX_QL_QV_RESULT_OK => {
+            println!("Quote verification passed!");
+            Ok(())
+        }
+        _ => {
+            println!("Quote verification failed: {:?}", verification_result);
+            Err(quote3_error_t::SGX_QL_ERROR_INVALID_PARAMETER)
+        }
+    }
+}
+```
+
+### Example: Verify a TDX Quote
+
+```rust
+use teepot_tee_quote_verification_rs::*;
+
+fn verify_tdx_quote(quote: &[u8]) -> Result<(), quote3_error_t> {
+    // Get collateral for the quote
+    let collateral = tee_qv_get_collateral(quote)?;
+
+    // Get supplemental data size
+    let supp_data_size = tdx_qv_get_quote_supplemental_data_size()?;
+    let mut supp_data = sgx_ql_qv_supplemental_t::default();
+
+    // Verify the quote
+    let current_time = std::time::SystemTime::now()
+        .duration_since(std::time::UNIX_EPOCH)
+        .unwrap()
+        .as_secs() as i64;
+
+    let (expiration_status, verification_result) = tdx_qv_verify_quote(
+        quote,
+        Some(&collateral),
+        current_time,
+        None, // QvE report info
+        supp_data_size,
+        Some(&mut supp_data),
+    )?;
+
+    match verification_result {
+        sgx_ql_qv_result_t::SGX_QL_QV_RESULT_OK => {
+            println!("TDX quote verification passed!");
+            Ok(())
+        }
+        _ => {
+            println!("TDX quote verification failed: {:?}", verification_result);
+            Err(quote3_error_t::SGX_QL_ERROR_INVALID_PARAMETER)
+        }
+    }
+}
+```
+
+### Unified TEE Quote Verification
+
+For a unified interface that works with both SGX and TDX quotes:
+
+```rust
+use teepot_tee_quote_verification_rs::*;
+
+fn verify_tee_quote(quote: &[u8]) -> Result<(), quote3_error_t> {
+    // Get collateral
+    let collateral = tee_qv_get_collateral(quote)?;
+
+    // Get supplemental data version and size
+    let (version, data_size) = tee_get_supplemental_data_version_and_size(quote)?;
+
+    // Prepare supplemental data descriptor
+    let mut supp_data_desc = tee_supp_data_descriptor_t {
+        major_version: version,
+        data_size,
+        p_data: std::ptr::null_mut(),
+    };
+
+    // Allocate buffer for supplemental data if needed
+    let mut supp_data_buffer = vec![0u8; data_size as usize];
+    if data_size > 0 {
+        supp_data_desc.p_data = supp_data_buffer.as_mut_ptr();
+    }
+
+    // Verify quote
+    let current_time = std::time::SystemTime::now()
+        .duration_since(std::time::UNIX_EPOCH)
+        .unwrap()
+        .as_secs() as i64;
+
+    let (expiration_status, verification_result) = tee_verify_quote(
+        quote,
+        Some(&collateral),
+        current_time,
+        None,
+        Some(&mut supp_data_desc),
+    )?;
+
+    println!("Verification result: {:?}", verification_result);
+    println!("Collateral expiration status: {}", expiration_status);
+
+    Ok(())
+}
+```
+
+## Platform Support
+
+This crate is currently supported on:
+- Linux x86_64
+
+On other platforms, the crate will compile but provide stub implementations.
+
+## Dependencies
+
+On Linux x86_64, this crate depends on:
+- `intel-tee-quote-verification-sys`: System bindings for Intel QVL
+- `teepot-tdx-attest-rs`: TDX attestation support
+
+## License
+
+This project is licensed under the BSD-3-Clause License. See the [LICENSE](https://github.com/matter-labs/teepot/blob/main/LICENSE) file for details.
+
+## Contributing
+
+Contributions are welcome! Please feel free to submit a Pull Request to the [Teepot repository](https://github.com/matter-labs/teepot).
+
+## Related Crates
+
+- [intel-tee-quote-verification-rs](https://github.com/intel/SGXDataCenterAttestationPrimitives) - The original Intel crate
+- [teepot-tdx-attest-rs](https://crates.io/crates/teepot-tdx-attest-rs) - TDX attestation support