On Tue, 2022-09-13 at 18:23 -0700, Sathyanarayanan Kuppuswamy wrote:
> Attestation is used to verify the TDX guest trustworthiness to other
> entities before provisioning secrets to the guest. For example, a key
> server may request attestation quote before releasing the encryption
> keys to mount the encrypted rootfs or secondary drive.

I would replace "may request attestation quote" with "may want to use
attestation to verify the guest is the desired one". The "quote" was
never mentioned before here, so it's -EPARSE. Also, getting the quote is
not the purpose; the purpose is to get it verified by a verification
service.

>
> The TDX module records the state of the TDX guest in various stages of
> the guest boot process using build time measurement register (MRTD) and
> runtime measurement registers (RTMR). Measurements related to guest
> initial configuration and firmware image are recorded in the MRTD
> register. Measurements related to initial state, kernel image, firmware
> image, command line options, initrd, ACPI tables, etc are recorded in
> RTMR registers. For more details, please refer to TDX Virtual Firmware
> design specification, sec titled "TD Measurement". At TDX guest runtime,
> the attestation process is used to attest to these measurements.

I would like to point out that "TDVF is just an example". TDVF can be
replaced with other BIOS, theoretically (especially if you consider the
container case in the future), so all things in TDVF can only just be an
"example". I don't like the idea to bind TDX architecture with TDVF.

How about: "For more details as an example, please refer to TDX Virtual
Firmware ...".

Otherwise looks good. You can have my Ack anyway:

Acked-by: Kai Huang <kai.huang@xxxxxxxxx>