+Chong Cai

Adding a colleague per his request since he's not subscribed to the list yet.

On Mon, Mar 27, 2023 at 10:36 AM Erdem Aktas <erdemaktas@xxxxxxxxxx> wrote:
>
> On Sat, Mar 25, 2023 at 11:20 PM Kuppuswamy Sathyanarayanan
> <sathyanarayanan.kuppuswamy@xxxxxxxxxxxxxxx> wrote:
> >
> > Hi All,
> >
> > In a TDX guest, the attestation process is used to verify the TDX guest's
> > trustworthiness to other entities before provisioning secrets to the
> > guest.
> >
> > The TDX guest attestation process consists of two steps:
> >
> > 1. TDREPORT generation
> > 2. Quote generation
> >
> > The first step (TDREPORT generation) involves getting the TDX guest
> > measurement data in the format of a TDREPORT, which is further used to
> > validate the authenticity of the TDX guest. The second step involves
> > sending the TDREPORT to a Quoting Enclave (QE) server to generate a
> > remotely verifiable Quote. A TDREPORT by design can only be verified on
> > the local platform. To support remote verification of the TDREPORT,
> > TDX leverages the Intel SGX Quoting Enclave to verify the TDREPORT
> > locally and convert it to a remotely verifiable Quote. Although
> > attestation software can use communication methods like TCP/IP or
> > vsock to send the TDREPORT to the QE, not all platforms support these
> > communication models. So the TDX GHCI specification [1] defines a method
> > for Quote generation via hypercalls. Please check the discussion from
> > Google [2] and Alibaba [3], which clarifies the need for hypercall-based
>
> Thanks Sathyanarayanan for submitting patches again.
>
> I just wanted to reiterate what I said before that having a clean
> TDVMCALL-based interface to get a TDX Quote without any virtio/vsock
> dependency is critical for us to support many use cases.

--
-Dionna Glaze, PhD (she/her)