A minimal TDX remote attestation implementation demonstrating:
- Server runs on genuine Intel TDX hardware
- Application binary verification via hash in TDX quote
- OS/VM integrity via MRTD verification
- Freshness via client-generated nonce
cargo build --release -p server
./target/release/server
# Output:
# =================================================
# TDX Attestation Server
# =================================================
# Listening on http://0.0.0.0:8080
# Endpoints:
# GET /info - Get server and host information
# POST /attest - Generate attestation quote# Basic attestation (no application verification)
cargo build --release -p client
./target/release/client --server http://YOUR_SERVER:8080
# With application verification
# First, calculate expected hash:
sha256sum /usr/bin/curl | awk '{ print $1 }'
# aca992dba6da014cd5baaa739624e68362c8930337f3a547114afdbd708d06a4
./target/release/client \
--server http://YOUR_SERVER:8080 \
--application curl \
--expected-application-hash aca992dba6da014cd5baaa739624e68362c8930337f3a547114afdbd708d06a4
# Verification steps:
# ✓ Server information fetched
# ✓ Nonce generated
# ✓ Attestation received
# ✓ TDX quote parsed
# ✓ Nonce verified (freshness)
# ✓ Application hash verified
# ✓ MRTD verified┌──────────┐ ┌──────────┐
│ Client │ │ Server │
│ │ │ (TDX) │
└────┬─────┘ └────┬─────┘
│ │
│ 1. GET /info │
│────────────────────────────────────────>│
│ │
│<────────────────────────────────────────│
│ { cloud_provider, os_image, mrtd } │
│ │
│ 2. Generate nonce (32 bytes) │
│ │
│ 3. POST /attest │
│ { nonce, application? } │
│────────────────────────────────────────>│
│ │
│ │ 4. Hash application (if requested)
│ │ 5. Build report_data:
│ │ [nonce][app_hash]
│ │ 6. Generate TDX quote
│ │
│<────────────────────────────────────────│
│ { quote_b64 } │
│ │
│ 7. Parse TDX quote │
│ 8. Extract report_data from quote │
│ 9. Verify nonce matches (freshness) │
│ 10. Verify application hash │
│ 11. Verify MRTD against known images │
│ │
└─ ✓ TRUSTED │
report_data [64 bytes]:
[0..32] = nonce (client-generated, prevents replay)
[32..64] = SHA256(application_binary) or zeros
Key Security Property: The client extracts report_data from the cryptographically signed TDX quote, not from server claims. The server cannot lie about what's in the quote.
Returns server and host information.
Response:
{
"cloud_provider": "gcp",
"os_image": "ubuntu-2404-noble-amd64-v20251014",
"mrtd": "a5844e88897b70c318bef929ef4dfd6c7304c52c4bc9c3f39132f0fdccecf3eb5bab70110ee42a12509a31c037288694"
}Generates a TDX attestation quote.
Request:
{
"nonce": "64-character-hex-string",
"application": "curl" // Optional: binary name to verify
}Response:
{
"quote_b64": "base64-encoded-tdx-quote"
}The quote contains the report_data which the client must parse and verify.
| Property | Verification | Trust Anchor |
|---|---|---|
| Hardware | TDX quote signature + PCK certificate chain | Intel (via DCAP) |
| OS Image | MRTD comparison | Cloud provider + known images DB |
| Application Binary | Hash in quote's report_data | TDX hardware measurement |
| Freshness | Nonce in quote's report_data | Client-generated randomness |
✓ Protects against:
- Fake TDX hardware (Intel signature + certificate chain verified via DCAP)
- Wrong OS image (MRTD verification)
- Tampered application binary (hash in TDX quote)
- Replay attacks (nonce verification)
- Server lying about report_data (extracted from signed quote)
⚠ Does NOT protect against:
- Server operator swapping application after attestation
- Malicious server operator with root access (see
SECURITY-ADVANCED.mdfor solutions)
Key Functions:
get_mrtd()- Extracts MRTD usingLinuxTdxProvider::get_launch_measurement()detect_host_info()- Detects cloud provider and OS imagehash_file()- Computes SHA256 of application binarycreate_tdx_quote()- Generates TDX quote via configfs-tsm
Report Data Construction:
let mut report_data = [0u8; 64];
report_data[..32].copy_from_slice(&nonce);
report_data[32..].copy_from_slice(&app_hash); // or zeros if no appKey Functions:
verify_mrtd_against_known_images()- Checks MRTD against database- Uses
tdx-quotecrate to parse TDX quotes and extract report_data
Verification Steps:
- Fetch server info (
/info) - Generate 32-byte nonce
- Request attestation (
/attest) - Parse TDX quote using
tdx_quote::Quote::from_bytes() - Extract report_data from quote using
quote.report_input_data() - Verify nonce matches (bytes 0-32)
- Verify application hash (bytes 32-64) if provided
- Verify MRTD against known images
The client maintains a list of known OS images with their MRTDs in client/src/main.rs:
const KNOWN_OS_IMAGES: &[KnownImage] = &[
KnownImage {
name: "ubuntu-2404-noble-amd64-v20251014",
mrtd: "a5844e88897b70c318bef929ef4dfd6c7304c52c4bc9c3f39132f0fdccecf3eb5bab70110ee42a12509a31c037288694",
description: "Ubuntu 24.04 Noble (2025-10-14) on GCP",
},
];To add a new OS image:
- Deploy and run your TDX server
- Call
/infoendpoint to get the MRTD - Add entry to
KNOWN_OS_IMAGESarray - Recompile client
Implementation: Uses Intel's official dcap-qvl (Quote Verification Library) for complete certificate chain verification.
What it verifies:
- Fetches collateral from Intel PCS (Provisioning Certification Service)
- Verifies PCK certificate chain up to Intel root CA
- Verifies quote signature with attestation key
- Validates TCB (Trusted Computing Base) status
Library: dcap-qvl = "0.3" - Pure Rust implementation supporting both SGX and TDX quotes
Note: Requires network access to Intel PCS during verification. For offline verification, collateral can be cached.
- Protecting against malicious operators: See
SECURITY-ADVANCED.mdfor solutions including:- Sealed Enclave (recommended for high security)
- Multi-Party Computation
- HSM Hybrid approach
- Continuous Re-Attestation