This binary is a thin wrapper around the verify library to check Intel TDX quotes against expectations.
The tool's input is an Intel TDX quote.
The tool's output is an error or "Success".
Usage
./check [options...]
-in
The path to the quote to check. Use "-" to read the quote from stdin.
-inform
The format of the input. One of:
- bin: a raw binary quote.
- proto: a binary-serialized tdx.QuoteV4 message.
- textproto: the tdx.QuoteV4 message in textproto format.
Default value is bin.
-quiet
If set, does not write error messages to stdout. All results are communicated through the exit code alone.
-verbosity
Sets the verbosity of the logger; a higher number means more verbose output. Default value is 0.
-check_crl
Checks whether the PCK certificate and the intermediate certificate of the PCK certificate chain have been revoked, and errors if so. Default false. Requires -get_collateral so that the CRLs are downloaded from the network.
Note: for more details about PCK CRLs, refer to Intel's PCK CRL specification.
-get_collateral
Uses the network to download "collateral" elements:
- CRLs (if -check_crl is set),
- the Intel Quoting Enclave (QE) Identity, and
- TCB info from Intel's PCS.
Default false.
Examples
The following example checks a binary quote, downloads the collateral, checks the quote against that collateral, and checks certificate revocations:
$ ./check -in quote.dat -inform bin -get_collateral -check_crl
Exit code meaning
- 0: Success
- 1: Failure due to tool misuse
- 2: Failure due to quote parsing errors, invalid signatures, certificates or collateral mismatch
- 3: Failure due to an issue with the network or Intel's PCS
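The wrapper script below is an added example and is not part of the go-tdx-guest project or the check tool itself. It runs check exactly as in the example above and dispatches on the exit codes listed here: only exit code 3 (network or Intel PCS trouble) is retried, exit codes 1 and 2 are returned immediately, and anything unexpected fails closed. It assumes the binary is at ./check unless a second argument overrides it; the environment variables CHECK_MAX_ATTEMPTS and CHECK_RETRY_DELAY are knobs introduced by this script, not flags of the tool.

```shell
#!/bin/sh
# Added example, not part of the go-tdx-guest tools: an admission/CI wrapper
# around ./check that dispatches on the documented exit codes.
# Assumptions (hypothetical): the check binary is ./check unless a second
# argument overrides it; CHECK_MAX_ATTEMPTS and CHECK_RETRY_DELAY are
# environment knobs of this script, not flags of the tool.

# verify_quote QUOTE_PATH [CHECK_BIN]
# Returns the tool's final exit code. Only exit code 3 (network / Intel PCS
# failure) is retried; 1 and 2 are returned at once, because retrying a
# misuse or a failed verification cannot turn a bad quote into a good one.
verify_quote() {
  quote="$1"
  check_bin="${2:-./check}"
  max_attempts="${CHECK_MAX_ATTEMPTS:-3}"
  delay="${CHECK_RETRY_DELAY:-2}"
  attempt=1
  while :; do
    # -quiet is deliberately omitted so the tool's own error text reaches the log.
    "$check_bin" -in "$quote" -inform bin -get_collateral -check_crl
    rc=$?
    case $rc in
      0) echo "ACCEPT: $quote verified against Intel collateral and CRLs"
         return 0 ;;
      1) echo "ERROR: tool misuse (bad flag or unreadable path): $quote" >&2
         return 1 ;;
      2) echo "REJECT: $quote failed parsing, signature, certificate or collateral checks" >&2
         return 2 ;;
      3) if [ "$attempt" -ge "$max_attempts" ]; then
           echo "ERROR: network/PCS failure after $attempt attempts: $quote" >&2
           return 3
         fi
         echo "WARN: network/PCS failure (attempt $attempt/$max_attempts), retrying" >&2
         attempt=$((attempt + 1))
         sleep "$delay" ;;
      *) echo "ERROR: unexpected exit code $rc from $check_bin" >&2
         return "$rc" ;;
    esac
  done
}

# Fail closed when used as a script: any non-zero code blocks the workload.
# Usage: sh verify_quote.sh quote.dat [/path/to/check]
if [ $# -gt 0 ]; then
  verify_quote "$@"
fi
```

A plain `if ./check ...; then` would treat a PCS outage (exit 3) and a rejected quote (exit 2) identically, so a flaky network would either block deployments or tempt someone to retry verification failures. Separating the two lets the caller retry only transient collateral-fetch errors while a quote that fails signature, certificate or TCB checks is rejected on the first attempt.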