Intel® Trust Authority TDX CLI
An easy-to-use command line interface for attesting TDX TEE(TD) with Intel Trust Authority. The CLI will be installed and run inside the TD.
Prerequisites
The default TDX CLI has dependency on Intel SGX DCAP. Install TDX Attestation library dev package from Intel SGX DCAP. Instructions follows.
For Ubuntu* OS
Install the Debian package for libtdx-attest-dev
following these steps:
- Add the following repository to your sources:
- For Ubuntu* 20.04:
echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main' | sudo tee /etc/apt/sources.list.d/intel-sgx.list
- For Ubuntu* 22.04:
echo 'deb [signed-by=/etc/apt/keyrings/intel-sgx-keyring.asc arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu jammy main' | sudo tee /etc/apt/sources.list.d/intel-sgx.list
- Get the Debian repo public key and add it to the list of trusted keys that are used by apt to authenticate packages:
- For Ubuntu* 20.04:
wget -qO - https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | sudo apt-key add
- For Ubuntu* 22.04:
wget https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key
cat intel-sgx-deb.key | sudo tee /etc/apt/keyrings/intel-sgx-keyring.asc > /dev/null
- Update apt and install the libtdx-attest-dev package:
sudo apt-get update
sudo apt-get install libtdx-attest-dev
For RHEL* OS
Install the RPM package for libtdx-attest-devel
following these steps:
- Find RPM packages for DCAP libraries and services, which are currently provided in a single TAR archive at
https://download.01.org/intel-sgx/latest/linux-latest/distro/<distro>/
- Download the file
sgx_rpm_local_repo.tgz
to a selected folder, for example /opt/intel
cd /opt/intel
sudo wget https://download.01.org/intel-sgx/latest/linux-latest/distro/<distro>/sgx_rpm_local_repo.tgz
- Verify the downloaded repo file with the SHA value in this file:
https://download.01.org/intel-sgx/latest/dcap-latest/linux/SHA256SUM_dcap_.cfg
sha256sum sgx_rpm_local_repo.tgz
- Expand the archive:
sudo tar xvf sgx_rpm_local_repo.tgz
- Add the RPM local repository to your local repository list
sudo yum-config-manager --add-repo file://PATH_TO_LOCAL_REPO
- Install all the latest packages using
sudo dnf --nogpgcheck install <package names>
sudo dnf --nogpgcheck install libtdx-attest-devel
Go Requirement
Use go1.19 or newer. Follow https://go.dev/doc/install for installation of Go.
Installation
Build
Compile Intel Trust Authority TDX CLI. This will generate trustauthority-cli
binary in current directory:
cd tdx-cli/
make cli
Unit Tests
To run the tests, run cd tdx-cli && make test-coverage
See the example test in tdx-cli/token_test.go
for an example of a test.
Usage
To get list of all the available commands
trustauthority-cli --help
More info about a specific command can be found using
trustauthority-cli <command> --help
To create RSA keypair
trustauthority-cli create-key-pair --pub-path <public key file path>
To get Intel Trust Authority signed token
token
command requires Intel Trust Authority configuration to be passed in json format
{
"trustauthority_api_url": "<trustauthority attestation api url>",
"trustauthority_api_key": "<trustauthority attestation api key>"
}
Save this data in config.json file and invoke token
command
trustauthority-cli token --config config.json --user-data <base64 encoded userdata> --policy-ids <comma separated trustauthority attestation policy ids>
OR
trustauthority-cli token --config config.json --pub-path <public key file path> --policy-ids <comma separated trustauthority attestation policy ids>
To get TD quote with Nonce and UserData
trustauthority-cli quote --nonce <base64 encoded nonce> --user-data <base64 encoded userdata>
To decrypt an encrypted blob
trustauthority-cli decrypt --key-path <private key file path> --in <base64 encoded encrypted blob>
OR
trustauthority-cli decrypt --key <base64 encoded private key> --in <base64 encoded encrypted blob>
To verify Intel Trust Authority signed token
verify
command requires Intel Trust Authority URL to be passed in json format
{
"trustauthority_url": "<trustauthority url>"
}
Save this data in config.json file and invoke verify
command
trustauthority-cli verify --config config.json --token <attestation token in JWT format>
License
This source is distributed under the BSD-style license found in the LICENSE
file.