EAT Profile version 1.0.1. Document version 2.1, 04/10/20245
The Intel Trust Authority EAT Profile contains a complete list of all the claims that can appear in an Intel Trust Authority attestation token. Attestation tokens are issued in JWT format. The claims are derived from industry standards such as JSON Web Token (JWT), Entity Attestation Token (EAT), Remote Attestation Procedures (RATS), and the specific requirements of supported TEEs. Claim descriptions include intended use and for certain claims, the allowable data format and length, and usage tips.
For more information about Intel Trust Authority attestation tokens in general, see https://docs.trustauthority.intel.com/main/articles/concept-attestation-tokens.html.
For more information about the industry standards and technical details of TEEs, see the Resources section at the end of this document.
Note: Unlike v2 token claims, v1 claims are not nested within the “tdx” JSON element.
TPM Claims - pcrs - runtime_measurements - tcg_event_logs
The following claims are included in the JSON Object Signing and Encryption (JOSE) header object that precedes the JWT body. These claims provide information about the encryption algorithm and signing certificate.
Intel Trust Authority uses the PS384 algorithm, which is RSASSA-PSS using SHA-384 and MFG1 with SHA-384. For more information, see JSON Web Algorithms RFC7518 https://datatracker.ietf.org/doc/rfc7518/.
This is the location from which you can retrieve the JSON-encoded public token signing key identified by kid to validate the token signature. In practice, jku is advisory. The recommended best practice is to download the certificates from the Intel Trust Authority well-known URL, and then use kid to locate the key used to sign the token.
Key ID (UUID) for the signing key that is used to sign the token.
Token content type, always “JWT”.
The following claims are reused from JSON Web Token (JWT) RFC7519 https://datatracker.ietf.org/doc/html/rfc7519.
For more information about individual claims, see Section 4, JWT Claims https://datatracker.ietf.org/doc/html/rfc7519#section-4.
The term JWT in the following claim definitions refers to the JWT attestation token issued by Intel Trust Authority.
The exp claim identifies the expiration time on or after which the JWT MUST NOT be accepted for processing.
The jti claim provides a unique identifier (UUID) for the JWT.
The iat claim is the time when the JWT was issued. Intel Trust Authority uses Unix epoch time for timestamps.
The iss claim identifies the principal (“Intel Trust Authority”) that issued the JWT.
The nbf claim identifies the time before which the JWT MUST NOT be accepted for processing.
Entity Attestation Token (EAT) claims are defined in IETF draft-ietf-rats-eat Section 4, The Claims https://datatracker.ietf.org/doc/html/draft-ietf-rats-eat#name-the-claims. The section numbers below refer to the draft-ietf-rats-eat document.
The eat_profile claim is a unique identifier (in this instance, a URL) for the EAT profile used by Intel Trust Authority. For more information, see Section 4.3.2 and Section 6.
The dbgstat claim applies to entity-wide or submodule-wide debug facilities of the entity like JTAG (device testing during manufacture) and diagnostic hardware built into chips. This is an important claim to check because debuggable TEEs are not secure. Never trust debuggable TEEs with secrets. For more information, see Section 4.2.9.
The intuse claim provides an indication to an EAT consumer about the intended usage of the token. The intuse claim is always “generic” for JWT issued by Intel Trust Authority. Generic is the type reserved for security-oriented attestation/appraisal tokens. For more information, see Section 4.3.3.
The following claims apply to Intel® Software Guard Extensions (Intel® SGX) enclaves.
For more information about these claims, see Intel® SGX Data Center Attestation Primitives: ECDSA Quote Library API https://download.01.org/intel-sgx/dcap-1.1/linux/docs/Intel_SGX_ECDSA_QuoteGenReference_DCAP_API_Linux_1.1.pdf.
The sgx_mrenclave contains a 256-bit hash that identifies the code and initial data to be placed inside the enclave, the expected order and position in which they are to be placed, and the security properties of those pages. A change in any of these variables will result in a different MRENCLAVE measurement.
The sgx_mrsigner claim contains a hash of the enclave author’s public key. The MRSIGNER value is part of the enclave’s signature structure (SIGSTRUCT), and serves to uniquely identify the enclave author.
The sgx_isvprodid ISV Product ID of the enclave. It is assigned by the enclave author.
The sgx_isvsvn claim contains the security version number (SVN) of the enclave. The SVN is incremented whenever there’s a security-related change to the enclave.
This claim indicates if the Intel SGX debug attribute is enabled (true) or disabled (false).
WARNING: Debug-enabled enclaves are not secure. The OS and other processes can access a debug-enabled enclave’s memory and resources. A debug enclave must never be trusted with any secret.
The config ID of the Intel SGX report.
This claim contains the contents of the 64-byte report data buffer in the Intel SGX report. This claim can be used to transfer data to a relying party, such as a nonce, hash, or cryptographic key.
Contains the hash value of the Trusted Compute Base (TCB) attestation collateral being used to verify the quote.
These claims apply to Intel® Trust Domain Extensions (Intel® TDX) trust domains (TD). The complete definitions of the claims are available in the section A.3.2 of Intel® Trust Domain Extensions Data Center Attestation Primitives (Intel® TDX DCAP) Quoting Library_API https://download.01.org/intel-sgx/latest/dcap-latest/linux/docs/Intel_TDX_DCAP_Quoting_Library_API.pdf.
The measurement of the Intel TDX module signer, if valid.
The measurement of the Intel TDX module.
The measurement of the initial contents of the TD.
The Intel TDX module SVN. See “SEAMSVN” in section 3.1 of Intel® TDX Loader Interface Specification https://cdrdv2.intel.com/v1/dl/getContent/733584.
The runtime extendable measurement register.
The runtime extendable measurement register.
The runtime extendable measurement register.
The runtime extendable measurement register.
The software-defined ID for TD runtime or OS configuration.
The software-defined ID for the TD’s owner.
The software-defined ID for owner-defined configuration of the TD. That is, configuration specific to the confidential workload, rather than to the TD runtime or OS.
The TD is free to provide 64 bytes of custom data to a TD report. For instance, this space can be used to hold a nonce, a public key, or a hash of a larger block of data.
Additional configuration of the TDX module.
The TD attributes bitmap. This claim contains the entire bitmap. The following claims break out certain specific attributes specified in the bitmap. For more information about the TD Attributes structure and the following attributes claims, see Section A.3.4 in the TDX DCAP Quoting Library API.
Defines whether the TD runs in TD debug mode (set to 1) or not (set to 0). For more information, see section A.3.4 of Intel® TDX DCAP Quoting Library_API.
WARNING: Debug-enabled TDs are NOT secure. In TD debug mode, the CPU state and private memory are accessible by the host VMM.
This claim indicates if the TD is allowed to use Intel® Key Locker hardware resources for AES key protection.
This claim indicates if the TD is allowed to use Perfmon and PERF_METRICS capabilities.
This claim indicates if the TD is allowed to use Supervisor Protection Keys.
This claim indicates if EPT violation conversion to #VE on TD access of PENDING pages is disabled.
Describes the TCB SVNs of TDX. For more information, see Get TDX TCB Info https://api.portal.trustedservices.intel.com/documentation#pcs-tcb-info-tdx-v4.
The tdx_xfam contains an XFAM mask of CPU extended features that the TD is allowed to use. XFAM (eXtended Features Available Mask) is defined as a 64-bit bitmap. For more information, see Section 22.2.2 in the TDX Module 1.0 specification https://cdrdv2.intel.com/v1/dl/getContent/733568.
This claim indicates if the TDX debug attribute is enabled or not.
WARNING: A debug-enabled TD is not secure. When a TD is in debug mode, the hypervisor and other processes can access TD memory and resources.
The tdx_collateral claim contains the hash value of the binary TCB collateral being used to verify the the quote.
The security version number (SVN) of the Intel SGX Provisioning Certification Enclave (PCE). This is a component of the Intel TDX TCB.
Contains an array of security version numbers of Intel SGX TCB components. When the TD root of trust is the Intel SGX quoting enclave and PCE, the Intel SGX SVN components and PCE SVN are part of the TD TCB. These values can be helpful for determining why a TCB returns an OutOfDate status.
TPM claims are available in ITA’s v2 attestation endpoints and presented in a hierarchical nature residing within the “tpm” element. The “tpm” element contains ‘pcrs’, ‘runtime_measurements’ and ‘tcg_event_logs’, each containing additional sub-elements.
The PCR measurements that were included in TPM evidence. The following attributes are available for each PCR claim.
The index of the PCR (0 thru 23).
The hash algorithm used to compute the PCR digest (‘SHA-1’, ‘SHA-256’, ‘SHA-384’ or ‘SHA-512’).
The PCR’s digest/measurement.
An optional array of runtime measurements included in the system’s IMA log. The following attributes are available for each runtime measurement claim.
The numeric index of the PCR in which IMA measurements were extended (0-23).
The hash algorithm of the PCR in which IMA measurements were extended (‘SHA-1’, ‘SHA-256’, ‘SHA-384’ or ‘SHA-512’).
The hex value of the “replayed”, cumulative digest calculated by Intel Trust Authority.
An array of IMA runtime measurements items with the following elements.
The path of the file that was measured by IMA.
The hex value of the file’s measurement.
An optional array of TCG events collected from the system’s UEFI event-log (see “TCG PC Client Platform Firmware Profile Specification” at https://trustedcomputinggroup.org/resource/pc-client-specific-platform-firmware-profile-specification/). The following attributes are available for each TCG event claim.
The numeric index of the PCR in which the event measurement was extended (0-23).
A number that represents the type of the TCG event. For more information, see “Event Types” in section 10.4.1 of the “TCG PC Client Platform Firmware Profile Specification”.
When known, ITA will convert the ‘type’ field to its corresponding string to improve legibility.
The raw event binary data in standard base64 encoding.
When possible (based on well-known event types), ITA will parse the event’s raw binary and produce a JSON element to facilitate policy authoring.
When true, the hash of “event” field’s bytes matches the “digests” fields. In some events (ex. EV_EFI_BOOT_SERVICES_APPLICATION), the digest reflects the measurement of something other than the event’s bytes (ex. a kernel image). This field is provided to policy authors to indicate the level of integrity of the event’s data.
The hash that was extended to the PCR for the event. Each digest has the following attributes.
The hash algorithm used to measure the event’s binary data (‘SHA-1’, ‘SHA-256’, ‘SHA-384’ or ‘SHA-512’).
The measurement of the event’s raw binary data in hex.
The following claims are related to the attester, that is, the confidential process that requested an attestation token. These claims include details about the platform, and allow the attester to transfer data to the relying party via the _data claims.
The TEE type of the attesting platform, currently one of “SGX” or “TDX”.
Array of Advisory IDs referring to Intel security advisories that provide insight into the reason(s) for the value of attester_tcb_status of the platform TCB level being evaluated. To find more information about an Advisory ID (Advisory Number), search the Intel® Product Security Center Advisories page https://www.intel.com/content/www/us/en/security-center/default.html.
TCB level status of the attesting platform. Intel Trust Authority always evalutates TCB status against the latest TCB info from Intel PCS.
Status values: - UpToDate — The attesting platform is
patched with the latest firmware and software and no known security
advisories apply. - SWHardeningNeeded — The platform
firmware and software are at the latest security patching level but
there are vulnerabilties that can only be mitigated by software changes
to the enclave or TD. - ConfigurationNeeded — The platform
firmware and software are at the latest security patching level but
there are platform hardware configurations required to mitgate
vulnerabilities. - ConfigurationAndSWHardeningNeeded — Both
of the above. - OutOfDate — The attesting platform software
and/or firmware is not patched in accordance with the
latest TCB Recovery (TCB-R). - OutOfDateConfigurationNeeded
The attesting platform is not patched in accordance
with the latest TCB-R. Hardware configuration is needed. -
Revoked — The PCK certificate is revoked.
For more information: - Latest TCB Recovery Guidance document: search Intel.com Developer Resources https://www.intel.com/content/www/us/en/developer/topic-technology/overview.html#gs.6t1ftd. - Intel® SGX ECDSA Quote Library API, Section 3.6.2: https://download.01.org/intel-sgx/sgx-dcap/1.5/linux/docs/Intel_SGX_ECDSA_QuoteLibReference_DCAP_API.pdf.
Initialization data in a JSON object literal containing claims that are defined and verified when the enclave is created.
Optional. Runtime_data is optional user data that can be provided along with the quote in an attestation request. The supplied data can be either JSON or binary. If runtime_data is in JSON format, it’s output in this claim. If runtime_data is in binary format, it’s output in the attester_held_data claim.
Optional. If runtime_data or user_data is provided in binary (non-JSON) format, it is output in this claim in base64-encoded format.
Optional. This claim is a JSON type. Currently, this claim is present only if the attester is an Azure TDX VM TD and the client provides optional user data in JSON format.
The attester_runtime_data, attester_held_data, and attester_user_data claims are interrelated. All are optional. These claims are present in the attestation token only if the client provides optional runtime_data with the attestation request. Runtime_data can be provided in JSON or binary format, but due to claims datatype checking performed by Intel Trust Authority, both binary and JSON can’t be output to a single claim. That’s why there are separate claims for attester_runtime_data (JSON object literal) and attester_held_data (base64-encoded binary), depending on the data type of the original data.
An Azure TDX VM is a special case, and the data claims behave
differently than as described above. The Azure TD
attester_runtime_data claim is a pre-defined JSON
object literal that is always present. The
runtime_data.user-data field always contains a SHA512 hash
of the verifier nonce (always) and user data (optional). For that
reason, a new API /appraisal/v1/attest/azure/tdxvm is
provided so that the client can supply optional user_data with the
runtime_data supplied by the Azure TD client. Optional user_data can be
in JSON or binary format. If it’s JSON, it’s output in
attester_user_data. If it’s binary, it’s output in
attester_held_data.
The following claims are specific to Intel Trust Authority.
The nonce fetched from the verifier (Intel Trust Authority) and included in the incoming request. The verifier_nonce claim supports only one nonce.
The verifier_instance_ids claim contains the service IDs of the services involved in the attestation, such as quote verification and policy evaluation. These IDs are used during faithful verification.
The following claims are associated with the policy or policies used during verification.
For more information about Intel Trust Authority policies, see Attestation Policies https://docs.trustauthority.intel.com/main/articles/concept-policies.html.
This claim contains an array of matched policy IDs (UUID) in the appraisal.
This claim contains an array of unmatched policy IDs in the appraisal.
IMPORTANT: By default, Intel Trust Authority issues an attestation token even if one or more appraisal polices are unmatched. You can change this behavior for Intel TEEs by using the policy_must_match option in the attestation request.
The policy_defined_claims claim contains the output of one or more token modification policies. This claim contains the claims defined by the token customization policies.
For more information, see Token customization policies and custom claims in the Intel Trust Authority documentation https://docs.trustauthority.intel.com/main/articles/concept-policies.html#token-customization-policies-and-custom-claims.
Intel Trust Authority supports Google Confidential Space attestation and issues a Google Confidential Space compatible token. For more information about Google Confidential Space token claims, see https://cloud.google.com/confidential-computing/confidential-space/docs/reference/token-claims.
This section contains links to resources that are helpful for understanding the terminology and concepts described in the claims. These resources provide technical details for Intel SGX and Intel TDX attestation, including the specifics of how quotes are collected and the evidence and report data structures.
Remote Attestation Procedures (RATS) Architecture RFC9334: https://datatracker.ietf.org/doc/rfc9334/
JSON Web Token (JWT) RFC7519: https://datatracker.ietf.org/doc/html/rfc7519
Entity Attestation Token (EAT) Draft: https://datatracker.ietf.org/doc/draft-ietf-rats-eat
Intel SGX DCAP Orientation Guide: https://www.intel.com/content/dam/develop/public/us/en/documents/intel-sgx-dcap-ecdsa-orientation.pdf
Intel SGX DCAP ECDSA Quote Library API: https://download.01.org/intel-sgx/dcap-1.1/linux/docs/Intel_SGX_ECDSA_QuoteGenReference_DCAP_API_Linux_1.1.pdf
Intel TDX DCAP Quoting Library API: https://download.01.org/intel-sgx/latest/dcap-latest/linux/docs/Intel_TDX_DCAP_Quoting_Library_API.pdf
Intel TDX Module Specification: https://cdrdv2.intel.com/v1/dl/getContent/733568
Intel TDX CPU Architecture Extensions Specification: https://cdrdv2.intel.com/v1/dl/getContent/733582
Intel® SGX and Intel® TDX Provisioning Certification Service for ECDSA Attestation: https://api.portal.trustedservices.intel.com/documentation#pcs
Intel Trust Authority Documentation: https://docs.trustauthority.intel.com/main/index.html