· 07/03/2025 ·
Trust Domain Integrity Overview
Trust Domain Integrity (TD Integrity) is a feature of Intel Trust Authority that helps you verify the security posture of a Trust Domain (TD) running on Intel Xeon processors with Intel TDX. TD Integrity extends the chain of trust from the TDX hardware root of trust (HRoT) to the TD's BIOS and kernel, so that a TD booted with an unexpected BIOS or kernel is detected at attestation time instead of being trusted by default. This provides a consistent and trusted environment for confidential workloads. TD Integrity works with cloud-based CVMs supported by Intel Trust Authority, currently Microsoft Azure and Google Cloud Platform CVMs.
What is a Trust Domain?
A Trust Domain (TD) is a virtual machine (VM) whose memory and CPU state are protected from the underlying host (hypervisor and host OS) using hardware isolation and memory encryption; Intel TDX provides this isolation. Some components of TD integrity (the immutable TCB) are validated by comparison with Intel Provisioning Certificate Service (PCS) collaterals. Other components, such as the kernel and BIOS/UEFI, are mutable and must be measured at boot and verified against "known-good" or "golden" reference measurements.
The mutable and measurable portions of the TD "chain of trust" vary by cloud platform. The platform differences and methods of establishing cloud-based TD integrity are explained below in Cloud-Specific Chains of Trust.
How it works
The diagram below summarizes how TD Integrity leverages Intel Trust Authority to extend the chain of trust to a TD's BIOS and kernel.
Key Points:
- TD Integrity requires BIOS/kernel reference values (i.e., golden measurements) that are used during remote attestation and appraisal. See TD Integrity Reference Values below.
- Those reference values must be included in your appraisal policy and deployed to Intel Trust Authority. See TD Integrity Policy Creation below.
- At attestation time, evidence must be collected from the TD and remotely attested by Intel Trust Authority. This document uses the Attestation Client CLI to illustrate that process. Refer to Client Integration Reference for information on how to integrate the Attestation Client CLI into your workloads.
- Intel Trust Authority verifies the integrity of the evidence, performs policy appraisal and returns signed appraisal results that include information describing the security posture of the TD (which relying parties can use to release secrets, for auditing, etc.).
Cloud-Specific Chains of Trust
TD Integrity extends the chain of trust across Azure and GCP by cryptographically verifying evidence (attestation) and comparing it against known-good reference values (appraisal). This section provides background on evidence collection and remote attestation to clarify how TD Integrity establishes a chain of trust on these different cloud providers.
Azure
Azure exposes Intel TDX quotes and boot event logs via Paravisor and vTPM. The diagram and table below summarize evidence collection and the cryptographic chain of trust established by TD Integrity.
Component | Evidence Source | Verification |
---|---|---|
Intel TDX | Collected from Paravisor vTPM. | Intel Trust Authority verifies TDX quotes (HRoT) against Intel PCS collaterals, ensuring the TD is running in a valid/encrypted TEE. |
vTPM | Signed vTPM quotes and PCRs. | Intel Trust Authority verifies vTPM quotes against the Paravisor-provisioned attestation key (AK) that is included in the TDX runtime data. |
Virtual BIOS | TDX quotes | TD Integrity compares the TDX MRTD measurement against a list of known-good reference values provided in rego appraisal policies. |
Secure Boot | Event Logs | Intel Trust Authority verifies (replays) the native, vTPM event logs and the status of secure-boot is extracted by TD Integrity. |
Kernel | Event Logs | Intel Trust Authority verifies (replays) the native, vTPM event logs and TD Integrity compares kernel measurements against a list of known-good reference values provided in rego appraisal policies. |
GCP
GCP exposes Intel TDX quotes via "configfs" and boot event logs via "confidential computing event logs" (CCEL) that are extended to TDX RTMRs. The diagram and table below summarize evidence collection and the cryptographic chain of trust established by TD Integrity.
Component | Evidence Source | Verification |
---|---|---|
Intel TDX | Collected via "configfs". | Intel Trust Authority verifies TDX quotes (HRoT) against Intel PCS collaterals, ensuring the TD is running in a valid/encrypted TEE. |
Virtual BIOS | TDX quotes | TD Integrity compares the TDX MRTD measurement against a list of known-good reference values provided in rego appraisal policies. |
Secure Boot | Event Logs | Intel Trust Authority verifies (replays) the CCEL event logs against TDX RTMRs and the status of secure-boot is extracted by TD Integrity. |
Kernel | Event Logs | Intel Trust Authority verifies (replays) the CCEL event logs against TDX RTMRs and TD Integrity compares kernel measurements against a list of known-good reference values provided in rego appraisal policies. |
TD Integrity Reference Values
To establish a chain of trust, your appraisal policy requires reference values that TD Integrity compares against BIOS and kernel measurements. These golden measurements must be included in a user-defined rego policy and deployed to Intel Trust Authority (via the portal, REST API, or Tenant CLI). See Attestation Policies for more details about appraisal policies and their deployment.
TD Integrity supports two options for extending the chain of trust to the kernel:
Option | Required Reference Values | Description |
---|---|---|
BIOS & Secure Boot | MRTDs | MRTD reference values are used to verify the TD's virtual BIOS. When "enabled", secure boot verifies the signature of the loaded kernel image. |
BIOS & Measured Boot | MRTDs, kernel digests | MRTD reference values are used to verify the TD's virtual BIOS. The policy's kernel reference value is compared against the kernel measurement extracted from the event logs. |
At a minimum, TD Integrity requires one MRTD reference value in your appraisal policy. There are two ways to obtain reference values:
- You collect reference values from known-good CVMs by using the Intel Trust Authority CLI. For more information and instructions for how to collect your own reference measurements, see the trustauthority-td-integrity repo.
- For GCP CVMs only, you can import GCP Reference Integrity Measurements (RIM) catalog values. GCP RIM measurements are provided by Google. For more information, see GCP RIM Service.
Kernel measurements for measured boot are not provided by cloud service providers and must be collected manually (see trustauthority-td-integrity).
TD Integrity Policy Creation
Once reference values have been collected, they must be passed to the TD Integrity catalog policy in the `intel.ita.tdi` rego namespace from a user-defined attestation policy. For more general information about creating policies in Intel Trust Authority, see Attestation policies.
The following rego example shows the options for input reference values. At a minimum, your policy must contain at least one `mrtds` key/value pair. `kernel_digests` are optional if a secure boot status of "enabled" is deemed sufficient (as in the example below).
```rego
import rego.v1

my_reference_values := {
    "mrtds": [
        {
            "key": "94c0df4d903245...233c6f103d003b14",
            "value": {
                "bios_release": "4.1",
                "cloud_provider": "azure"
            }
        }
    ]
}

# pass the reference values to the TD Integrity catalog policy
results := data.intel.ita.tdi.appraisal_results(my_reference_values)

# compare the results from TD Integrity to determine if the token's "policy_ids_matched" is true/false
default matches := false

matches := true if {
    results.mrtd != {}                 # not empty indicates an MRTD matched
    results.secure_boot == "enabled"   # secure boot is enabled
}

# "export" the results to the token's "policy_defined_claims"
export := {
    "appraisal_results": results
}
```
- `data` is a rego keyword needed to reference the `intel.ita.tdi` catalog policy namespace.
- `appraisal_results` is a rego function in the `intel.ita.tdi` namespace.
- `results` is an object with properties for `mrtd` (the matched MRTD key/value) and `secure_boot` (with status "enabled", "disabled" or "unknown").
- The example uses the `matches` rule to determine the result of the token's `policy_ids_matched` claim. It ensures that at least one `mrtd` reference value matched using `!= {}`. It also confirms that `secure_boot` is `enabled`. If these conditions do not hold, the attestation token will include the policy id in `policy_ids_unmatched`.
- `export` is used to include the TD Integrity `appraisal_results` JSON (i.e., the matching key/value objects) in the attestation token's `policy_defined_claims` section.
Key Points:
- The policy must include at least one MRTD measurement. `kernel_digests` are optional and can be used for "measured boot".
- The user-defined policy is responsible for comparing the appraisal results to determine if the policy "matched".
- Reference values are arrays of key/value objects (more than one can be provided in a policy); "values" can include metadata that provides context about the measurement (e.g., cloud service provider, kernel version string, etc.).
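As an added example (not from this page or from Intel Trust Authority's own catalog), the policy below implements the "BIOS & Measured Boot" option from TD Integrity Reference Values, extending the Policy Creation example above with `kernel_digests` and a second `matches` rule. All hash keys and the kernel version string are constructed placeholders, and the `results.kernel_digest` property name is an assumption: the page documents only `results.mrtd` and `results.secure_boot`, so confirm the kernel result name against the catalog policy before deploying.

```rego
import rego.v1

# Reference values for measured boot: MRTDs for the virtual BIOS plus kernel
# digests taken from the boot event logs. Every "key" below is a constructed
# placeholder, not a real measurement; replace with values collected from a
# known-good CVM (trustauthority-td-integrity) or the GCP RIM catalog.
my_reference_values := {
    "mrtds": [
        {
            "key": "<MRTD-HEX-PLACEHOLDER-AZURE>",
            "value": {"bios_release": "4.1", "cloud_provider": "azure"},
        },
        {
            "key": "<MRTD-HEX-PLACEHOLDER-GCP>",
            "value": {"cloud_provider": "gcp"},
        },
    ],
    "kernel_digests": [
        {
            "key": "<KERNEL-DIGEST-HEX-PLACEHOLDER>",
            "value": {"kernel_version": "6.8.0-example", "cloud_provider": "azure"},
        },
    ],
}

# Hand both arrays to the TD Integrity catalog policy.
results := data.intel.ita.tdi.appraisal_results(my_reference_values)

# ASSUMPTION: the catalog policy reports a matched kernel reference under
# results.kernel_digest, mirroring results.mrtd. Undefined -> stays false.
default kernel_matched := false

kernel_matched if results.kernel_digest != {}

# Accept the TD only when the BIOS matched AND the kernel is covered by
# either secure boot (signature check) or a matching measured-boot digest.
default matches := false

matches if {
    results.mrtd != {}
    results.secure_boot == "enabled"
}

matches if {
    results.mrtd != {}
    kernel_matched
}

# Expose the raw appraisal results and which path accepted the kernel, so a
# relying party reading policy_defined_claims can audit the decision.
export := {
    "appraisal_results": results,
    "kernel_matched": kernel_matched,
}
```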
TD Integrity Walkthrough
The following instructions demonstrate TD Integrity using trustauthority-cli on Azure and GCP TDX confidential VMs.
Prerequisites
- Access to Intel Trust Authority portal
- trustauthority-cli (v1.9+)
- Reference measurements (MRTD, kernel digests)
Creating a TD Integrity Appraisal Policy
- Sign in to the Intel Trust Authority portal.
- Create a new policy containing reference values as described in TD Integrity Reference Values and TD Integrity Policy Creation above. Note the `id` of the policy for use in the steps below.
- Link the TD Integrity policy created in the previous step to an Attestation API Key so that it is automatically evaluated at attestation time. Note the `API-Key` for use in the steps below.
Attesting Azure CVMs with Intel TDX
- Create an Azure CVM with Intel TDX. See Creating a VM with Intel TDX on Microsoft Azure.
- Install trustauthority-cli:
```shell
curl https://raw.githubusercontent.com/intel/trustauthority-client-for-go/main/release/install-tdx-cli.sh | sudo bash -
```
- Create a config.json for Azure:
```json
{
  "cloud_provider": "azure",
  "trustauthority_url": "https://portal.trustauthority.intel.com",
  "trustauthority_api_url": "https://api.trustauthority.intel.com",
  "trustauthority_api_key": "{{API-KEY}}",
  "tpm": {
    "ak_handle": "81000003"
  }
}
```
- Collect evidence and request a token:
```shell
sudo trustauthority-cli token --tdx --tpm --evl -c config.json
```
- The attestation token claims produced by the previous step can be viewed using online JWT tools. When TD Integrity is successful, the `id` of the policy will be included in the `policy_ids_matched` element of the attestation token claims (otherwise it will be listed in `policy_ids_unmatched`). `appraisal_results` will be included in the `policy_defined_claims` element.
TD Integrity for GCP CVMs with Intel TDX
- Create a GCP CVM with Intel TDX. For more information, see Creating a CVM with Intel TDX on GCP.
- Install trustauthority-cli (v1.9+) by running the following command:
```shell
curl https://raw.githubusercontent.com/intel/trustauthority-client-for-go/main/release/install-tdx-cli.sh | sudo bash -
```
- Create a config.json for GCP:
```json
{
  "trustauthority_url": "https://portal.trustauthority.intel.com",
  "trustauthority_api_url": "https://api.trustauthority.intel.com",
  "trustauthority_api_key": "{{API-KEY}}"
}
```
- Collect evidence and request a token:
```shell
sudo trustauthority-cli token --tdx --ccel -c config.json --no-verifier-nonce
```
- The attestation token claims produced by the previous step can be viewed using online JWT tools. When TD Integrity is successful, the `id` of the policy will be included in the `policy_ids_matched` element of the attestation token claims (otherwise it will be listed in `policy_ids_unmatched`). `appraisal_results` will be included in the `policy_defined_claims` element.
* Other names and brands may be claimed as the property of others.