Intel® Trust Authority Client Tutorial — vTPM with Intel® TDX Attestation on Microsoft Azure
7/14/2025
This tutorial provides steps to use the Intel Trust Authority Attestation Client CLI to attest evidence from a virtual Trusted Platform Module (vTPM) on Microsoft Azure. vTPM evidence can be remotely attested by Intel Trust Authority to verify boot time measurements (ex. the kernel image that was loaded) and runtime file measurements (using Integrity Measurement Architecture (IMA)).
Prerequisites
- An Azure account with permissions to create a confidential TDX VM. Note: this tutorial assumes that Azure CVM is created with "vTPM enabled".
- Access to the Intel Trust Authority portal and an API key (referred to as ITA-API-KEY below).
Deploy and configure the Intel Trust Authority CLI
Follow the instructions to install the latest Attestation Client CLI and create the following config.json containing the Azure-specific vTPM configuration:

```json
{
  "cloud_provider": "azure",
  "trustauthority_url": "https://portal.trustauthority.intel.com",
  "trustauthority_api_url": "https://api.trustauthority.intel.com",
  "trustauthority_api_key": "{{ATTESTATION-API-KEY}}",
  "tpm": {
    "ak_handle": "81000003"
  }
}
```
Note

The portal and API URLs for Intel Trust Authority differ by your region (US vs EU). Use the right URLs for your region:

| Region | BaseUrl | ApiUrl |
|---|---|---|
| World/US | https://portal.trustauthority.intel.com | https://api.trustauthority.intel.com |
| EU | https://portal.eu.trustauthority.intel.com | https://api.eu.trustauthority.intel.com |
Key points:
- `cloud_provider` must be `azure`.
- The `tpm` section must be provided and contain the Microsoft Paravisor defined `ak_handle` value of `81000003`.
Verifying vTPM quotes and viewing PCR claims
When Intel Trust Authority verifies vTPM evidence, it checks the vTPM quote signature against the public portion of an Attestation Key (AK) created by Microsoft Paravisor. This AK public key is embedded in the Intel TDX quote's runtime data; for this reason, verifying Azure vTPM evidence also requires the collection of TDX evidence (i.e., verification of Azure vTPM evidence will fail if TDX evidence is not included). Use the following command to collect an Intel Trust Authority attestation token containing vTPM PCR values from the Azure guest.
```sh
trustauthority-cli token --tdx --tpm -c config.json
```
Note
The user executing the Intel Trust Authority Attestation Client must have Read/Write permissions to /dev/tpmrm0 (i.e., the vTPM device). By default, these permissions are granted to the Azure TD users via the tss group.
When remote attestation is successful, the attestation token (JWT) returned by Intel Trust Authority will contain a tpm section with the PCR digest values. Attestation claims can be viewed using online JWT tools. For example:

```json
{
  "tdx": { ...TDX claims... },
  "tpm": {
    "pcrs": [
      {
        "alg": "SHA-256",
        "digest": "2ade7023eeec...296337abced",
        "index": 0
      },
      ...other PCR digests
    ]
  }
}
```
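Pasting an attestation token into an online JWT tool sends it to a third party; the claims can just as easily be read locally. The following added example (not part of the original tutorial or the Intel Trust Authority client) decodes the payload of a token, pulls the `tpm.pcrs` claims into a lookup table and appraises them against a set of expected PCR values, reporting PCRs that are missing from the quote or differ from policy. The token, claim values and expected digests are constructed for the example; it does not verify the token signature, which in practice must be checked against Intel Trust Authority's signing keys before any claim is trusted.

```python
import base64
import json

# --- Minimal JWT payload decoding (no signature verification) -----------------

def _b64url_decode(part: str) -> bytes:
    """Decode base64url without padding, as used in JWT segments."""
    part += "=" * (-len(part) % 4)
    return base64.urlsafe_b64decode(part)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_token_claims(token: str) -> dict:
    """Return the claims (payload) of a JWT. The signature is NOT verified here;
    verify it against the issuer's published keys before acting on the claims."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


# --- PCR appraisal -------------------------------------------------------------

def pcr_map(claims: dict) -> dict:
    """Map (alg, index) -> lowercase hex digest from the token's tpm.pcrs list."""
    return {(p["alg"], p["index"]): p["digest"].lower() for p in claims["tpm"]["pcrs"]}


def appraise_pcrs(claims: dict, expected: dict) -> list:
    """Compare quoted PCRs with expected values. Returns a list of findings;
    an empty list means every expected PCR is present and matches."""
    actual = pcr_map(claims)
    findings = []
    for (alg, index), want in expected.items():
        got = actual.get((alg, index))
        if got is None:
            findings.append(f"PCR {index} ({alg}): missing from quote")
        elif got != want.lower():
            findings.append(f"PCR {index} ({alg}): got {got[:16]}..., expected {want[:16].lower()}...")
    return findings


# --- Constructed sample data (illustrative only, not real attestation output) ---

SAMPLE_CLAIMS = {
    "tdx": {},  # TDX claims omitted; the real token carries them here
    "tpm": {
        "pcrs": [
            {"alg": "SHA-256", "digest": "2a" * 32, "index": 0},
            {"alg": "SHA-256", "digest": "7b" * 32, "index": 7},
        ]
    },
}

# A constructed, unsigned token with an illustrative header; a real token's
# header fields and signature come from Intel Trust Authority.
SAMPLE_TOKEN = ".".join([
    _b64url_encode(json.dumps({"alg": "PS384", "typ": "JWT"}).encode()),
    _b64url_encode(json.dumps(SAMPLE_CLAIMS).encode()),
    _b64url_encode(b"constructed-signature-bytes"),
])

# Expected values ("golden" PCRs) a verifier would keep in its policy.
EXPECTED_PCRS = {
    ("SHA-256", 0): "2a" * 32,  # matches the sample quote
    ("SHA-256", 4): "4c" * 32,  # absent from the sample quote -> finding
    ("SHA-256", 7): "00" * 32,  # differs from the sample quote -> finding
}

if __name__ == "__main__":
    claims = decode_token_claims(SAMPLE_TOKEN)
    for finding in appraise_pcrs(claims, EXPECTED_PCRS):
        print(finding)
```

The comparison is done per (algorithm, index) pair so that a quote reporting a different bank or a subset of PCRs is reported explicitly rather than silently passing.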
UEFI event logs claims
While PCR measurements are used to establish a cryptographic "chain of trust", a bare PCR value says nothing about what was measured into it. The following command uses the --evl option to verify and include UEFI event-log claims that can be used to appraise boot time information such as the state of secure boot or the loaded kernel image digest.
```sh
trustauthority-cli token --tdx --tpm --evl -c config.json
```

```json
{
  "tdx": { ...tdx claims... },
  "tpm": {
    "pcrs": [ see pcrs above ],
    "uefi_event_logs": [
      {
        "details": null,
        "digest_matches_event": true,
        "digests": [
          {
            "alg": "SHA-256",
            "digest": "16a296d224f2...8630a09cfc7"
          }
        ],
        "event": "AAA=",
        "index": 0,
        "type": 8,
        "type_name": "EV_S_CRTM_VERSION"
      },
      ...other UEFI event log entries
    ]
  }
}
```
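An event log is only trustworthy if it actually reproduces the quoted PCRs: each measured event's digest is extended into its PCR (new = SHA-256(old || digest), starting from all zeros), so replaying the log must end at the values in `tpm.pcrs`. The added example below (not part of the tutorial or the Intel Trust Authority client) replays the `uefi_event_logs` claims into per-PCR values, compares them with the quoted PCRs and also flags any entry whose `digest_matches_event` is false. The event log and PCR values are constructed for the example (EV_NO_ACTION entries are skipped because firmware does not extend them); the tampered copy shows what a modified log entry looks like to the check.

```python
import copy
import hashlib

EV_NO_ACTION = 3  # TCG event type whose entries are not extended into a PCR

_HASHERS = {"SHA-256": hashlib.sha256, "SHA-1": hashlib.sha1}


def replay_event_log(events: list, alg: str = "SHA-256") -> dict:
    """Replay event digests into PCRs: PCR[i] = H(PCR[i] || digest).
    Returns {pcr_index: hex_digest} for every PCR touched by the log."""
    hasher = _HASHERS[alg]
    size = hasher().digest_size
    pcrs = {}
    for ev in events:
        if ev["type"] == EV_NO_ACTION:
            continue
        digest = next((d["digest"] for d in ev["digests"] if d["alg"] == alg), None)
        if digest is None:
            continue  # no digest in the requested bank for this event
        prev = pcrs.get(ev["index"], b"\x00" * size)
        pcrs[ev["index"]] = hasher(prev + bytes.fromhex(digest)).digest()
    return {idx: value.hex() for idx, value in pcrs.items()}


def appraise_event_log(claims: dict, alg: str = "SHA-256") -> list:
    """Cross-check the token's uefi_event_logs against its pcrs claims.
    Returns a list of findings; empty means the log reproduces the quote."""
    findings = []
    events = claims["tpm"]["uefi_event_logs"]
    for pos, ev in enumerate(events):
        if not ev.get("digest_matches_event", True):
            findings.append(f"event {pos} ({ev['type_name']}): recorded digest does not match event data")
    replayed = replay_event_log(events, alg)
    quoted = {p["index"]: p["digest"].lower() for p in claims["tpm"]["pcrs"] if p["alg"] == alg}
    for idx, digest in sorted(replayed.items()):
        if idx not in quoted:
            findings.append(f"PCR {idx}: extended by the event log but absent from the quote")
        elif quoted[idx] != digest:
            findings.append(f"PCR {idx}: replayed {digest[:16]}... != quoted {quoted[idx][:16]}...")
    return findings


# --- Constructed sample data (illustrative only, not real attestation output) ---

def _event(index, etype, name, digest, matches=True):
    return {"details": None, "digest_matches_event": matches,
            "digests": [{"alg": "SHA-256", "digest": digest}],
            "event": "AAA=", "index": index, "type": etype, "type_name": name}


SAMPLE_EVENTS = [
    _event(0, EV_NO_ACTION, "EV_NO_ACTION", "00" * 32),          # informational, not extended
    _event(0, 8, "EV_S_CRTM_VERSION", "16" * 32),
    _event(0, 1, "EV_POST_CODE", "a7" * 32),
    _event(7, 0x80000001, "EV_EFI_VARIABLE_DRIVER_CONFIG", "5e" * 32),
]

# The quoted PCRs are constructed to be consistent with the sample log.
SAMPLE_CLAIMS = {
    "tdx": {},
    "tpm": {
        "pcrs": [{"alg": "SHA-256", "digest": d, "index": i}
                 for i, d in sorted(replay_event_log(SAMPLE_EVENTS).items())],
        "uefi_event_logs": SAMPLE_EVENTS,
    },
}


def tampered_claims() -> dict:
    """Copy of the sample in which one PCR 0 log entry was altered after the fact."""
    claims = copy.deepcopy(SAMPLE_CLAIMS)
    bad = claims["tpm"]["uefi_event_logs"][1]
    bad["digests"][0]["digest"] = "ff" * 32
    bad["digest_matches_event"] = False
    return claims


if __name__ == "__main__":
    print("clean:", appraise_event_log(SAMPLE_CLAIMS))
    print("tampered:", appraise_event_log(tampered_claims()))
```

Replay runs per hash bank, so an event that only carries a SHA-1 digest is ignored when appraising the SHA-256 bank instead of corrupting the replayed value.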
Note
The user executing the Intel Trust Authority Attestation Client must have Read permissions to /sys/kernel/security/tpm0/binary_bios_measurements when collecting UEFI event-log evidence using the --evl option.
IMA logs
By default, Azure TDX CVMs are configured with IMA enabled. The following command uses the --ima option to collect IMA logs.
```sh
trustauthority-cli token --tdx --tpm --ima -c config.json
```

```json
{
  "tdx": {tdx claims},
  "tpm": {
    "pcrs": [see pcrs above],
    "runtime_measurements": [
      {
        "alg": "SHA-256",
        "cumulative_digest": "532ffcf4b8b...fdbcab2dc24",
        "index": 10,
        "measurements": [
          {
            "digest": "3d4b43b7b0...d5ebbe98",
            "file_path": "boot_aggregate"
          },
          {
            "digest": "dccd535...33f8265eab",
            "file_path": "/usr/lib/modules/6.8.0-1030-azure/kernel/fs/autofs/autofs4.ko"
          },
          other IMA log entries...
        ]
      }
    ]
  }
}
```
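The `runtime_measurements` claims are what an appraisal policy compares against a known-good set of file digests. The added example below (not part of the tutorial or the Intel Trust Authority client) walks the IMA entries in a token and reports three conditions a verifier cares about: a measured file that is not in the allowlist, a file whose digest differs from the allowlisted one, and a file that appears more than once with different digests, which is how IMA records a file that changed after it was first loaded. It also checks that `boot_aggregate` is the first entry. All paths and digests are constructed for the example (the autofs4.ko path is the one shown in the tutorial output; its digest is made up).

```python
def appraise_ima(claims: dict, allowlist: dict) -> list:
    """Appraise tpm.runtime_measurements against {file_path: expected_hex_digest}.
    Returns a list of findings; empty means every measured file is known and unchanged."""
    findings = []
    first_seen = {}  # file_path -> digest from its first measurement
    for rm in claims["tpm"]["runtime_measurements"]:
        entries = rm["measurements"]
        # IMA's first entry is the aggregate of the boot-time PCRs, not a file.
        if not entries or entries[0]["file_path"] != "boot_aggregate":
            findings.append(f"PCR {rm['index']}: first IMA entry is not boot_aggregate")
        for m in entries:
            path, digest = m["file_path"], m["digest"].lower()
            if path == "boot_aggregate":
                continue
            if path in first_seen:
                if first_seen[path] != digest:
                    findings.append(f"{path}: re-measured with a different digest (changed after first load)")
                continue  # a repeated identical measurement is normal
            first_seen[path] = digest
            want = allowlist.get(path)
            if want is None:
                findings.append(f"{path}: measured file not in allowlist")
            elif want.lower() != digest:
                findings.append(f"{path}: digest {digest[:12]}... != allowlisted {want.lower()[:12]}...")
    return findings


# --- Constructed sample data (illustrative only, not real attestation output) ---

MODULE_PATH = "/usr/lib/modules/6.8.0-1030-azure/kernel/fs/autofs/autofs4.ko"
AGENT_PATH = "/usr/local/bin/agent"      # hypothetical binary measured twice

SAMPLE_CLAIMS = {
    "tdx": {},
    "tpm": {
        "pcrs": [],
        "runtime_measurements": [
            {
                "alg": "SHA-256",
                "cumulative_digest": "53" * 32,  # constructed; not recomputed here
                "index": 10,
                "measurements": [
                    {"digest": "3d" * 32, "file_path": "boot_aggregate"},
                    {"digest": "dc" * 32, "file_path": MODULE_PATH},
                    {"digest": "11" * 32, "file_path": AGENT_PATH},
                    {"digest": "99" * 32, "file_path": "/usr/local/bin/unknown-tool"},
                    {"digest": "22" * 32, "file_path": AGENT_PATH},  # same path, new digest
                ],
            }
        ],
    },
}

ALLOWLIST = {
    MODULE_PATH: "dc" * 32,
    AGENT_PATH: "11" * 32,
}

if __name__ == "__main__":
    for finding in appraise_ima(SAMPLE_CLAIMS, ALLOWLIST):
        print(finding)
```

The allowlist is keyed by path, which is how the token presents entries; a verifier that cares about renamed binaries would additionally key on digest, but that is a policy choice rather than part of the check shown here.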
Note
The user executing the Intel Trust Authority Attestation Client must have Read permissions to /sys/kernel/security/ima/ascii_runtime_measurements when collecting IMA evidence using the --ima option.
Conclusion
This tutorial demonstrated how to deploy, configure and run the Intel Trust Authority Client CLI to verify TDX and vTPM evidence from Azure. It also summarized how to collect auxiliary vTPM evidence (UEFI/IMA logs) and view their token claims which can be compared during appraisal (see Attestation Policies). Please see client libraries for more information on integrating Intel Trust Authority directly into your workloads and applications.