IBM Cloud Docs
About attestation with Intel SGX or TDX for Virtual Servers for VPC

Select availability

Attestation is a validation process that makes sure that a runtime environment is instantiated in an encrypted SGX or TDX enclave on a system with a known security configuration. Data Center Attestation Primitives (DCAP) from Intel facilitates attestation.

Confidential computing profiles are available in the Dallas (us-south), Washington DC (us-east), and Frankfurt (eu-de) regions. Confidential computing with Intel SGX for VPC is available in Dallas (us-south), Washington DC (us-east), and Frankfurt (eu-de). Confidential computing with Intel TDX for VPC is available only in the Washington DC (us-east) region. If you want to create a virtual server instance with a confidential computing profile and TDX, you can create that virtual server instance only in the Washington DC (us-east) region. You can’t create a virtual server instance with TDX in any other region, including Dallas (us-south) and Frankfurt (eu-de). For more information, see Confidential computing known issues. Confidential computing is available only with select profiles. For more information, see Confidential computing profiles.

Intel SGX helps protect data that is in use through application isolation technology. Intel TDX helps protect data that is in use through virtual machine isolation technology. By using these features, developers can protect the integrity and confidentiality of their code and data.

Enabling attestation for SGX

The PCK certificate is available in the SGX virtual server, so you don't need to procure it from a PCCS service. This certificate is at /root/.dcap-qcnl/*.

Install DCAP and QCNL packages as specified by Intel.

Install DCAP version 1.19 or later, because earlier versions do not support locally cached certificates.

Reconfigure AESM to use the locally cached PCK certificate and restart the service as shown in the following example.

 Configure /etc/sgx_default_qcnl.conf:

 "use_secure_cert": false
 "local_cache_only": true

 Then restart aesmd:

 systemctl restart aesmd

A non-root user must copy the /root/.dcap-qcnl/* directory to their $HOME directory to use DCAP.
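
The following preflight check for the SGX steps above is an added example, not code from IBM or Intel. The function names are hypothetical, the installed DCAP version is passed in by the caller because the package query differs by distribution, and the parser assumes each setting sits on its own line and skips // comment lines in case the file contains them.

```bash
#!/usr/bin/env bash
# Added example: preflight checks before relying on locally cached PCK certificates.
# All function names are hypothetical; paths and setting names come from the page.

# Print the value of a "key": value line, skipping // comment lines.
qcnl_value() {  # usage: qcnl_value <conf-file> <key>
  sed -n -E -e '/^[[:space:]]*\/\//d' \
    -e "s/^[[:space:]]*\"$2\"[[:space:]]*:[[:space:]]*\"?([^\",[:space:]]*)\"?.*$/\1/p" \
    "$1" | head -n 1
}

# True when both settings have the values the page specifies.
qcnl_conf_ok() {  # usage: qcnl_conf_ok <conf-file>
  [ -r "$1" ] || return 2
  [ "$(qcnl_value "$1" use_secure_cert)" = "false" ] &&
    [ "$(qcnl_value "$1" local_cache_only)" = "true" ]
}

# True when the given DCAP version is 1.19 or later (uses GNU sort -V).
dcap_version_ok() {  # usage: dcap_version_ok <version-string>
  [ "$(printf '%s\n' "1.19" "$1" | sort -V | head -n 1)" = "1.19" ]
}

# True when the PCK cache directory exists and holds at least one file.
pck_cache_ok() {  # usage: pck_cache_ok <dir>
  [ -d "$1" ] && [ -n "$(find "$1" -type f | head -n 1)" ]
}

# Run all checks. $HOME/.dcap-qcnl is /root/.dcap-qcnl for root and the
# copied directory for a non-root user.
preflight() {  # usage: preflight <installed-dcap-version>
  dcap_version_ok "$1" ||
    { echo "DCAP $1 is older than 1.19" >&2; return 1; }
  qcnl_conf_ok /etc/sgx_default_qcnl.conf ||
    { echo "check use_secure_cert and local_cache_only" >&2; return 1; }
  pck_cache_ok "$HOME/.dcap-qcnl" ||
    { echo "no PCK cache found in $HOME/.dcap-qcnl" >&2; return 1; }
  echo "SGX attestation preflight passed"
}
```

Source the file and run `preflight <version>` as the user that will use DCAP; a nonzero exit status identifies the step that still needs attention.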

Enabling attestation for TDX

To enable attestation for TDX, follow the Intel instructions in "Trust Domain at Runtime".

SGX and TDX documentation from Intel

For more information about SGX and TDX, see the following links.

SGX

TDX