22 changes: 11 additions & 11 deletions specs/flashtestations.md
@@ -233,9 +233,9 @@ The TD Report includes the core information used for attestation of the TDX Quot
```python
class TDReport():
TEETCBSVN: Bytes16
MRSEAMSVN: uint16
MRSIGNERSEAM: Bytes48
MRSEAM: Bytes48
SEAMATTRIBUTES: bytes8
MRSIGNERSEAM: Bytes48
MRTD: Bytes48
RTMR: List[Bytes48, size=4]
MROWNER: Bytes48
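Review bot: the new `SEAMATTRIBUTES: bytes8` field uses a lowercase `bytes8` while every other field in the class (`TEETCBSVN: Bytes16`, `MRSEAM: Bytes48`, `MRTD: Bytes48`) uses the capitalized pseudo-type spelling; change it to `SEAMATTRIBUTES: Bytes8` so a reader does not take the two spellings as two different types. The hunk also moves `MRSIGNERSEAM` from directly after `MRSEAM` to after `SEAMATTRIBUTES`; if the field order is meant to mirror the byte layout of the report, say so in the surrounding text, otherwise a short comment that the order is illustrative would stop implementers from relying on it for parsing.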
@@ -248,17 +248,17 @@ class TDReport():

**Field descriptions:**

- `TEETCBSVN`: TEE Trusted Computing Base Security Version Numbers (SVNs); indicates platform patch level.
- `MRSEAMSVN`: Security Version Number of the TDX module (SEAM).
- `MRSIGNERSEAM`: Measurement of the TDX SEAM module's signer (Intel).
- `MRSEAM`: Measurement of the TDX SEAM module itself.
- `MRTD`: Initial TD measurement (boot loader, initial data).
- `RTMR`: Runtime measurements (linux kernel, initramfs, etc.).
- `MROWNER`: Measurement register that takes arbitrary information and can be set by the TEE infrastructure operator before the startup of the VM
- `TEETCBSVN`: TEE Trusted Computing Base Security Version Numbers (SVNs); indicates platform patch level. Checked against onchain collateral.
- `MRSEAM`: Measurement of the TDX SEAM module itself. Checked against onchain collateral.
- `SEAMATTRIBUTES`: TDX SEAM module attributes. All zeroes in production mode, checked against onchain collateral.
- `MRSIGNERSEAM`: Measurement of the TDX SEAM module's signer (Intel). Checked against onchain collateral.
- `MRTD`: Initial TD measurement (boot loader, initial data). Should be part of the WorkloadId.
- `RTMR`: Runtime measurements (linux kernel, initramfs, etc.). Should be part of the WorkloadId.
- `MROWNER`: Measurement register that takes arbitrary information and can be set by the TEE infrastructure operator before the startup of the VM. Currently not used.
- `MROWNERCONFIG`: same as `MROWNER`
- `MRCONFIGID`: same as `MROWNER`
- `TDAttributes`: Attributes describing the security properties and configuration of the Trust Domain.
- `XFAM`: Extended Features and Attributes Mask, indicating which CPU extended features are enabled for the Trust Domain.
- `TDAttributes`: Attributes describing the security properties and configuration of the Trust Domain. It's important to verify debug and performance measurements flags are not set.

It's important to verify debug and performance measurements flags are not set

Why?

Please add a sentence explaining what will happen if those flags are set. It's not clear to readers why this is true, so it feels ominous (like saying "don't re-use k values in ECDSA" and then Sony goes and re-uses k values because they don't know what the impact of doing that is).

- `XFAM`: Extended Features and Attributes Mask, indicating which CPU extended features are enabled for the Trust Domain. It's important to verify which flags are set.

It's important to verify which flags are set.

Same spirit of comment as above. Please explain it further, because right now it's not clear why this is important.

- `ReportData`: Confidential-VM defined data included in the report (e.g., public key hash).

Can you update ReportData's description as well? It's not just a public key hash anymore; it's a hash of arbitrary bytes data defined by the workload, used to allow the workload to attest to arbitrary data (such as a TEE-specific public key, workload constructor arguments, etc.).


### **`DCAPEndorsements`**
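Review bot: the rewritten field descriptions still leave the verifier's behaviour unspecified for several registers. The `MRTD` and `RTMR` bullets say the value "Should be part of the WorkloadId", and the `MROWNER`, `MROWNERCONFIG` and `MRCONFIGID` bullets say "Currently not used", but neither phrasing tells an implementer whether WorkloadId derivation must include `MRTD` and all four `RTMR` entries, or whether the unused registers are ignored by the verifier or required to be zero. Since `MROWNER` is described as settable by the infrastructure operator before the VM starts, an operator-controlled value that is silently ignored should be stated as such; suggest normative wording along the lines of `- \`MRTD\`: Initial TD measurement (boot loader, initial data). MUST be included in the WorkloadId.` and `- \`MROWNER\`: ... Not verified; its value is ignored.` The `SEAMATTRIBUTES` bullet has the same gap: "All zeroes in production mode, checked against onchain collateral" should say what happens when the value is non-zero (reject the quote, or accept whatever the collateral lists).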