From 15bd589c3fd5fc674e336508220dc2381ad3393a Mon Sep 17 00:00:00 2001 From: Magnus Kulke Date: Fri, 24 Nov 2023 17:50:12 +0100 Subject: [PATCH] attestation-service: add az-tdx-vtpm verifier - Added verification code - Added tdx fixtures and test cases - Reorganized snp fixtures - Added missing dependency for tdx e2e test - Added entry for e2e test Co-authored-by: Xynnn_ 
Signed-off-by: Magnus Kulke --- Cargo.lock | 1 + Cargo.toml | 2 +- .../attestation-service/Cargo.toml | 2 +- attestation-service/verifier/Cargo.toml | 4 +- .../verifier/src/az_snp_vtpm/mod.rs | 12 +- .../verifier/src/az_tdx_vtpm/mod.rs | 146 ++++++++++++++++++ attestation-service/verifier/src/lib.rs | 13 +- attestation-service/verifier/src/tdx/mod.rs | 4 +- .../hcl-report.bin} | Bin .../tpm-quote.msg} | Bin .../tpm-quote.sig} | Bin .../{az-vcek.pem => az-snp-vtpm/vcek.pem} | 0 .../test_data/az-tdx-vtpm/hcl-report.bin | Bin 0 -> 2600 bytes .../test_data/az-tdx-vtpm/td-quote.bin | Bin 0 -> 5006 bytes .../test_data/az-tdx-vtpm/tpm-quote.msg | Bin 0 -> 126 bytes .../test_data/az-tdx-vtpm/tpm-quote.sig | Bin 0 -> 256 bytes kbs/README.md | 3 +- kbs/src/api/src/attestation/coco/grpc.rs | 1 + kbs/test/Makefile | 1 + 19 files changed, 176 insertions(+), 13 deletions(-) create mode 100644 attestation-service/verifier/src/az_tdx_vtpm/mod.rs rename attestation-service/verifier/test_data/{az-hcl-data.bin => az-snp-vtpm/hcl-report.bin} (100%) rename attestation-service/verifier/test_data/{az-vtpm-quote-msg.bin => az-snp-vtpm/tpm-quote.msg} (100%) rename attestation-service/verifier/test_data/{az-vtpm-quote-sig.bin => az-snp-vtpm/tpm-quote.sig} (100%) rename attestation-service/verifier/test_data/{az-vcek.pem => az-snp-vtpm/vcek.pem} (100%) create mode 100644 attestation-service/verifier/test_data/az-tdx-vtpm/hcl-report.bin create mode 100644 attestation-service/verifier/test_data/az-tdx-vtpm/td-quote.bin create mode 100644 attestation-service/verifier/test_data/az-tdx-vtpm/tpm-quote.msg create mode 100644 attestation-service/verifier/test_data/az-tdx-vtpm/tpm-quote.sig diff --git a/Cargo.lock b/Cargo.lock index c65fb16ca..11535d30e 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -5222,6 +5222,7 @@ dependencies = [ "assert-json-diff", "async-trait", "az-snp-vtpm", + "az-tdx-vtpm", "base64 0.21.6", "bincode", "byteorder", 
diff --git a/Cargo.toml b/Cargo.toml index 2bc3afc89..90ec327d4 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -28,7 +28,7 @@ chrono = "0.4.19" clap = { version = "4", features = ["derive"] } env_logger = "0.10.0" hex = "0.4.3" -kbs-types = "0.5" +kbs-types = "0.5.3" log = "0.4.17" prost = "0.11.0" rstest = "0.18.1" diff --git a/attestation-service/attestation-service/Cargo.toml b/attestation-service/attestation-service/Cargo.toml index d95fa7e9a..d3bda03d3 100644 --- a/attestation-service/attestation-service/Cargo.toml +++ b/attestation-service/attestation-service/Cargo.toml @@ -9,6 +9,7 @@ all-verifier = [ "verifier/all-verifier" ] tdx-verifier = [ "verifier/tdx-verifier" ] sgx-verifier = [ "verifier/sgx-verifier" ] az-snp-vtpm-verifier = [ "verifier/az-snp-vtpm-verifier" ] +az-tdx-vtpm-verifier = [ "verifier/az-tdx-vtpm-verifier" ] snp-verifier = [ "verifier/snp-verifier" ] csv-verifier = [ "verifier/csv-verifier" ] cca-verifier = [ "verifier/cca-verifier" ] @@ -42,7 +43,6 @@ clap = { workspace = true, optional = true } env_logger = { workspace = true, optional = true } futures = "0.3.17" hex.workspace = true -# TODO: change it to "0.5", once released. kbs-types.workspace = true lazy_static = "1.4.0" log.workspace = true diff --git a/attestation-service/verifier/Cargo.toml b/attestation-service/verifier/Cargo.toml index 9f3bd157f..afb6f8817 100644 --- a/attestation-service/verifier/Cargo.toml +++ b/attestation-service/verifier/Cargo.toml 
@@ -5,10 +5,11 @@ edition = "2021" [features] default = [ "all-verifier" ] -all-verifier = [ "tdx-verifier", "sgx-verifier", "snp-verifier", "az-snp-vtpm-verifier", "csv-verifier", "cca-verifier" ] +all-verifier = [ "tdx-verifier", "sgx-verifier", "snp-verifier", "az-snp-vtpm-verifier", "az-tdx-vtpm-verifier", "csv-verifier", "cca-verifier" ] tdx-verifier = [ "eventlog-rs", "scroll", "sgx-dcap-quoteverify-rs" ] sgx-verifier = [ "scroll", "sgx-dcap-quoteverify-rs" ] az-snp-vtpm-verifier = [ "az-snp-vtpm", "sev", "snp-verifier" ] +az-tdx-vtpm-verifier = [ "az-tdx-vtpm", "openssl", "tdx-verifier" ] snp-verifier = [ "asn1-rs", "openssl", "sev", "x509-parser" ] csv-verifier = [ "openssl", "csv-rs", "codicon" ] cca-verifier = [ "ear", "veraison-apiclient" ] @@ -18,6 +19,7 @@ anyhow.workspace = true asn1-rs = { version = "0.5.1", optional = true } async-trait.workspace = true az-snp-vtpm = { version = "0.4", default-features = false, features = ["verifier"], optional = true } +az-tdx-vtpm = { version = "0.4", default-features = false, features = ["verifier"], optional = true } base64 = "0.21" bincode = "1.3.3" byteorder = "1" diff --git a/attestation-service/verifier/src/az_snp_vtpm/mod.rs b/attestation-service/verifier/src/az_snp_vtpm/mod.rs index 080ce08d9..d91108ba8 100644 --- a/attestation-service/verifier/src/az_snp_vtpm/mod.rs +++ b/attestation-service/verifier/src/az_snp_vtpm/mod.rs 
@@ -125,16 +125,16 @@ fn verify_snp_report( mod tests { use super::*; - const REPORT: &[u8; 2048] = include_bytes!("../../test_data/az-hcl-data.bin"); - const SIGNATURE: &[u8; 256] = include_bytes!("../../test_data/az-vtpm-quote-sig.bin"); - const MESSAGE: &[u8; 122] = include_bytes!("../../test_data/az-vtpm-quote-msg.bin"); + const REPORT: &[u8; 2048] = include_bytes!("../../test_data/az-snp-vtpm/hcl-report.bin"); + const SIGNATURE: &[u8; 256] = include_bytes!("../../test_data/az-snp-vtpm/tpm-quote.sig"); + const MESSAGE: &[u8; 122] = include_bytes!("../../test_data/az-snp-vtpm/tpm-quote.msg"); const REPORT_DATA: &[u8] = "challenge".as_bytes(); #[test] fn test_verify_snp_report() { let hcl_report = HclReport::new(REPORT.to_vec()).unwrap(); let snp_report = hcl_report.try_into().unwrap(); - let vcek = Vcek::from_pem(include_str!("../../test_data/az-vcek.pem")).unwrap(); + let vcek = Vcek::from_pem(include_str!("../../test_data/az-snp-vtpm/vcek.pem")).unwrap(); let vendor_certs = load_milan_cert_chain().as_ref().unwrap(); verify_snp_report(&snp_report, &vcek, vendor_certs).unwrap(); } @@ -146,7 +146,7 @@ mod tests { wrong_report[0x00b0] = 0; let hcl_report = HclReport::new(wrong_report.to_vec()).unwrap(); let snp_report = hcl_report.try_into().unwrap(); - let vcek = Vcek::from_pem(include_str!("../../test_data/az-vcek.pem")).unwrap(); + let vcek = Vcek::from_pem(include_str!("../../test_data/az-snp-vtpm/vcek.pem")).unwrap(); let vendor_certs = load_milan_cert_chain().as_ref().unwrap(); verify_snp_report(&snp_report, &vcek, vendor_certs).unwrap_err(); } @@ -197,7 +197,7 @@ mod tests { signature: SIGNATURE.to_vec(), message: MESSAGE.to_vec(), }; - let report = include_bytes!("../../test_data/az-hcl-data.bin"); + let report = include_bytes!("../../test_data/az-snp-vtpm/hcl-report.bin"); let hcl_report = HclReport::new(report.to_vec()).unwrap(); let mut report_data = REPORT_DATA.to_vec(); report_data.reverse(); 
diff --git a/attestation-service/verifier/src/az_tdx_vtpm/mod.rs b/attestation-service/verifier/src/az_tdx_vtpm/mod.rs
new file mode 100644
index 000000000..da0b3acdc
--- /dev/null
+++ b/attestation-service/verifier/src/az_tdx_vtpm/mod.rs
@@ -0,0 +1,146 @@
+// Copyright (c) Microsoft Corporation.
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+
+use super::tdx::claims::generate_parsed_claim;
+use super::tdx::quote::{ecdsa_quote_verification, parse_tdx_quote, Quote as TdQuote};
+use super::{TeeEvidenceParsedClaim, Verifier};
+use crate::{regularize_data, InitDataHash, ReportData};
+use anyhow::{bail, Context, Result};
+use async_trait::async_trait;
+use az_tdx_vtpm::hcl::HclReport;
+use az_tdx_vtpm::vtpm::Quote as TpmQuote;
+use log::{debug, warn};
+use openssl::pkey::PKey;
+use serde::{Deserialize, Serialize};
+
+#[derive(Serialize, Deserialize)]
+struct Evidence {
+ tpm_quote: TpmQuote,
+ hcl_report: Vec,
+ td_quote: Vec,
+}
+
+#[derive(Default)]
+pub struct AzTdxVtpm;
+
+#[async_trait]
+impl Verifier for AzTdxVtpm {
+ /// The following verification steps are performed:
+ /// 1. TPM Quote has been signed by AK included in the HCL variable data
+ /// 2. Attestation nonce matches TPM Quote nonce
+ /// 3. TD Quote is genuine
+ /// 4. TD Report's report_data field matches hashed HCL variable data
+ async fn evaluate(
+ &self,
+ evidence: &[u8],
+ expected_report_data: &ReportData,
+ expected_init_data_hash: &InitDataHash,
+ ) -> Result {
+ let expected_report_data =
+ regularize_data(expected_report_data, 64, "REPORT_DATA", "Azure TDX vTPM");
+ let ReportData::Value(expected_report_data) = expected_report_data else {
+ bail!("unexpected empty report data");
+ };
+
+ if let InitDataHash::Value(_) = expected_init_data_hash {
+ warn!("Azure TDX vTPM verifier does not support verify init data hash, will ignore the input `init_data_hash`");
+ }
+
+ let evidence = serde_json::from_slice::(evidence)
+ .context("Failed to deserialize Azure vTPM TDX evidence")?;
+
+ let hcl_report = HclReport::new(evidence.hcl_report)?;
+ verify_tpm_quote(&evidence.tpm_quote, &hcl_report, expected_report_data)?;
+
+ ecdsa_quote_verification(&evidence.td_quote).await?;
+ let td_quote = parse_tdx_quote(&evidence.td_quote)?;
+
+ verify_report_data(&hcl_report, &td_quote)?;
+
+ let claim = generate_parsed_claim(td_quote, None)?;
+ Ok(claim)
+ }
+}
+
+fn verify_report_data(hcl_report: &HclReport, td_quote: &TdQuote) -> Result<()> {
+ let var_data_hash = hcl_report.var_data_sha256();
+ if var_data_hash != td_quote.report_body.report_data[..32] {
+ bail!("TDX Quote report data mismatch");
+ }
+ debug!("Report data verification completed successfully.");
+ Ok(())
+}
+
+fn verify_tpm_quote(quote: &TpmQuote, hcl_report: &HclReport, report_data: &[u8]) -> Result<()> {
+ let ak_pub = hcl_report.ak_pub().context("Failed to get AKpub")?;
+ let der = ak_pub.key.try_to_der()?;
+ let ak_pub = PKey::public_key_from_der(&der).context("Failed to parse AKpub")?;
+
+ quote
+ .verify(&ak_pub, report_data)
+ .context("Failed to verify vTPM quote")?;
+ Ok(())
+}
+
+#[cfg(test)]
+mod tests {
+ use super::*;
+
+ const REPORT: &[u8; 2600] = include_bytes!("../../test_data/az-tdx-vtpm/hcl-report.bin");
+ const SIGNATURE: &[u8; 256] = include_bytes!("../../test_data/az-tdx-vtpm/tpm-quote.sig");
+ const MESSAGE: &[u8; 126] = include_bytes!("../../test_data/az-tdx-vtpm/tpm-quote.msg");
+ const TD_QUOTE: &[u8; 5006] = include_bytes!("../../test_data/az-tdx-vtpm/td-quote.bin");
+
+ #[test]
+ fn test_verify_report_data() {
+ let hcl_report = HclReport::new(REPORT.to_vec()).unwrap();
+ let td_quote = parse_tdx_quote(TD_QUOTE).unwrap();
+ verify_report_data(&hcl_report, &td_quote).unwrap();
+ }
+
+ #[test]
+ fn test_verify_report_data_failure() {
+ let mut wrong_report = REPORT.clone();
+ wrong_report[0x0880] += 1;
+ let hcl_report = HclReport::new(wrong_report.to_vec()).unwrap();
+ let td_quote = parse_tdx_quote(TD_QUOTE).unwrap();
+ verify_report_data(&hcl_report, &td_quote).unwrap_err();
+ }
+
+ #[test]
+ fn test_verify_quote() {
+ let quote = TpmQuote {
+ signature: SIGNATURE.to_vec(),
+ message: MESSAGE.to_vec(),
+ };
+ let hcl_report = HclReport::new(REPORT.to_vec()).unwrap();
+ let nonce = "tdx challenge".as_bytes();
+ verify_tpm_quote("e, &hcl_report, nonce).unwrap();
+ }
+
+ #[test]
+ fn test_verify_quote_signature_failure() {
+ let mut wrong_message = MESSAGE.clone();
+ wrong_message.reverse();
+ let wrong_quote = TpmQuote {
+ signature: SIGNATURE.to_vec(),
+ message: wrong_message.to_vec(),
+ };
+ let hcl_report = HclReport::new(REPORT.to_vec()).unwrap();
+ let nonce = "tdx challenge".as_bytes();
+ verify_tpm_quote(&wrong_quote, &hcl_report, nonce).unwrap_err();
+ }
+
+ #[test]
+ fn test_verify_quote_nonce_failure() {
+ let quote = TpmQuote {
+ signature: SIGNATURE.to_vec(),
+ message: MESSAGE.to_vec(),
+ };
+ let hcl_report = HclReport::new(REPORT.to_vec()).unwrap();
+ let nonce = "wrong".as_bytes();
+ verify_tpm_quote("e, &hcl_report, nonce).unwrap_err();
+ }
+}
diff --git a/attestation-service/verifier/src/lib.rs b/attestation-service/verifier/src/lib.rs
index 67658734e..464aba8fb 100644
--- a/attestation-service/verifier/src/lib.rs
+++ b/attestation-service/verifier/src/lib.rs
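Review bot: In `evaluate`, a caller-supplied `expected_init_data_hash` is only logged with `warn!` and verification then continues, so a relying party that passes an init-data hash still gets a successful result although nothing in the evidence was compared against it. Failing closed in the `InitDataHash::Value(_)` branch, e.g. `bail!("Azure TDX vTPM verifier does not support init data hash verification");`, would surface the gap to callers instead of leaving it in the log. The returned claims are built from the TD quote alone (`generate_parsed_claim(td_quote, None)`) and `verify_report_data` compares only `report_data[..32]`; as far as this hunk shows, vTPM PCR state is never checked or exposed to policy, so the doc comment on `evaluate` should say so, for example `/// Not covered: init data hash, vTPM PCR values, report_data[32..]`.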
@@ -10,6 +10,9 @@ pub mod sample; #[cfg(feature = "az-snp-vtpm-verifier")] pub mod az_snp_vtpm; +#[cfg(feature = "az-tdx-vtpm-verifier")] +pub mod az_tdx_vtpm; + #[cfg(feature = "snp-verifier")] pub mod snp; @@ -38,6 +41,15 @@ pub fn to_verifier(tee: &Tee) -> Result> { } } } + Tee::AzTdxVtpm => { + cfg_if::cfg_if! { + if #[cfg(feature = "az-tdx-vtpm-verifier")] { + Ok(Box::::default() as Box) + } else { + bail!("feature `az-tdx-vtpm-verifier` is not enabled for `verifier` crate."); + } + } + } Tee::Tdx => { cfg_if::cfg_if! { if #[cfg(feature = "tdx-verifier")] { @@ -87,7 +99,6 @@ pub fn to_verifier(tee: &Tee) -> Result> { } } } - Tee::AzTdxVtpm => todo!(), } } diff --git a/attestation-service/verifier/src/tdx/mod.rs b/attestation-service/verifier/src/tdx/mod.rs index 2b73e23a5..3b8c7dd07 100644 --- a/attestation-service/verifier/src/tdx/mod.rs +++ b/attestation-service/verifier/src/tdx/mod.rs @@ -10,9 +10,9 @@ use eventlog::{CcEventLog, Rtmr}; use quote::{ecdsa_quote_verification, parse_tdx_quote}; use serde::{Deserialize, Serialize}; -mod claims; +pub(crate) mod claims; mod eventlog; -mod quote; +pub(crate) mod quote; #[derive(Serialize, Deserialize, Debug)] struct TdxEvidence { diff --git a/attestation-service/verifier/test_data/az-hcl-data.bin b/attestation-service/verifier/test_data/az-snp-vtpm/hcl-report.bin similarity index 100% rename from attestation-service/verifier/test_data/az-hcl-data.bin rename to attestation-service/verifier/test_data/az-snp-vtpm/hcl-report.bin diff --git a/attestation-service/verifier/test_data/az-vtpm-quote-msg.bin b/attestation-service/verifier/test_data/az-snp-vtpm/tpm-quote.msg similarity index 100% rename from attestation-service/verifier/test_data/az-vtpm-quote-msg.bin rename to attestation-service/verifier/test_data/az-snp-vtpm/tpm-quote.msg 
diff --git a/attestation-service/verifier/test_data/az-vtpm-quote-sig.bin b/attestation-service/verifier/test_data/az-snp-vtpm/tpm-quote.sig similarity index 100% rename from attestation-service/verifier/test_data/az-vtpm-quote-sig.bin rename to attestation-service/verifier/test_data/az-snp-vtpm/tpm-quote.sig diff --git a/attestation-service/verifier/test_data/az-vcek.pem b/attestation-service/verifier/test_data/az-snp-vtpm/vcek.pem similarity index 100% rename from attestation-service/verifier/test_data/az-vcek.pem rename to attestation-service/verifier/test_data/az-snp-vtpm/vcek.pem 
diff --git a/attestation-service/verifier/test_data/az-tdx-vtpm/hcl-report.bin b/attestation-service/verifier/test_data/az-tdx-vtpm/hcl-report.bin new file mode 100644 index 0000000000000000000000000000000000000000..cca12d37ac75906a76e04f71b0f01a00671efb41 GIT binary patch literal 2600 zcmeHHYp4`e9N+7`Uh-N{L}nOaTS5;fc4v2IcBR1C=j`mx?(FW}$IQj1d7Ryyotd4T z=iXVpWJ+q07bK#T&_WQC8$w1Al|3wp>|t5>B{NAV`XZHJSz&WCA#WeT5bA^H%m06V z|K~aX^E-GVkInP>d>a<{e6w=ydT0(XI(q#L!{>a%7vN1p`-Lap7~8k((KXv&zRTQy z^5EIR-V1xpVf zq!(TLzz=I*({B?-cAIa4Rg1-sYu9~t@{7Z`_*aK6oto zrGyyE%roMa^;?&W(MK=z@o(ke^`|y3y{5JGm1mdCUx@y8__;e4UahbB{C>Ll#f|Up zR_31@I)Bu8L!%d!K!!(-5R3MFG`9GwZJ!>Vx_ifww=8se;`^(jYu$AZK5~wqdH1Jx z%wsEi!tLt|OYcly6nqJrxpglg^s>5sv-te^?H^~}K5_iO%;}M%-|gCVbb>}QUF zMW-fq9$FuJntO52&B8R|e-(_Ca=&&T-n8MeHgP4{l^d9I0|!TZz9A3u#2@knPg(7k zfou9#On8bU`d9dI?~{`$oA)oDwXj-m*625-R@cAEgDltcDOWJh3_J}hVR29Gda5ZT z@gRm_ZY!7;IW~w|{e;~|2vO4OT{u>tY|WrKkgK;t49fyLR%mC5lGRLL$tFw@pkF0R zd?!CSs7ab45`jnpr5LhMEDYc@ETU>P(5V$Wb*Wq_IK+6XjKK;e+fr=YzZI}OWmO{LUG4RCr=wQ3EXRggkZ%vmK~Xw<@zi|CwUAd{|R6!WQG zF(rsXzM{0N0Vv3_?MAOk&`3sSGGW@FppeXod|8wla42L$2?7zyBpi&_xM+l>+zeG0 zuAn)UE5+ruLjg9|Yyr8h_tahoBPTN~o3%vSt|m}89Typ< zY*_hvzK^xgXqQx#I>Y2Rv0V<4X&IFxa>A`MY$2(%YDK1*qKRa!G|*CcD*}`7z#Zoq zCsPFjijt!!#^@;0a{T^Uy3V=YD;}zi1$}()Q+;3=_1qr~gAggVwe9w@&md6~V%P?J< zBZP2HuQIIbV32AHX^}2ywxdwp?0C08HcVWB0v^{)AlL?gcrTZKMUzuZFR|5A=hm8q zdcZIx)0%DIPe(_sb|u{g*;%T?DKr_5A}AC~gb*m4MqnuBVNg00h2!Z6mPR9p_x}90 X2@FW&EY6Dw{Kv~bHRn_NA8vmK;dRTMGZRPeir;rDcJ_lmxMul^-+kd>-}deA z9=>tsB`>V-t@ye7)si!o&wf38gqM!J#I4)?JhuL?cmDpxtGz#Z>B;uwjw{|ibL!gu zH?H~id-*+k|NWcR!OI)^#oL69m(V9UpT>{F>xc0>|J?J`q1T_@^Um0TH}AdkvbUZa z>+CvMT=&)$_dL5Ta#!x5-5c~B;Z2VgF)?^XQa2lch@A5ts*m3VSw3}aA`k$ja zZoDI&+kX@JmvVUKGp(bAo44I@0j3>zAJ@Uq{#72&roBfp`yROd@h$i4Uv}S_@^hQs zdG*~}_Z=Mj{@v%|n?65&+rPLsrUmfEl>G8d)Ax^`b>*Q|tBRsxR~>!Z+%tau4}X2(ue2=tUr*w#Z=7cc2uIOlh&=W9DRUuE6;-SZeB_>*JA-08h@`EP->{lmV-F?RAHvZ|r=B-=v;+J-WaRDd@8-r_N8&VdrTdL5#VXn!sp z>F|l~v6Rr#GF*ulTWIMT 
ziJ=@>5^$tAk{2xTL@LGGX$2_I(3_=dC6N?a2n}QQorlmC2mquA)(NU?!fXc#(w7K% z+aw{HPN*GMsufT&TV&OzrizkK!f_>MM2kEpb7rzu#T}qF#ff;ffmNEg=FRo^fWz6E z7I(tawS*O9Ns=T`eGNNmqn(ia6%^j4Eufm|NWsbb^TDDCWWBCp5i*$oDLp=6igs@J z@ib&aTdP3BqQgdp&E|4Z$*)KGaJ(NW=}fg#h;jjaLNc>a!Nl~sTiKKouMHb0UK6@` zIpSm|j4rbG3yfLIr3KVTW;b7s-~th`HN0KXYqn3rsR*W@=(1Wi9jfGUv;#Fgl4VkT z9{Sy_Dv*YlhETFNBAG18y%>yJR+A0KO0BdXlY?Y=Mga+TyQ1P01k+QL+vBhWY!VFe zSAZDxLBQI;txKiK5Hi97n-3}?C16052~f6d!(eNu`xv5pVi1TFMZwI}jA)yaA+r(3 zDPJaT_sYOP-_vfDnpmk?X1tUik|ISQWJ1*eA~afPzfahK+XIzF>;?<5MF(71FXDjG zSYXH8$Ph&Ui$sPf0zeg*zar=cAcyvoQXt$2i%dkg0cIUWQzP6I79ALgFzP_M0p?9K zNP#>>1kz1mo`ah*ITGNc6sScaxDFHwfDWAL`L&=7QN*C35y0Rf06aK;4We43TS=lF z0BAL;yZ0k$Q5XaoFqkPCIoqVI#bQ>LEpb9`3AEKy3p>KA#Mr#lS27UTS7BJ~bbN|e_F-%& zo@;ctLZwZ#`i(-e8k-bD9ZSb)hQnn(PR(;sO^RA-hyJqvH|A8*PYG zoeLyI$1&&(5ecaa$&N8b$cyKXbJvjUUNPKP3G`+Erz z1o#To<4M)#6_`Udhj&i4&CxXK&C}!Qxl}Qf-)Zsm98F^jc$%)-l&wYGCU+`+0*D$r z`;MAUCq)BLf((6=Z9HIRcvL6ca(ZbS20QcrYt99apdMXV0IN`(yM$|0R#2`wLxL5&Rcs?$oU z(Y1oA)i29hZ-z|AYpR6s9T8&v>7?NO7}%{iE_UTP?5b={*goK1>$tB>D``30_CHN)48U1dwv#rqvDhbBFy%A zg|Y=w?eVlLPQ?)KidJ+BN;Qy3S@zt@F<0)M&eG>rj(rqeJ-YPap`j_*Kv#bVyb|F$ zg+w;1WfK)&Ihk$|PL7I|C$T`HoRH%ZT}m^Rd>y8^=~TU{1v?XLrAi{<>F0ZiV6EBe zYZVjbOeLlD=p^3aU@YXAu>{0U2d@M4%)%8r9lVah6+?duJ`!H%cPTd7rXLosL%33d zw#H^p#{phtgki~GOCXWfNT4$u-$6?}OP7`jh)1$NvlHo^IFx literal 0 HcmV?d00001 diff --git a/attestation-service/verifier/test_data/az-tdx-vtpm/tpm-quote.msg b/attestation-service/verifier/test_data/az-tdx-vtpm/tpm-quote.msg new file mode 100644 index 0000000000000000000000000000000000000000..6653c5d5dd96239361531f106f08c11320f972f0 GIT binary patch literal 126 zcmew#;_Tia!Jx#z{nm43>yC5RrFk9v>bdS~)cp!K-|~B2y(h!fvJ!=(+4v8GSiAy!dLWdDWSlI!ps=V(RJBD0CL|7?Gyp2MUJZ~JV9D GrpcTee { match tee { Tee::AzSnpVtpm => GrpcTee::AzSnpVtpm, + Tee::AzTdxVtpm => GrpcTee::AzTdxVtpm, Tee::Cca => GrpcTee::Cca, Tee::Csv => GrpcTee::Csv, Tee::Sample => GrpcTee::Sample, diff --git a/kbs/test/Makefile b/kbs/test/Makefile index c75dd9d69..0a72ae80d 100644 
--- a/kbs/test/Makefile +++ b/kbs/test/Makefile @@ -25,6 +25,7 @@ install-dependencies: sudo apt-get install -y \ build-essential \ clang \ + libsgx-dcap-default-qpl \ libsgx-dcap-quote-verify-dev \ libtdx-attest-dev \ libtss2-dev \