The Intel TDX attestation sample app is a Java application that uses the Intel Trust Authority Attestation Java Client packages to get an attestation token from Intel Trust Authority. The application runs inside an Intel TDX trust domain (TD). When run, it collects a quote from the TD and sends it to Intel Trust Authority to retrieve a token.
```
┌────────────────────────────────────────────────┐
│    ┌──────────────────────────────────────┐    │
│    │           Docker Container           │    │
│    │                                      │    │
│    │    ┌──────────────────────────┐      │    │
│    │    │TDX Attestation Sample App│      │    │                ┌────────────────┐
│    │    └──────────────────────────┘      │    │                │                │
│    │                                      │    │                │                │
│    │    ┌──────────────────────────┐      │◄───┼───────────────►│  INTEL TRUST   │
│    │    │   connector-1.0.0.jar    │      │    │                │   AUTHORITY    │
│    │    └──────────────────────────┘      │    │                │     SERVER     │
│    │                                      │    │                └────────────────┘
│    │    ┌──────────────────────────┐      │    │
│    │    │      tdx-1.0.0.jar       │      │    │
│    │    └──────────────────────────┘      │    │
│    │                                      │    │
│    └──────────────────────────────────────┘    │
│                                                │
│                     TD VM                      │
└────────────────────────────────────────────────┘
```
The diagram above depicts the components used in the Intel TDX attestation sample app while running within a Docker container. The example can also be run directly inside a TD VM (provided the appropriate dependencies, such as Intel SGX DCAP, have been installed).

The Intel TDX Attestation Sample App can be encapsulated as a container, enabling it to be executed in containerized environments.

Follow the steps below to install both Docker and docker-compose. They are required to run these applications within Docker containers.
- Use Docker version 20.10.17 or later. Refer to the guide at https://docs.docker.com/engine/install/ubuntu/ for detailed instructions on Docker installation.
- Use docker-compose version 1.29.2 or later. Follow the steps outlined at https://docs.docker.com/compose/install/linux/#install-the-plugin-manually for installing docker-compose.
- Update `MAVEN_PROXY_HOST` and `MAVEN_PROXY_PORT` in `.env` if running behind a proxy.
- After Docker and docker-compose are installed, build the Docker image with the following command:

  ```sh
  docker-compose --env-file ../.env build
  ```

- After the image is built using the `docker-compose build` command, the TDX Attestation Sample App can be run using the following commands.

  ```sh
  # Creating tdx_token.env file
  cat <<EOF | tee tdx_token.env
  HTTPS_PROXY_HOST=<https-proxy-host>
  HTTPS_PROXY_PORT=<https-proxy-port>
  TRUSTAUTHORITY_BASE_URL="https://portal.trustauthority.intel.com"
  TRUSTAUTHORITY_API_URL="https://api.trustauthority.intel.com"
  TRUSTAUTHORITY_API_KEY=<trustauthority-api-key>
  TRUSTAUTHORITY_REQUEST_ID=<trustauthority-request-id>
  TRUSTAUTHORITY_POLICY_ID=<trustauthority-policy-id>
  TOKEN_SIGNING_ALG=<token-signing-alg>
  POLICY_MUST_MATCH=<true/false>
  ADAPTER_TYPE=<intel/azure>
  RETRY_MAX=<max-number-of-retries>
  RETRY_WAIT_TIME=<max-retry-wait-time>
  LOG_LEVEL=<log-level>
  EOF
  ```
> [!NOTE]
> Adapter type can be either `intel` or `azure`. The `intel` adapter is used for running the sample app on non-Azure platforms or VMs, while the `azure` adapter is used for running the sample app on Azure platforms or VMs.
- For running the Java client on non-Azure platforms or VMs:

  ```sh
  # Use docker to run the TDX Sample App...
  docker run \
      --privileged \
      --rm \
      --network host \
      -v /sys/kernel/config:/sys/kernel/config \
      --env-file tdx_token.env \
      trust-authority-java-client-tdx-sample-app:v1.2.0
  ```

- For running the Java client on Azure platforms or VMs:

  ```sh
  # Make sure the Intel(R) TPM driver device is set with the following permissions:
  # crw-rw---- 1 tss tss 253, 65536 Sep 24 03:59 /dev/tpmrm0
  # crw-rw---- 1 tss tss 10, 224 Sep 24 03:59 /dev/tpm0
  # Use docker to run the TDX Sample App...
  sudo docker run \
      --rm \
      --network host \
      --device=/dev/tpm0 --device=/dev/tpmrm0 \
      --env-file tdx_token.env \
      --group-add $(getent group tss | cut -d: -f3) \
      trust-authority-java-client-tdx-sample-app:v1.2.0
  ```
Note

- The proxy setting values for `HTTPS_PROXY_HOST` and `HTTPS_PROXY_PORT` have to be set by the user based on the system proxy settings.
- The example above uses one such proxy setting, and this can vary from system to system.
If the sample app is successful, it will display the token and other information.
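As an added example that is not part of the sample app or its repository, the POSIX sh preflight below checks a generated `tdx_token.env` against the constraints this README states for each variable (adapter type, boolean, retry counts, `https://` URLs, no unfilled `<placeholder>` values) and selects the `docker run` flags this page gives for the chosen `ADAPTER_TYPE`. The function names, the set of variables checked and the flags-as-a-string approach are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the sample app: preflight for a generated tdx_token.env.
# Checks each value against the constraints this README states and picks the docker
# run flags the README gives for the chosen ADAPTER_TYPE. Function names are this
# example's own; the env file is assumed to be plain KEY=VALUE lines as the heredoc writes them.

# env_get FILE KEY -> value with surrounding double quotes stripped; empty if absent
env_get() {
    sed -n "s/^$2=//p" "$1" | head -n 1 | sed 's/^"//; s/"$//'
}

# validate_env_file FILE -> 0 if every checked variable is set and well-formed, else 1
validate_env_file() {
    f=$1; rc=0
    for k in TRUSTAUTHORITY_BASE_URL TRUSTAUTHORITY_API_URL TRUSTAUTHORITY_API_KEY \
             TRUSTAUTHORITY_POLICY_ID ADAPTER_TYPE POLICY_MUST_MATCH RETRY_MAX RETRY_WAIT_TIME; do
        v=$(env_get "$f" "$k")
        # A value still in <angle-bracket> form means the template placeholder was never filled in.
        case $v in ''|'<'*'>') echo "$k: missing or still a <placeholder>"; rc=1; continue;; esac
        case $k in
            *_URL)             case $v in https://*) ;; *) echo "$k: must be an https:// URL"; rc=1;; esac;;
            ADAPTER_TYPE)      case $v in intel|azure) ;; *) echo "$k: must be intel or azure"; rc=1;; esac;;
            POLICY_MUST_MATCH) case $v in true|false) ;; *) echo "$k: must be true or false"; rc=1;; esac;;
            RETRY_*)           case $v in *[!0-9]*) echo "$k: must be a non-negative integer"; rc=1;; esac;;
        esac
    done
    return $rc
}

# run_flags ADAPTER_TYPE -> the docker run flags this README uses for that adapter (1 if unknown)
run_flags() {
    case $1 in
        # Non-Azure TDs: the README's command runs privileged and mounts /sys/kernel/config.
        intel) echo "--privileged --rm --network host -v /sys/kernel/config:/sys/kernel/config" ;;
        # Azure TDs: the README's command passes the TPM device nodes and the tss group instead.
        azure) echo "--rm --network host --device=/dev/tpm0 --device=/dev/tpmrm0" \
                    "--group-add $(getent group tss | cut -d: -f3)" ;;
        *)     return 1 ;;
    esac
}

# Usage: sh preflight.sh run   (no arguments only defines the functions)
main() {
    validate_env_file tdx_token.env || exit 1
    flags=$(run_flags "$(env_get tdx_token.env ADAPTER_TYPE)")
    # shellcheck disable=SC2086  # flags are intentionally word-split
    docker run $flags --env-file tdx_token.env trust-authority-java-client-tdx-sample-app:v1.2.0
}
case ${1:-} in run) main ;; esac
```

Run it from the directory holding `tdx_token.env` as `sh preflight.sh run`; a failing check prints the offending variable and exits before the container is started.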
- Compile the latest version of `connector` and `tdx` with the following command.

  ```sh
  cd ../../ && \
  mvn -X -e clean compile install package -DskipTests && \
  cd -
  ```

- Compile the Sample App with the following command.

  ```sh
  mvn compile
  ```
- You must set these variables in the environment before running the sample app.

  ```sh
  export HTTPS_PROXY_HOST=<HTTPS_PROXY_HOST>
  export HTTPS_PROXY_PORT=<HTTPS_PROXY_PORT>
  export TRUSTAUTHORITY_BASE_URL=<TRUSTAUTHORITY_BASE_URL>
  export TRUSTAUTHORITY_API_URL=<TRUSTAUTHORITY_API_URL>
  export TRUSTAUTHORITY_API_KEY=<TRUSTAUTHORITY_API_KEY>
  export TRUSTAUTHORITY_REQUEST_ID=<TRUSTAUTHORITY_REQUEST_ID>
  export TRUSTAUTHORITY_POLICY_ID=<TRUSTAUTHORITY_POLICY_ID>
  export TOKEN_SIGNING_ALG=<TOKEN_SIGNING_ALG>
  export POLICY_MUST_MATCH=<true/false>
  export ADAPTER_TYPE=<azure/intel>
  export RETRY_MAX=<MAX_NUMBER_OF_RETRIES>
  export RETRY_WAIT_TIME=<MAX_RETRY_WAIT_TIME>
  export LOG_LEVEL=<LOG_LEVEL>
  ```

- After setting the environment variables, run the sample app with the following command.

  ```sh
  mvn exec:java -Dexec.mainClass="com.intel.trustauthority.tdxsampleapp.SampleApp"
  ```
Note

- The proxy setting values for `HTTPS_PROXY_HOST` and `HTTPS_PROXY_PORT` have to be set by the user based on the system proxy settings.
- The example above uses one such proxy setting, and this can vary from system to system.