Add TDX CCEL support to token command and refactor flags#620
Open
yanchengchen7 wants to merge 1 commit intogoogle:mainfrom
Open
Add TDX CCEL support to token command and refactor flags#620yanchengchen7 wants to merge 1 commit intogoogle:mainfrom
yanchengchen7 wants to merge 1 commit intogoogle:mainfrom
Conversation
yanchengchen7
force-pushed
the
tdx-ccel
branch
from
bf37055 to
b84388f
Compare
yanchengchen7
force-pushed
the
tdx-ccel
branch
from
b84388f to
3fef05b
Compare
Collaborator
Author
|
/gcbrun |
1 similar comment
Contributor
|
/gcbrun |
alexmwu
approved these changes
Dec 30, 2025
Comment on lines
+141
to
+147
| // If teeTechnology is not set, try to detect it from the attestation. | ||
| if teeTechnology == "" { | ||
| if attestation.GetTdxAttestation() != nil { | ||
| teeTechnology = Tdx | ||
| } | ||
| } | ||
|
|
Contributor
There was a problem hiding this comment.
I think we should remove the detection. The caller should specify the TEE attestation to verify, just like with the gotpm attest command
yanchengchen7
force-pushed
the
tdx-ccel
branch
2 times, most recently
from
1d077ed to
cec9607
Compare
Collaborator
Author
|
/gcbrun |
alexmwu
reviewed
Jan 2, 2026
Comment on lines
+138
to
+161
| // Add logic to open other hardware devices when required. | ||
| switch teeTechnology { | ||
| case SevSnp: | ||
| attestOpts.TEEDevice, err = client.CreateSevSnpQuoteProvider() | ||
| if err != nil { | ||
| return fmt.Errorf("failed to open %s device: %v", SevSnp, err) | ||
| } | ||
| attestOpts.TEENonce = teeNonce | ||
| case Tdx: | ||
| attestOpts.TEEDevice, err = client.CreateTdxQuoteProvider() | ||
| if err != nil { | ||
| return fmt.Errorf("failed to create %s quote provider: %v", Tdx, err) | ||
| } | ||
| attestOpts.TEENonce = teeNonce | ||
| case "": | ||
| if len(teeNonce) != 0 { | ||
| return fmt.Errorf("use of --tee-nonce requires specifying TEE hardware type with --tee-technology") | ||
| } | ||
| default: | ||
| // Change the return statement when more devices are added | ||
| return fmt.Errorf("tee-technology should be either empty or should have values %s or %s", SevSnp, Tdx) | ||
| } | ||
|
|
||
| attestation, err := ak.Attest(attestOpts) |
Contributor
There was a problem hiding this comment.
This is duplicated with https://github.com/google/go-tpm-tools/blob/main/cmd/attest.go#L84-L105. Please refactor into a helper like func addTEEOpts(opts client.AttestOpts) error
yawangwang
reviewed
Jan 2, 2026
| return fmt.Errorf("tee-technology should be either empty or should have values %s or %s", SevSnp, Tdx) | ||
| } | ||
|
|
||
| attestation, err := ak.Attest(attestOpts) |
Collaborator
There was a problem hiding this comment.
Currently there's no binding b/w TPM and TDX attestation, so it's premature to enable tee-nonce and tee-technology flags for the token command.
Comment on lines
+188
to
+194
| req.TDCCELAttestation = &verifier.TDCCELAttestation{ | ||
| TdQuote: rawQuote, | ||
| CcelAcpiTable: ccelTable, | ||
| CcelData: ccelData, | ||
| AkCert: attestation.AkCert, | ||
| IntermediateCerts: attestation.IntermediateCerts, | ||
| } |
Collaborator
There was a problem hiding this comment.
This enables sending TDX CVM attestation to GCA for verification. However, since TDX CVM support is not yet GA, users will likely encounter errors when using the CLI.
This PR should be held until TDX CVM and hardware binding reach GA.
yanchengchen7
force-pushed
the
tdx-ccel
branch
3 times, most recently
from
b0ddfb2 to
5f710b7
Compare
* Move `teeTechnology` flag to flags.go to share it between `attest` and `token` commands. * Update `token` command to support TDX CCEL attestation by reading CCEL data and ACPI tables. * Enable `tee-technology` flag for the `token` command. * Populate the `GceInstance` field in `VerifyAttestationRequest` using MDS data (project number, zone, and instance ID) for the `token` command. * Ensure the `token` command uses the challenge nonce for TEE attestation, ignoring any user-provided `--tee-nonce`.
alexmwu
approved these changes
Apr 16, 2026
| ccelData = bytes.TrimRight(ccelData, "\xff") | ||
|
|
||
| ccelTable, err := os.ReadFile("/sys/firmware/acpi/tables/CCEL") | ||
| ccelTable, err := os.ReadFile(internal.AcpiTableFile) |
Contributor
There was a problem hiding this comment.
This is not useful. Can we disable the check on GCA? https://github.com/google/go-eventlog/blob/5cd85087f9f9ddf6e02330fb549879cf5ff54b06/extract/extract.go#L69
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
teeTechnologyflag to flags.go to share it betweenattestandtokencommands.tokencommand to support TDX CCEL attestation by reading CCEL data and ACPI tables.GceInstancefield inVerifyAttestationRequestusing MDS data for thetokencommand.Example usage:
gotpm token --tee-technology tdx