Remote ATtestation ProcedureS                                  G. Kostal
Internet-Draft                                                 Microsoft
Intended status: Informational                                 R. Yeluri
Expires: 22 November 2026                                          Intel
                                                                D. Kumar
                                                                  Nvidia
                                                            S. Dittakavi
                                                               Microsoft
                                                                  H. Xia
                                                                   J. Yu
                                                                   Intel
                                                             21 May 2026


 EAT Attestation Result (EAR) profile for Intel® Trust Domain Extensions
         (TDX) + Confidential GPU (C-GPU) composite attestation
                draft-kykdxy-rats-tdx-cgpu-ear-profile-01

Abstract

   This document defines an Entity Attestation Token (EAT) Attestation
   Result (EAR) profile for the composite attestation of Intel® Trust
   Domain Extensions (TDX)-based Confidential Virtual Machines (CVMs)
   together with confidential NVIDIA GPUs (C-GPUs) deployed in Microsoft
   Azure.  The profile outlines claims that enable relying parties to
   establish trust in the integrity and confidentiality of the combined
   confidential computing environment.  Developed collaboratively by
   Microsoft, Intel, and NVIDIA, this work is intended to foster
   interoperable composite attestation across heterogeneous Trusted
   Execution Environments (TEEs) and confidential accelerators, while
   encouraging adoption and extension by verifier providers across the
   confidential computing ecosystem.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

Kostal, et al.          Expires 22 November 2026                [Page 1]

Internet-Draft           TDX+C-GPU EAR profile                  May 2026

   This Internet-Draft will expire on 22 November 2026.
Copyright Notice

   Copyright (c) 2026 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Requirements Language . . . . . . . . . . . . . . . . . . . .   3
   3.  Scenario overview . . . . . . . . . . . . . . . . . . . . . .   3
   4.  EAR claims for TDX + C-GPU composite attestation  . . . . . .   4
     4.1.  JWT claims  . . . . . . . . . . . . . . . . . . . . . . .   4
     4.2.  EAT claims  . . . . . . . . . . . . . . . . . . . . . . .   5
     4.3.  EAR claims  . . . . . . . . . . . . . . . . . . . . . . .   5
     4.4.  TDX claims  . . . . . . . . . . . . . . . . . . . . . . .   7
       4.4.1.  ear_evidence_claims . . . . . . . . . . . . . . . . .   7
       4.4.2.  ear_verifier_claims . . . . . . . . . . . . . . . . .   9
     4.5.  CVM claims  . . . . . . . . . . . . . . . . . . . . . . .  10
       4.5.1.  ear_evidence_claims . . . . . . . . . . . . . . . . .  10
       4.5.2.  ear_verifier_claims . . . . . . . . . . . . . . . . .  12
     4.6.  C-GPU claims  . . . . . . . . . . . . . . . . . . . . . .  12
   5.  Examples  . . . . . . . . . . . . . . . . . . . . . . . . . .  16
     5.1.  Sample TDX + C-GPU attestation token  . . . . . . . . . .  16
   6.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  22
     6.1.  Normative References  . . . . . . . . . . . . . . . . . .  22
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  22

1.  Introduction

   This document defines an Entity Attestation Token [EAT] Attestation
   Result (EAR) profile for composite attestation of an Intel® Trust
   Domain Extensions [TDX]-based Confidential Virtual Machine (CVM)
   together with one or more Nvidia confidential GPUs (C-GPUs) running
   in Azure.
   It addresses scenarios where a relying party must verify that all
   components of a confidential compute workload (CPU, guest VM, and
   accelerators) are cryptographically bound and jointly trusted before
   releasing sensitive information such as secrets or cryptographic
   keys.

   The profile assumes a composite attestation model, where multiple
   hardware-backed attesters contribute evidence that is verified and
   consolidated by a verifier.  Successful verification ensures that the
   components form a single, unified trust domain, preventing
   substitution or partial compromise.

   The base scenario deliberately adopts an "all-or-nothing" trust
   semantic: a relying party is expected to release secrets only when
   the verifier has established that all components included in the
   composite attestation are bound and trusted.  The profile does not
   attempt to model partial trust graphs or workload-specific data-flow
   constraints.

   The objective of this profile is to provide a stable attestation
   result format for confidential AI deployments by defining a
   consistent set of claims that relying parties can process uniformly.
   In these environments, multiple relying parties often operate under
   different business and regulatory requirements, which may require the
   use of multiple verifiers.  Without a common structure, relying
   parties would need to interpret diverse attestation result formats
   and verifier-specific claims.  The Composite EAR Profile removes this
   complexity by defining a unified attestation result structure,
   allowing relying parties to evaluate results against their policies
   without custom parsing or translation.  The profile is designed to
   support consistent outputs across verifiers while remaining flexible
   enough to incorporate future confidential computing technologies and
   trust signals without disrupting existing deployments.

2.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

3.  Scenario overview

   The canonical scenario allows a Relying Party (RP) to verify the
   integrity of a CVM and its associated hardware before releasing
   secrets.  The CVM consists of confidential-computing-enabled CPUs and
   one or more confidential GPUs provisioned at deployment and assumed
   to remain static throughout its lifecycle.  These components
   collectively form the CVM's Trusted Compute Base (TCB), and any
   secrets released by the RP may be accessed only within this verified
   TCB.

   The RP must verify the trustworthiness of the CPU, the CVM boot flow,
   and the attached confidential GPUs.  To support this, the Composite
   token provides:

   1.  an aggregate trust claim confirming that secrets remain confined
       to the verified TCB,

   2.  an ephemeral provisioning key for secure secret delivery, and

   3.  detailed per-component appraisal data for inspection and
       troubleshooting.

   The composite attestation relies on foundational trust assumptions.
   The trust model assumes a static TCB after provisioning.  Any out-of-
   band changes, such as hot-plugging a new GPU, violate the trust
   contract and must be blocked, as the composite attestation result
   reflects the security state only at the time of evidence collection
   and does not support asynchronous updates without full re-
   attestation.  Additionally, to prevent lateral data leakage, it is
   assumed that each GPU within the TCB confines any secrets released by
   the relying party to its own isolated execution environment.
   Confidential data sharing with other GPUs over peer-to-peer
   interfaces (e.g., NVLink) is assumed to be disallowed as part of this
   trust model.

4.  EAR claims for TDX + C-GPU composite attestation

4.1.  JWT claims

   The following claims are reused from the IETF [JWT] specification.
   The complete definitions of the claims are available in the JSON Web
   Token (JWT) specification.

   iat
      The "iat" (issued at) claim identifies the time at which the JWT
      was issued.

   iss
      The "iss" (issuer) claim identifies the principal that issued the
      JWT.

   jti
      The "jti" (JWT ID) claim provides a unique identifier for the JWT.

   nbf
      The "nbf" (not before) claim identifies the time before which the
      JWT MUST NOT be accepted for processing.

   exp
      The "exp" (expiration time) claim identifies the expiration time
      on or after which the JWT MUST NOT be accepted for processing.

4.2.  EAT claims

   The following claims are reused from the EAT specification.  The
   complete definitions of the claims are available in the EAT
   specification.

   eat_profile
      The "eat_profile" claim identifies an Entity Attestation Token
      (EAT) profile by either a URL or an OID.

   eat_nonce (optional)
      An EAT nonce is either a byte or text string or an array of byte
      or text strings representing verifier response freshness.  The
      array option supports multistage EAT verification and consumption.

4.3.  EAR claims

   The following claims are reused from the IETF draft EAT Attestation
   Results (EAR) message format.  The complete definitions of the claims
   are available in the EAR specification.

   ear_status
      The string represents the aggregated appraisal status across all
      attesters, reflecting the composite attestation result.  (Check
      the latest definition in EAR profile v4.  The current preference
      is to reflect the minimum baseline across all attesters.)

   ear_verifier_id
      The string represents identifying information about the software
      and organizational unit that performed the attestation appraisal.
   ear_raw_evidence (optional)
      The string represents the unabridged evidence submitted for
      appraisal, including any signed container or envelope.

   ear_all_submods_bound (optional)
      A string value indicating whether all submod components in the
      EAR token are provably bound to each other ("true", "false",
      "unknown").

   ear_evidence_nonce (optional)
      If all submods share the same value for eat_nonce, the value may
      be replicated as a top-level claim.

   submods
      A submodule map holding one EAR appraisal for each separately
      appraised attester.  Each submod carries the following claims:

      ear_status
         The string represents the appraisal status for an attester as
         one of the defined trustworthiness tiers.

      eat_profile (optional)
         The "eat_profile" claim identifies an Entity Attestation Token
         (EAT) profile by either a URL or an OID.

      eat_nonce (optional)
         The claim represents evidence freshness.

      ear_trustworthiness_vector
         The AR4SI trustworthiness vector giving a breakdown of
         appraisal values for an attester.

      ear_appraisal_policy_ids (optional)
         A list of one or more unique identifiers for appraisal
         policies used to evaluate the attestation results.

      ear_evidence_claims
         A JSON object containing the normalized, attester-reported
         evidence claims that the verifier accepted as input to its
         appraisal of this submod.  The contents are organized as a
         flat or nested map of named claims defined by the submod's
         profile (for TDX, see Section 4.4; for the CVM guest, see
         Section 4.5; for C-GPU, see Section 4.6).  Values in this
         object originate from the attester (or are derived directly
         from attester-supplied evidence) and are reproduced here
         verbatim after parsing and schema validation; the verifier
         does not add appraisal verdicts, reference-value comparisons,
         or trust judgements to claims under this object.

      ear_verifier_claims
         A JSON object containing claims that are produced by the
         verifier itself as a result of appraising this submod.  These
         claims are not present in the attester evidence and are added
         by the verifier to convey appraisal context, reference-data
         state, and verifier-derived dispositions.

      ear_managed_keysets (optional)
         A JSON object that carries one or more named key sets
         extracted from the attestation evidence by the verifier on
         behalf of the attester, intended for use by the relying party
         (for example, to deliver secrets into the verified Trusted
         Compute Base).  Each property of the object is a key-set name
         (e.g., ephemeral-transfer-keys) whose value is an array of
         JSON Web Keys (JWKs, per RFC 7517).

4.4.  TDX claims

4.4.1.  ear_evidence_claims

   The following attester-reported claims appear as named members of
   the tdx submod's ear_evidence_claims container:

   tdx_mrconfigid
      The hexadecimal string represents a byte array of length 48,
      which contains the software-defined ID for non-owner-defined
      configuration of the TDX, e.g., runtime or OS configuration.

   tdx_mrowner
      The hexadecimal string represents a byte array of length 48,
      which contains the software-defined ID for the TDX's owner.

   tdx_mrownerconfig
      The hexadecimal string represents a byte array of length 48,
      which contains the software-defined ID for owner-defined
      configuration of the TDX, e.g., specific to the workload rather
      than the runtime or OS.

   tdx_mrseam
      The hexadecimal string represents a byte array of length 48,
      which contains the measurement of the Intel TDX module.

   tdx_mrsignerseam
      The hexadecimal string represents a byte array of length 48,
      which contains the measurement of the TDX module signer.

   tdx_mrtd
      The hexadecimal string represents a byte array of length 48,
      which contains the measurement of the initial contents of the
      TDX.

   tdx_report_data
      The hexadecimal string represents a byte array of length 64.  In
      this context, the TDX has the flexibility to include 64 bytes of
      custom data in a TDX Report.  For instance, this space can be
      used to hold a nonce, a public key, or a hash of a larger block
      of data.

   tdx_rtmr0 - tdx_rtmr3
      Each hexadecimal string represents a byte array of length 48,
      which contains the runtime extendable measurement register.

   tdx_seam_attributes
      The hexadecimal string represents a byte array of length 8, which
      contains additional configuration of the TDX module.

   tdx_seamsvn
      The number represents the Intel TDX module security version
      number (SVN).

   tdx_td_attributes
      The hexadecimal string represents a byte array of length 8.
      These are the attributes associated with the Trusted Domain (TD).

   tdx_td_attributes_debug
      The boolean value represents whether the TD runs in TD debug mode
      (set to 1) or not (set to 0).  In TD debug mode, the CPU state
      and private memory are accessible by the host VMM.

   tdx_td_attributes_key_locker
      The boolean value represents whether the TD is allowed to use Key
      Locker.

   tdx_td_attributes_perfmon
      The boolean value represents whether the TD is allowed to use
      Perfmon and PERF_METRICS capabilities.

   tdx_td_attributes_protection_keys
      The boolean value represents whether the TD is allowed to use
      Supervisor Protection Keys.

   tdx_td_attributes_septve_disable
      The boolean value represents whether to disable EPT violation
      conversion to #VE on TD access of PENDING pages.

   tdx_tee_tcb_svn
      The hexadecimal string represents a byte array of length 16,
      which describes the TCB SVNs of TDX.

   tdx_xfam
      The hexadecimal string represents a byte array of length 8, which
      contains a mask of CPU extended features that the TDX is allowed
      to use.

   sgx_tcb_comp_svn
      The hexadecimal string represents the array of security version
      numbers (SVNs) for Intel SGX TCB components.
   pce_svn
      The integer value represents the security version number (SVN) of
      the Intel SGX Provisioning Certification Enclave (PCE), which is
      part of the TDX TCB.

   platform_instance_id
      The hexadecimal string represents a byte array of length 16,
      generated during Intel TDX Initial Platform Establishment (IPE),
      that uniquely identifies a specific physical platform instance.

4.4.2.  ear_verifier_claims

   The following verifier-derived claims appear as named members of the
   tdx submod's ear_verifier_claims container:

   attester_tcb_date
      The date-time string is in UTC and encoded using ISO 8601, and it
      represents the date of the evaluated TCB level.

   attester_tcb_status
      The string describes the evaluated status of the attesting
      platform TCB level.

   attester_advisory_ids
      The array of advisory IDs refers to Intel security advisories
      that explain the reason(s) for the attester_tcb_status value of
      the evaluated platform TCB level.

   tdx_collateral
      The metadata of Intel Provisioning Certification Service (PCS)
      TDX collateral that the verifier used to appraise the attesting
      platform's quote.  Specifically: tcbevaluationdatanumber (TCB
      Evaluation Data Number) represents the version of the TDX
      verification collateral, and fmspc indicates the FMSPC associated
      with that collateral.

4.5.  CVM claims

   The following claim appears as a peer of the other submod-level EAR
   claims (e.g., ear_appraisal_policy_ids) within the cvm_guest submod:

   ear_azurevm_policy_hash
      The base64url-encoded string represents the hash (SHA-256) of the
      Azure VM guest attestation appraisal policy that the verifier
      evaluated to produce the cvm_guest submod result.

4.5.1.  ear_evidence_claims

   The following attester-reported claims appear as named members of
   the cvm_guest submod's ear_evidence_claims container (see
   Section 4.3):

   secureboot
      The boolean value represents whether secure boot is enabled.
   azurevm_attestation_protocol_ver
      The string value represents the version of the Azure VM
      attestation protocol used to generate the attestation token.

   azurevm_attested_pcrs
      The array represents PCR indices included in the TPM quote and
      successfully validated by the service.

   azurevm_bootdebug_enabled
      The boolean value represents whether boot debugging was enabled
      for the Azure VM at boot time.

   azurevm_dbvalidated
      The boolean value represents whether the UEFI Secure Boot
      signature database (DB) was successfully validated during boot.

   azurevm_dbxvalidated
      The boolean value represents whether the UEFI Secure Boot
      revocation database (DBX) was successfully validated.

   azurevm_debuggersdisabled
      The boolean value represents whether kernel and user-mode
      debuggers were disabled in the guest operating system at boot.

   azurevm_default_securebootkeysvalidated
      The boolean value represents whether the default Microsoft Secure
      Boot keys were present and validated during Secure Boot
      initialization.

   azurevm_elam_enabled
      The boolean value represents whether Early Launch Anti-Malware
      (ELAM) was enabled, ensuring that trusted anti-malware drivers
      are loaded before other boot drivers.

   azurevm_flightsigning_enabled
      The boolean value represents whether flight signing was enabled,
      allowing test or preview-signed binaries to load in the guest OS.

   azurevm_hvci_policy
      The integer value represents the Hypervisor-Enforced Code
      Integrity (HVCI) policy configured and enforced by the guest
      operating system.

   azurevm_hypervisordebug_enabled
      The boolean value represents whether hypervisor debugging was
      enabled for the Azure VM.

   azurevm_is_windows
      The boolean value represents whether the guest operating system
      running inside the Azure VM is Microsoft Windows.

   azurevm_kerneldebug_enabled
      The boolean value represents whether kernel debugging was enabled
      in the guest operating system at boot time.
   azurevm_osbuild
      The string value represents the operating system build number of
      the guest OS running in the Azure VM.

   azurevm_osdistro
      The string value represents the guest operating system
      distribution name (for example: a specific Linux distribution or
      Windows edition).

   azurevm_ostype
      The string value represents the guest operating system family or
      type (for example: Windows, Linux).

   azurevm_osversion_major
      The integer value represents the major version number of the
      guest operating system.

   azurevm_osversion_minor
      The integer value represents the minor version number of the
      guest operating system.

   azurevm_signingdisabled
      The boolean value represents whether code signing enforcement was
      disabled, allowing unsigned binaries to be loaded.

   azurevm_testsigning_enabled
      The boolean value represents whether test signing mode was
      enabled, allowing test-signed binaries to execute in the guest
      OS.

   azurevm_vmid
      The string value represents the unique identifier (VM ID)
      assigned to the Azure Virtual Machine instance.

   runtime
      A JSON object containing claims that are defined and generated
      within the attested environment.  This includes information such
      as keys and client payload, which are formatted as UTF-8-encoded,
      well-formed JSON.

4.5.2.  ear_verifier_claims

   The following verifier-derived claims appear as named members of the
   cvm_guest submod's ear_verifier_claims container (see Section 4.3):

   x_ms_compliance_status
      The string value summarizes the Microsoft-defined compliance
      disposition of the attested CVM guest (for example, azure-
      compliant-cvm-guestvm indicates the guest satisfies the Azure
      confidential VM guest compliance baseline).

4.6.  C-GPU claims

   eat_profile
      The eat_profile from the EAR token generated by the NVIDIA
      verifier.  This identifies the EAR profile, not the evidence
      profile.

   ear_status
      The ear_status from the EAR token generated by the NVIDIA
      verifier.
   ear_nvidia_purpose
      The context associated with the appraisal.  A GPU can respond out
      of band for infrastructure attestation and in band for various
      modes such as CC-TDISP.  This claim allows an RP to ensure that
      an EAR meant for a different purpose is not used by that RP.

   ear_trustworthiness_vector (optional)
      The ear_trustworthiness_vector from the EAR token generated by the
      NVIDIA verifier.

   eat_nonce (optional)
      The eat_nonce from the EAR token generated by the NVIDIA verifier.
      This nonce represents evidence freshness, not freshness of the
      response from the NVIDIA verifier.

   ear_verifier_claims
      A collection of claims generated by the verifier during the
      process of evidence appraisal, other than any claim from evidence
      that the verifier copies into ear_evidence_claims (explained
      below).  ear_verifier_claims includes claims that were not part
      of the evidence (e.g., certificate chain related claims).

   ear_verifier_claims.ear_nvidia_evidence
      A collection of claims generated by the verifier based on the
      evidence validation step prior to comparison to reference values.

   ear_verifier_claims.ear_nvidia_evidence.signature_verified
      This boolean value indicates whether the signature on the SPDM
      response has been verified successfully.

   ear_verifier_claims.ear_nvidia_evidence.parsed (optional)
      This boolean value indicates whether the evidence has been
      successfully parsed.  If signature verification of the SPDM
      response fails, this claim will not be emitted.

   ear_verifier_claims.ear_nvidia_evidence.cert_chain (optional)
      An array of claims related to each of the certificates in the
      device certificate chain.  Every array entry corresponds to one
      certificate in the chain.  The certs are listed in order from the
      root to the end entity cert.

   ear_verifier_claims.ear_nvidia_evidence.cert_chain[].status
      The string value represents the validation result of the
      certificate.
   ear_verifier_claims.ear_nvidia_evidence.cert_chain[].ocsp_crl_status
   (optional)
      The string value represents the certificate status from Online
      Certificate Status Protocol (OCSP) or CRL.

   ear_verifier_claims.ear_nvidia_evidence.cert_chain[].ocsp_nonce_matches
   (optional)
      The boolean value represents whether the nonce in the OCSP
      response matches the nonce sent in the OCSP request.

   ear_verifier_claims.ear_nvidia_evidence.cert_chain[].expiration_date
      The string value represents the expiration timestamp of the
      certificate.

   ear_verifier_claims.ear_nvidia_evidence.cert_chain[].revocation_reason
   (optional)
      The string value represents the revocation reason returned by
      certificate status validation if the certificate has been
      revoked.

   ear_verifier_claims.ear_nvidia_evidence.akpub (optional)
      This claim represents the public key from the end entity
      certificate used by the verifier to verify the signature on the
      SPDM response from the attester.

   ear_verifier_claims.ear_nvidia_evidence.nonce_match

   ear_verifier_claims.ear_nvidia_rims (optional)
      A collection of claims generated by the verifier during its
      attempts to acquire and validate RIMs.  This claim must be
      emitted if the verifier decides to attempt to acquire RIMs.

   ear_verifier_claims.ear_nvidia_rims[].fetched
      The boolean value indicates whether the verifier successfully
      retrieved the corresponding NVIDIA RIM required for evidence
      validation.

   ear_verifier_claims.ear_nvidia_rims[].signature-verified (optional)
      The boolean value indicates that the digital signature of the RIM
      was successfully verified using NVIDIA's signing certificates.
      This claim must be emitted if the fetched claim above is true.

   ear_verifier_claims.ear_nvidia_rims[].id (optional)
      The string value represents the identifier of the NVIDIA
      Reference Integrity Manifest (RIM).
   ear_verifier_claims.ear_nvidia_rims[].cert_chain (optional)
      An array of claims related to each of the certificates in the RIM
      certificate chain.  Every array entry corresponds to one
      certificate in the chain.  The certs are listed in order from the
      root to the end entity cert.

   ear_verifier_claims.ear_nvidia_rims[].cert_chain[].status
      The string value represents the validation result of the
      certificate.

   ear_verifier_claims.ear_nvidia_rims[].cert_chain[].ocsp_crl_status
   (optional)
      The string value represents the certificate status from Online
      Certificate Status Protocol (OCSP) or CRL.

   ear_verifier_claims.ear_nvidia_rims[].cert_chain[].ocsp_nonce_matches
   (optional)
      The boolean value represents whether the nonce in the OCSP
      response matches the nonce sent in the OCSP request.

   ear_verifier_claims.ear_nvidia_rims[].cert_chain[].expiration_date
      The string value represents the expiration timestamp of the
      certificate.

   ear_verifier_claims.ear_nvidia_rims[].cert_chain[].revocation_reason
   (optional)
      The string value represents the revocation reason returned by
      certificate status validation if the certificate has been
      revoked.

   ear_verifier_claims.ear_nvidia_evidence_rim_cmp (optional)
      A collection of claims generated by the verifier during the
      process of reference value corroboration.  This claim must be
      emitted if the verifier reaches the corroboration phase.

   ear_verifier_claims.nvidia_evidence_rim_cmp.matched-env
      The array of environment-maps from evidence that can be satisfied
      by CoRIM(s).

   ear_verifier_claims.nvidia_evidence_rim_cmp.unmatched-env
      The array of environment-maps from evidence that were not found
      in CoRIM(s).

   ear_verifier_claims.nvidia_evidence_rim_cmp.mismatched-env
      The array of environment-maps from evidence that were found in
      CoRIM(s) but cannot be satisfied by the reference values in such
      CoRIM(s).
   ear_verifier_claims.nvidia_evidence_rim_cmp.cert_chain_dti_match
      The boolean value indicates the status of the comparison of all
      DiceTcbInfo structures found in the cert chain of the attester to
      suitable environment-maps from CoRIM(s).

   ear_evidence_claims (optional)
      A collection of claims copied from evidence without any
      comparison to reference values.

   ear_evidence_claims.oemid
      This claim identifies the Original Equipment Manufacturer (OEM)
      of the hardware.

   ear_evidence_claims.hwmodel
      This claim identifies the model of the GPU.

5.  Examples

5.1.  Sample TDX + C-GPU attestation token

   Below is a sample TDX + C-GPU attestation token which includes claims
   from this EAR profile.

   {
     "eat_profile": "points to TDX+GPU composite EAR profile in IETF website",
     "eat_nonce": "a1b2c3d4e5f67890123456789abcdef0",
     "iat": 1666529300,
     "iss": "https://mytenant.rats.verifier.com",
     "jti": "950a20caadb27206dda48f8d9f15d550d935ba5d6d074321ea34398ca5bc5975",
     "nbf": 1764709981,
     "exp": 1764738781,
     "ear_verifier_id": {
       "developer": "https://rats.verifier.com",
       "build": "v1.23.0"
     },
     "ear_raw_evidence": "NzQ3MjY5NzM2NTYzNzQKNzQ3MjY5NzM2NTYzNzQK...",
     "ear_status": "affirming",
     "ear_all_submods_bound": "true",
     "submods": {
       "tdx": {
         "ear_status": "affirming",
         "ear_profile": "https://portal.trustauthority.intel.com/ear_profile.html",
         "ear_trustworthiness_vector": {
           "instance-identity": 2,
           "executables": 2,
           "hardware": 2
         },
         "ear_appraisal_policy_ids": [
           "tdx-default-v1"
         ],
         "ear_evidence_claims": {
           "tdx_mrconfigid": "018779f38c1cc5d1e643fbfc7238bae2c227f7ffa4c72c049802942658acfc5bee000000000000000000000000000000",
           "tdx_mrowner": "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
           "tdx_mrownerconfig": "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
           "tdx_mrseam": "7bf063280e94fb051f5dd7b1fc59ce9aac42bb961df8d44b709c9b0ff87a7b4df648657ba6d1189589feab1d5a3c9a9d",
           "tdx_mrsignerseam": "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
           "tdx_mrtd": "75f3acc2e1dfc3acf404d7eaa69a2eefcd0475a0dd6516ef5ba3cb83399c61b4aa1c638e3622bb650a514bfc6e858886",
           "tdx_report_data": "b4ee5ceb6bee96cac5605b2af1d2a483f0a6f790c6de738e7d2430ba33a350a86d1ace43b90ea9421624738151b677a23a577e2fc0c6180ae786ca1cf91e0eac",
           "tdx_rtmr0": "59dc57e1e3029f15034b127f0264a8e6f00db6c178bb087bc03205243d5d9daeff8bbeccced48d881c2a63d8974dbe26",
           "tdx_rtmr1": "70c3be9ff6c2fab010196a5fa1dd04c1bad37a4a1d2531cb56a9762d9f3b59c4f20b630a572396da77f8238d8e056bc2",
           "tdx_rtmr2": "3142d2479ce77c402ce8d67a04a67d57de798fa98748ca5f0486d4985919cad7de9a31adaa51d1073c62eafd0dfc8891",
           "tdx_rtmr3": "b56c050e7ae3846678603ab7ef552bf6452710f5601337b69b00f6e8894f5b0a0f87b9ed39faebba3e2d740dba701d5b",
           "tdx_seam_attributes": "0000000000000000",
           "tdx_seamsvn": 258,
           "tdx_td_attributes": "0000000000000000",
           "tdx_td_attributes_debug": false,
           "tdx_td_attributes_key_locker": false,
           "tdx_td_attributes_perfmon": false,
           "tdx_td_attributes_protection_keys": false,
           "tdx_td_attributes_septve_disable": false,
           "tdx_tee_tcb_svn": "02010600000000000000000000000000",
           "tdx_xfam": "e718060000000000",
           "sgx_tcb_comp_svn": "06060202030100030000000000000000",
           "pce_svn": 11,
           "platform_instance_id": "2ba7336ce9acf49fe7d3e3625337e510"
         },
         "ear_verifier_claims": {
           "attester_tcb_date": "2025-05-14T00:00:00Z",
           "attester_advisory_ids": [ "INTEL-SA-01192", "INTEL-SA-01245" ],
           "attester_tcb_status": "OutOfDate",
           "tdx_collateral": {
             "fmspc": "B0C06F000000",
             "tcbevaluationdatanumber": 20
           }
         }
       },
       "cvm_guest": {
         "eat_profile": "https://aka.ms/eat-profile-cvm-guest/1.0.0",
         "ear_status": "affirming",
         "ear_trustworthiness_vector": {
           "instance-identity": 2,
           "executables": 2
         },
         "ear_appraisal_policy_ids": [
           "policy:cvm-guest/7e8f1b2a-9c4d-4327-b59a-8d6e1a3f0c2b"
         ],
         "ear_azurevm_policy_hash": "ndXtG3MNtueeIPCj2Y-3fDFl16CREC5FF_sUyU4fLQ8",
         "ear_managed_keysets": {
           "ephemeral-transfer-keys": [
             {
               "e": "AQAB",
               "key_ops": [ "encrypt" ],
               "kid": "TpmEphemeralEncryptionKey",
               "kty": "RSA",
               "n": "zcjFQAABYsqZUkS4w"
             }
           ]
         },
         "ear_evidence_claims": {
           "secureboot": true,
           "azurevm_attestation_protocol_ver": "2.0",
           "azurevm_attested_pcrs": [ 0, 1, 2, 3, 4, 5, 6, 7 ],
           "azurevm_bootdebug_enabled": false,
           "azurevm_dbvalidated": true,
           "azurevm_dbxvalidated": true,
           "azurevm_debuggersdisabled": true,
           "azurevm_default_securebootkeysvalidated": true,
           "azurevm_elam_enabled": false,
           "azurevm_flightsigning_enabled": false,
           "azurevm_hvci_policy": 0,
           "azurevm_hypervisordebug_enabled": false,
           "azurevm_is_windows": false,
           "azurevm_kerneldebug_enabled": false,
           "azurevm_osbuild": "NotApplication",
           "azurevm_osdistro": "Debian GNU/Linux",
           "azurevm_ostype": "Linux",
           "azurevm_osversion_major": 13,
           "azurevm_osversion_minor": 0,
           "azurevm_signingdisabled": true,
           "azurevm_testsigning_enabled": false,
           "azurevm_vmid": "59ECD20B-CD92-4A84-82CB-9F3F06E9CDEC",
           "runtime": {
             "client_payload": {
               "Nonce": "MaaSandbox Nonce : 12/2/2025 9:13:01 PM",
               "RelyingPartyId": "bcd368ce93bdad7c2f67bfd7af0d6b052c127aec28802c376f54a6ca8712ae32"
             },
             "keys": [
               {
                 "e": "AQAB",
                 "key_ops": [ "encrypt" ],
                 "kid": "TpmEphemeralEncryptionKey",
                 "kty": "RSA",
                 "n": "zcjFQAABYsqZUke3aw"
               }
             ]
           }
         },
         "ear_verifier_claims": {
           "x_ms_compliance_status": "azure-compliant-cvm-guestvm"
         }
       },
       "gpu_0": {
         "eat_profile": "tag:nvidia.com,2026-05:ear/profiles/gpu/1.0",
         "ear_status": "affirming",
         "ear_nvidia_purpose": "CC-Bounce-Buffer",
         "ear_trustworthiness_vector": {
           "configuration": 2,
           "executables": 2,
           "hardware": 2
         },
         "ear_appraisal_policy_ids": [
           "tag:nvidia.com,2026-05:ear/profiles/composite/generic/1.0.0",
           "https://nras.attestation.nvidia.com/ear/policies/gpu/1.1"
         ],
         "eat_nonce": "80FH7byULVei4u1YP4EirV8B7oHxIq0/1C3wE6vJ8ouq9j+F6m1X/dWO6B2qoovv",
         "ear_verifier_claims": {
           "ear_nvidia_evidence": {
             "signature_verified": true,
             "parsed": true,
             "cert_chain": [
               {
                 "status": "valid",
                 "ocsp_status": "good",
                 "expiration_date": "2036-07-15T23:02:10Z",
                 "revocation_reason": null
               },
               {
                 "status": "valid",
                 "ocsp_status": "good",
                 "expiration_date": "2032-07-15T23:02:10Z",
                 "revocation_reason": null
               },
               {
                 "status": "valid",
                 "ocsp_status": "good",
                 "expiration_date": "2028-07-15T23:02:10Z",
                 "revocation_reason": null
               },
               {
                 "status": "valid",
                 "ocsp_status": "good",
                 "expiration_date": "2026-07-15T23:02:10Z",
                 "revocation_reason": null
               }
             ],
             "akpub": "-----BEGIN PUBLIC KEY-----\nMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEX0dHnbKG8XlTZk1LrNBFYxca/xomeYVQ\nHHnCksh1BXEBsJt4wIUjkPuTXqy1NLThQXL6m3zgP7unKAeThOKSiGr4/D9n6XMg\noFJGZMFgQYQsc3ZY+SogfgDTf5cEGaeQ\n-----END PUBLIC KEY-----\n",
             "nonce_match": true
           },
           "ear_nvidia_rims": [
             {
               "fetched": true,
               "signature_verified": true,
               "id": "ID-Driver",
               "cert_chain": [
                 {
                   "status": "valid",
                   "ocsp_status": "good",
                   "expiration_date": "2036-07-15T23:02:10Z",
                   "revocation_reason": null
                 },
                 {
                   "status": "valid",
                   "ocsp_status": "good",
                   "expiration_date": "2032-07-15T23:02:10Z",
                   "revocation_reason": null
                 },
                 {
                   "status": "valid",
                   "ocsp_status": "good",
                   "expiration_date": "2028-07-15T23:02:10Z",
                   "revocation_reason": null
                 },
                 {
                   "status": "valid",
                   "ocsp_status": "good",
                   "expiration_date": "2026-07-15T23:02:10Z",
                   "revocation_reason": null
                 }
               ]
             },
             {
               "fetched": true,
               "signature_verified": true,
               "id": "ID-Vbios",
               "schema_validated": true,
               "measurements_available": true,
               "cert_chain": [
                 {
                   "status": "valid",
                   "ocsp_status": "good",
                   "expiration_date": "2036-07-15T23:02:10Z",
                   "revocation_reason": null
Expires 22 November 2026 [Page 20] Internet-Draft TDX+C-GPU EAR profile May 2026 }, { "status": "valid", "ocsp_status": "good", "expiration_date": "2032-07-15T23:02:10Z", "revocation_reason": null }, { "status": "valid", "ocsp_status": "good", "expiration_date": "2028-07-15T23:02:10Z", "revocation_reason": null }, { "status": "valid", "ocsp_status": "good", "expiration_date": "2026-07-15T23:02:10Z", "revocation_reason": null } ] } ], "ear_nvidia_evidence_rim_cmp": { "matched_env": [ { "class": { "vendor": "NVIDIA", "model": "GB100 A01 FSP", "layer": 0 }, "instance": { "type": "ueid", "value": "AQIDBAUGBwgJCgsMDQ4P" } }, { "class": { "class_id": { "type": "oid", "value": "2.23.133.5.4.1" }, "vendor": "NVIDIA", "model": "GB100 HW config" } } ], "unmatched_env": [ { "class": { "vendor": "NVIDIA", "model": "GB100 Fuses" } }, Kostal, et al. Expires 22 November 2026 [Page 21] Internet-Draft TDX+C-GPU EAR profile May 2026 { "class": { "vendor": "NVIDIA", "model": "GB100 Firmware microcodes (BootComplex reset domain)" } } ], "mismatched_env": [], "cert_chain_dti_match": true } }, "ear_evidence_claims": { "oemid": "5703", "hwmodel": "R0gxMDA=" } } } } 6. References 6.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, . [EAT] Lundblade, L., Mandyam, G., O'Donoghue, J., and C. Wallace, "The Entity Attestation Token (EAT)", 30 June 2023, . [JWT] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token (JWT)", May 2015, . [TDX] Intel, "Intel® Trust Domain Extensions", February 2023, . Authors' Addresses Kostal, et al. 
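The sample token in Section 5.1 is a Verifier's output; a Relying Party still has to appraise it against its own policy. The following Python is an added example of that step and is not part of this draft, nor code from Microsoft, Intel or NVIDIA. It assumes the three submodules sit under a "submods" map (the wrapper object whose name is not visible in the sample), and it applies an illustrative Relying Party policy that is an assumption of this example, not something the profile mandates: an "attester_tcb_status" other than UpToDate, an unmatched RIM environment, or a disagreement between "ear_status" and the trustworthiness vector caps a submodule at warning; a failed signature or nonce check, a mismatched RIM environment, a debug facility left enabled, or a certificate in the GPU attestation-key chain that is not valid, not OCSP-good, or expired at appraisal time is contraindicated; the composite verdict is the worst submodule. The AR4SI trust-tier bands used (2..31 affirming, 32..95 warning, 96..127 contraindicated) are as this example reads the EAR drafts. The embedded token is a constructed, trimmed variant of the sample above; the tdx submodule's status fields are invented.

```python
"""Relying-party appraisal of a TDX + C-GPU composite EAR payload (added example).
The policy is illustrative; the token is a constructed, trimmed variant of the
draft's sample and the tdx status fields are invented."""
import json
from datetime import datetime, timezone

SAMPLE_TOKEN = json.loads(r'''
{
  "submods": {
    "tdx": {
      "ear_status": "warning",
      "ear_trustworthiness_vector": {"hardware": 32, "executables": 2},
      "ear_verifier_claims": {
        "attester_tcb_status": "OutOfDate",
        "attester_advisory_ids": ["INTEL-SA-01192", "INTEL-SA-01245"]
      }
    },
    "cvm_guest": {
      "ear_status": "affirming",
      "ear_trustworthiness_vector": {"instance-identity": 2, "executables": 2},
      "ear_evidence_claims": {"secureboot": true, "azurevm_kerneldebug_enabled": false}
    },
    "gpu_0": {
      "ear_status": "affirming",
      "ear_trustworthiness_vector": {"configuration": 2, "executables": 2, "hardware": 2},
      "ear_verifier_claims": {
        "ear_nvidia_evidence": {
          "signature_verified": true, "nonce_match": true,
          "cert_chain": [
            {"status": "valid", "ocsp_status": "good", "expiration_date": "2036-07-15T23:02:10Z"},
            {"status": "valid", "ocsp_status": "good", "expiration_date": "2026-07-15T23:02:10Z"}
          ]
        },
        "ear_nvidia_evidence_rim_cmp": {
          "unmatched_env": [{"class": {"vendor": "NVIDIA", "model": "GB100 Fuses"}}],
          "mismatched_env": []
        }
      }
    }
  }
}
''')

TIER_RANK = {"none": 0, "affirming": 1, "warning": 2, "contraindicated": 3}


def tier_of(value):
    # AR4SI tier bands as this example reads them (assumption, see lead-in).
    if value in (-1, 0, 1):
        return "none"
    if 2 <= value <= 31:
        return "affirming"
    if 32 <= value <= 95:
        return "warning"
    return "contraindicated"


def worst(*tiers):
    """Least trustworthy of several tiers; an unknown label counts as worst."""
    return max(tiers, key=lambda t: TIER_RANK.get(t, 3))


def parse_ts(s):
    """Parse an RFC 3339 'Z' timestamp into an aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def appraise_submod(name, sub, now):
    """Apply the illustrative RP policy to one submodule; return (tier, findings)."""
    findings = []
    vec = sub.get("ear_trustworthiness_vector", {})
    tier = worst("none", *(tier_of(v) for v in vec.values()))
    if sub.get("ear_status") != tier:  # verifier summary must agree with its vector
        findings.append(f"{name}: ear_status {sub.get('ear_status')!r} vs vector tier {tier!r}")
        tier = worst(tier, "warning")
    vc = sub.get("ear_verifier_claims", {})
    ev = sub.get("ear_evidence_claims", {})
    tcb = vc.get("attester_tcb_status")  # TDX platform TCB level
    if tcb is not None and tcb != "UpToDate":
        findings.append(f"{name}: platform TCB {tcb}, advisories {vc.get('attester_advisory_ids', [])}")
        tier = worst(tier, "warning")
    debug_on = [k for k, v in ev.items() if k.endswith("debug_enabled") and v]  # CVM guest
    if ev.get("secureboot") is False or debug_on:
        findings.append(f"{name}: secureboot={ev.get('secureboot')} debug={debug_on}")
        tier = worst(tier, "contraindicated")
    nv = vc.get("ear_nvidia_evidence")  # C-GPU evidence: signature, nonce, AK cert chain
    if nv is not None:
        if not (nv.get("signature_verified") and nv.get("nonce_match")):
            findings.append(f"{name}: GPU evidence signature or nonce check failed")
            tier = worst(tier, "contraindicated")
        for i, cert in enumerate(nv.get("cert_chain", [])):
            bad = cert.get("status") != "valid" or cert.get("ocsp_status") != "good"
            if bad or parse_ts(cert["expiration_date"]) <= now:
                findings.append(f"{name}: cert_chain[{i}] not usable at {now.isoformat()}")
                tier = worst(tier, "contraindicated")
    rim = vc.get("ear_nvidia_evidence_rim_cmp")  # C-GPU RIM comparison
    if rim is not None:
        if rim.get("mismatched_env"):
            findings.append(f"{name}: measurements mismatch reference values")
            tier = worst(tier, "contraindicated")
        for env in rim.get("unmatched_env", []):
            findings.append(f"{name}: no reference values for {env['class'].get('model')}")
            tier = worst(tier, "warning")
    return tier, findings


def appraise_composite(token, now=None):
    """Composite verdict: the worst submodule tier plus every finding raised."""
    now = parse_ts(now) if isinstance(now, str) else (now or datetime.now(timezone.utc))
    per_submod, findings = {}, []
    for name, sub in token.get("submods", {}).items():
        per_submod[name], sub_findings = appraise_submod(name, sub, now)
        findings.extend(sub_findings)
    return {"status": worst("none", *per_submod.values()),
            "per_submod": per_submod, "findings": findings}


if __name__ == "__main__":
    print(json.dumps(appraise_composite(SAMPLE_TOKEN), indent=2))
```

Passing an explicit appraisal time to appraise_composite makes the certificate-expiry check reproducible; with the constructed token the composite result is warning (OutOfDate TDX TCB, one unmatched GPU RIM environment) and becomes contraindicated once the GPU attestation-key chain's 2026 certificate has expired.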
   Greg Kostal
   Microsoft
   Email: gkostal@microsoft.com

   Raghuram Yeluri
   Intel
   Email: raghuram.yeluri@intel.com

   Dhawal Kumar
   Nvidia
   Email: dkumar@nvidia.com

   Sindhuri Dittakavi
   Microsoft
   Email: sindhuri.dittakavi@microsoft.com

   Haidong Xia
   Intel
   Email: haidong.xia@intel.com

   Jerry Yu
   Intel
   Email: jerry.yu@intel.com