EAT Attestation Result (EAR) profile for Intel® Trust Domain Extensions (TDX) + Confidential GPU (C-GPU) composite attestation

EAR claims for TDX + C-GPU composite attestation

JWT claims The following claims are reused from the IETF specification. The complete definitions of the claims are available in the JSON Web Token (JWT) specification.

iat: The "iat" (issued at) claim identifies the time at which the JWT was issued.
iss: The "iss" (issuer) claim identifies the principal that issued the JWT.
jti: The "jti" (JWT ID) claim provides a unique identifier for the JWT.
nbf: The "nbf" (not before) claim identifies the time before which the JWT MUST NOT be accepted for processing.
exp: The "exp" (expiration time) claim identifies the expiration time on or after which the JWT MUST NOT be accepted for processing.

EAT claims The following claims are reused from the EAT specification. The complete definitions of the claims are available in the EAT specification.

eat_profile: The "eat_profile" claim identifies an Entity Attestation Token (EAT) profile by either a URL or an OID.
eat_nonce (optional): An EAT nonce is either a byte or text string or an array of byte or text strings representing verifier response freshness. The array option supports multistage EAT verification and consumption.

EAR claims The following claims are reused from the IETF draft EAT Attestation Results (EAR) message format. The complete definitions of the claims are available here)

ear_status: The string represents the aggregated appraisal status across all attesters, reflecting the composite attestation result. (check the latest defn in EAR profile V4. Current preference is to reflect the min baseline of all)

ear_verifier_id: The strings represents identifying information about the software and organizational unit that performed the attestation appraisal.
ear_raw_evidence (optional): The strings represents the unabridged evidence submitted for appraisal, including any signed container or envelope.
ear_all_submods_bound (optional): A string value indicating whether all submod components in the EAR token are provably bound to each other ("true", "false", "unknown").
ear_evidence_nonce (optional): if all submods share the same value for eat_nonce, the value may be replicated as a top level claim
submods: A submodule map holding one EAR-appraisal for each separately appraised attester.
ear_status: The strings represents the appraisal status for an attester as one of the defined trustworthiness tiers.
eat_profile (optional): The "eat_profile" claim identifies an Entity Attestation Token (EAT) profile by either a URL or an OID.
eat_nonce (optional): The claim represents evidence freshness
ear_trustworthiness_vector: The AR4SI trustworthiness vector giving a breakdown of appraisal values for an attester.
ear_appraisal_policy_ids** (optional): A list of one or more unique identifiers for appraisal policies used to evaluate the attestation results.
ear_evidence_claims: A JSON object containing the normalized, attester-reported evidence claims that the verifier accepted as input to its appraisal of this submod. The contents are organized as a flat or nested map of named claims defined by the submod's profile (for TDX, see section 3.4; for the CVM guest, see section 3.5; for C-GPU, see section 3.6). Values in this object originate from the attester (or are derived directly from attester-supplied evidence) and are reproduced here verbatim after parsing and schema validation; the verifier does not add appraisal verdicts, reference-value comparisons, or trust judgements to claims under this object.
ear_verifier_claims: A JSON object containing claims that are produced by the verifier itself as a result of appraising this submod. These claims are not present in the attester evidence and are added by the verifier to convey appraisal context, reference-data state, and verifier-derived dispositions.
ear_managed_keysets (optional): A JSON object that carries one or more named key sets extracted from the attestation evidence by the verifier on behalf of the attester, intended for use by the relying party (for example, to deliver secrets into the verified Trusted Compute Base). Each property of the object is a key-set name (e.g., ephemeral-transfer-keys) whose value is an array of JSON Web Keys (JWKs, per RFC 7517).

TDX claims

ear_evidence_claims The following attester-reported claims appear as named members of the tdx submod's ear_evidence_claims container:

tdx_mrconfigid: The hexadecimal string represents a byte array of length 48, which contains the software-defined ID for non-owner-defined configuration of the TDX, e.g., runtime or OS configuration.
tdx_mrowner: The hexadecimal string represents a byte array of length 48, which contains the software-defined ID for the TDX’s owner.
tdx_mrownerconfig: The hexadecimal string represents a byte array of length 48, which contains the software-defined ID for owner-defined configuration of the TDX, e.g., specific to the workload rather than the runtime or OS.
tdx_mrseam: The hexadecimal string represents a byte array of length 48, which contains the measurement of the Intel TDX module.
tdx_mrsignerseam: The hexadecimal string represents a byte array of length 48, which contains the measurement of the TDX module signer.
tdx_mrtd: The hexadecimal string represents a byte array of length 48, which contains the measurement of the initial contents of the TDX.
tdx_report_data: The hexadecimal string represents a byte array of length 64. In this context, the TDX has the flexibility to include 64 bytes of custom data in a TDX Report. For instance, this space can be used to hold a nonce, a public key, or a hash of a larger block of data.
tdx_rtmr0 – tdx_rtmr3: Each hexadecimal string represents a byte array of length 48, which contains the runtime extendable measurement register.
tdx_seam_attributes: The hexadecimal string represents a byte array of length 8, which contains additional configuration of the TDX module.
tdx_seamsvn: The number represents the Intel TDX module security version number (SVN).
tdx_td_attributes: The hexadecimal string represents a byte array of length 8. These are the attributes associated with the Trusted Domain (TD).
tdx_td_attributes_debug: The boolean value represents whether the TD runs in TD debug mode (set to 1) or not (set to 0). In TD debug mode, the CPU state and private memory are accessible by the host VMM.
tdx_td_attributes_key_locker: The boolean value represents whether the TD is allowed to use Key Locker.
tdx_td_attributes_perfmon: The boolean value represents whether the TD is allowed to use Perfmon and PERF_METRICS capabilities.
tdx_td_attributes_protection_keys: The boolean value represents whether the TD is allowed to use Supervisor Protection Keys.
tdx_td_attributes_septve_disable: The boolean value represents whether to disable EPT violation conversion to #VE on TD access of PENDING pages.
tdx_tee_tcb_svn: The hexadecimal string represents a byte array of length 16, which describes the TCB SVNs of TDX.
tdx_xfam: The hexadecimal string represents a byte array of length 8, which contains a mask of CPU extended features that the TDX is allowed to use.
sgx_tcb_comp_svn: The hexadecimal string represents the array of security version numbers (SVNs) for Intel SGX TCB components.
pce_svn: The integer value represents the security version number (SVN) of the Intel SGX Provisioning Certification Enclave (PCE), which is part of the TDX TCB.
platform_instance_id: The hexadecimal string represents a byte array of length 16, generated during Intel TDX Initial Platform Establishment (IPE), that uniquely identifies a specific physical platform instance.

ear_verifier_claims The following verifier-derived claims appear as named members of the tdx submod's ear_verifier_claims container:

attester_tcb_date: The date-time string is in UTC and encoded using ISO 8601, and it represents the date of the evaluated TCB level.
attester_tcb_status: The string describes the evaluated status of the attesting platform TCB level.
attester_advisory_ids: The array of advisory IDs refers to Intel security advisories that explain the reason(s) for the attester_tcb_status value of the evaluated platform TCB level.
tdx_collateral: The metadata of Intel Provisioning Certification Service (PCS) TDX collateral that the verifier used to appraise the attesting platform’s quote. Specifically: tcbevaluationdatanumber (TCB Evaluation Data Number) represents the version of the TDX verification collateral, and fmspc indicates the FMSPC associated with that collateral.

CVM claims The following claim appears as a peer of the other submod-level EAR claims (e.g., ear_appraisal_policy_id) within the cvm_guest submod:

ear_azurevm_policy_hash: The base64url-encoded string represents the hash (SHA-256) of the Azure VM guest attestation appraisal policy that the verifier evaluated to produce the cvm_guest submod result.

ear_evidence_claims The following attester-reported claims appear as named members of the cvm_guest submod's ear_evidence_claims container (see section 3.3):

secureboot: The boolean value represents whether secure boot is enabled.
azurevm_attestation_protocol_ver: The string value represents the version of the Azure VM attestation protocol used to generate the attestation token.
azurevm_attested_pcrs: The array represents PCR indices included in the TPM quote and successfully validated by the service.
azurevm_bootdebug_enabled: The boolean value represents whether boot debugging was enabled for the Azure VM at boot time.
azurevm_dbvalidated: The boolean value represents whether the UEFI Secure Boot signature database (DB) was successfully validated during boot.
azurevm_dbxvalidated: The boolean value represents whether the UEFI Secure Boot revocation database (DBX) was successfully validated.
azurevm_debuggersdisabled: The boolean value represents whether kernel and user‑mode debuggers were disabled in the guest operating system at boot.
azurevm_default_securebootkeysvalidated: The boolean value represents whether the default Microsoft Secure Boot keys were present and validated during Secure Boot initialization.
azurevm_elam_enabled: The boolean value represents whether Early Launch Anti‑Malware (ELAM) was enabled, ensuring that trusted anti‑malware drivers are loaded before other boot drivers.
azurevm_flightsigning_enabled: The boolean value represents whether flight signing was enabled, allowing test or preview‑signed binaries to load in the guest OS.
azurevm_hvci_policy: The integer value represents the Hypervisor‑Enforced Code Integrity (HVCI) policy configured and enforced by the guest operating system.
azurevm_hypervisordebug_enabled: The boolean value represents whether hypervisor debugging was enabled for the Azure VM.
azurevm_is_windows: The boolean value represents whether the guest operating system running inside the Azure VM is Microsoft Windows.
azurevm_kerneldebug_enabled: The boolean value represents whether kernel debugging was enabled in the guest operating system at boot time.
azurevm_osbuild: The string value represents the operating system build number of the guest OS running in the Azure VM.
azurevm_osdistro: The string value represents the guest operating system distribution name (for example: specific Linux distribution or Windows edition).
azurevm_ostype: The string value represents the guest operating system family or type (for example: Windows, Linux).
azurevm_osversion_major: The integer value represents the major version number of the guest operating system.
azurevm_osversion_minor: The integer value represents the minor version number of the guest operating system.
azurevm_signingdisabled: The boolean value represents whether code signing enforcement was disabled, allowing unsigned binaries to be loaded.
azurevm_testsigning_enabled: The boolean value represents whether test signing mode was enabled, allowing test‑signed binaries to execute in the guest OS.
azurevm_vmid: The string value represents the unique identifier (VM ID) assigned to the Azure Virtual Machine instance.
runtime: A JSON object containing claims that are defined and generated within the attested environment. This includes information such as keys and client payload, which are formatted as UTF-8–encoded, well-formed JSON.

ear_verifier_claims The following verifier-derived claims appear as named members of the cvm_guest submod's ear_verifier_claims container (see section 3.3):

x_ms_compliance_status: The string value summarizes the Microsoft-defined compliance disposition of the attested CVM guest (for example, azure-compliant-cvm-guestvm indicates the guest satisfies the Azure confidential VM guest compliance baseline).

C-GPU claims

eat_profile: The eat_profile from EAR token generated by NVIDIA verifier. This profile represents the EAR profile not evidence profile.
ear_status: The ear_status from EAR token generated by NVIDIA verifier.
ear_nvidia_purpose: The context associated with the appraisal. A GPU can respond out of band for infrastructure attestation and inband for various modes such as CC-TDISP. This claim allows a RP to ensure that an EAR meant for a different purpose does not get used by such RP.
ear_trustworthiness_vector (optional): The ear_trustworthiness_vector from EAR token generated by NVIDIA verifier.
eat_nonce (optional): The eat_nonce from EAR token generated by NVIDIA verifier. This nonce represents evidence freshness not freshness of response from NVIDIA verifier.
ear_verifier_claims: A collection of claims generated by the verifier during the process of evidence appraisal other than any claim from evidence that verifier copies into ear_evidence_claims (explained below). ear_verifier_claims includes claims that were not part of the evidence (e.g., certificate chain related claims).
ear_verifier_claims.ear_nvidia_evidence: A collection of claims generated by the verifier based on evidence validation step prior to comparison to reference values.
ear_verifier_claims.ear_nvidia_evidence.signature_verified: This boolean value indicates whether the signature on SPDM response has been verified successfully.
ear_verifier_claims.ear_nvidia_evidence.parsed (optional): This boolean value indicates whether the evidence has been successfully parsed. If signature verification of SPDM response fails, this claim will not be emitted.
ear_verifier_claims.ear_nvidia_evidence.cert_chain (optional): An array of claims related to each of the certificates in the device certificate chain. Every array entry corresponds to one certificate in the chain. The certs are listed in the order from the root to the end entity cert.
ear_verifier_claims.ear_nvidia_evidence.cert_chain[].status: The string value represents the validation result of the certificate.
ear_verifier_claims.ear_nvidia_evidence.cert_chain[].ocsp_crl_status (optional): The string value represents the certificate status from Online Certificate Status Protocol (OCSP) or CRL.
ear_verifier_claims.ear_nvidia_evidence.cert_chain[].ocsp_nonce_matches (optional): The boolean value represents whether the nonce in the OCSP response matches the nonce sent in the OCSP request.
ear_verifier_claims.ear_nvidia_evidence.cert_chain[].expiration_date: The string value represents the expiration timestamp of the certificate.
ear_verifier_claims.ear_nvidia_evidence.cert_chain[].revocation_reason (optional): The string value represents the revocation reason returned by certificate status validation if the certificate has been revoked.
ear_verifier_claims.ear_nvidia_evidence.akpub (optional): This claim represents the public key from the end entity certificate used by the verifier to verify the signature on the SPDM response from the attester.
ear_verifier_claims.ear_nvidia_evidence.nonce_match
ear_verifier_claims.ear_nvidia_rims (optional): A collection of claims generated by the verifier during its attempts to acquire and validate RIMs. This claim must be emitted if the verifier decides to attempt to acquire RIMs.
ear_verifier_claims.ear_nvidia_rims[].fetched: The boolean value indicates whether the verifier successfully retrieved the corresponding NVIDIA RIM required for evidence validation.
ear_verifier_claims.ear_nvidia_rims[].signature-verified (optional): The boolean value indicates that the digital signature of the RIM was successfully verified using NVIDIA’s signing certificates. This claim must be emitted if the fetched claim above is true.
ear_verifier_claims.ear_nvidia_rims[].id (optional): The string value represents the identifier of the NVIDIA Reference Integrity Manifest (RIM).
ear_verifier_claims.ear_nvidia_rims[].cert_chain (optional): An array of claims related to each of the certificates in the RIM certificate chain. Every array entry corresponds to one certificate in the chain. The certs are listed in the order from the root to the end entity cert.
ear_verifier_claims.ear_nvidia_rims[].cert_chain[].status: The string value represents the validation result of the certificate.
ear_verifier_claims.ear_nvidia_rims[].cert_chain[].ocsp_crl_status (optional): The string value represents the certificate status from Online Certificate Status Protocol (OCSP) or CRL.
ear_verifier_claims.ear_nvidia_rims[].cert_chain[].ocsp_nonce_matches (optional): The boolean value represents whether the nonce in the OCSP response matches the nonce sent in the OCSP request.
ear_verifier_claims.ear_nvidia_rims[].cert_chain[].expiration_date: The string value represents the expiration timestamp of the certificate.
ear_verifier_claims.ear_nvidia_rims[].cert_chain[].revocation_reason (optional): The string value represents the revocation reason returned by certificate status validation if the certificate has been revoked.
ear_verifier_claims.ear_nvidia_evidence_rim_cmp (optional): A collection of claims generated by the verifier during the process of reference value corroboration. This claim must be emitted if the verifier reaches the corroboration phase.
ear_verifier_claims.nvidia_evidence_rim_cmp.matched-env: The array of environment-maps from evidence that can be satisfied by CoRIM(s).
ear_verifier_claims.nvidia_evidence_rim_cmp.unmatched-env: The array of environment-maps from evidence that were not found in CoRIM(s).
ear_verifier_claims.nvidia_evidence_rim_cmp.mismatched-env: The array of environment-maps from evidence that were found in CoRIM(s) but can not be satisifed by the reference values in such CoRIM(s).
ear_verifier_claims.nvidia_evidence_rim_cmp.cert_chain_dti_match: The boolean value indicates status of comparison of all DiceTcbInfo structures found in the cert chain of the attester to suitable environment-maps from CoRIM(s).
ear_evidence_claims (optional): A collection of claims copied from evidence without any comparison to ref values.
ear_evidence_claims.oemid: This claim identifies the Original Equipment Manufacturer (OEM) of the hardware.
ear_evidence_claims.hwmodel: This claim identifies the model of the GPU.