# Glossary

#### **Attestation Quote**

A cryptographically signed data structure that serves as evidence during the attestation process. It contains measurements and metadata collected from the **Trusted Execution Environment (TEE)** that can be verified by external parties.

* Generated by trusted hardware (e.g., Intel's Quoting Enclave in TDX).
* Tamper-proof and verifiable using Intel’s public keys.
* Includes the **Attestation Report**, as well as signing certificates.

#### **Attestation Report**

A structured document derived from the Attestation Quote. It contains key cryptographic measurements and signatures that prove the integrity of a system’s boot process.

**Key fields include:**

* `MRTD` (Measurement Register for Trust Domain) — Hash of the firmware measured by SEAM.
* `RTMR0` — Measurements of configuration elements such as CFV, TDHOB, and ACPI tables.
* `RTMR1` — Hash of the operating system kernel.
* `RTMR2` — Measurement of the kernel command line and `initramfs`.
* `RTMR3` — Hash of the root file system and `docker-compose.yaml`.
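To make the field list concrete, the following is an added example (not code from the original page or from Intel) that slices the measurement registers out of a TDX quote body and compares them against a pinned policy. It assumes the published TDX v4 quote body layout: a 584-byte TD report body following the 48-byte quote header, with `MRTD` at offset 136 and `RTMR0..3` at offsets 328, 376, 424 and 472; the sample body and the "golden" values are constructed here, not taken from a real quote.

```python
import hashlib
import hmac

# Offsets of the fields inside the 584-byte TD report body of a TDX quote.
# Assumption: this follows the published TDX v4 quote body layout (the body
# sits after the 48-byte quote header); check Intel's DCAP documentation
# before relying on these numbers in production.
TD_REPORT_BODY_LEN = 584
TD_REPORT_FIELDS = [
    ("tee_tcb_svn",       0, 16),
    ("mr_seam",          16, 48),
    ("mr_signer_seam",   64, 48),
    ("seam_attributes", 112,  8),
    ("td_attributes",   120,  8),
    ("xfam",            128,  8),
    ("mr_td",           136, 48),
    ("mr_config_id",    184, 48),
    ("mr_owner",        232, 48),
    ("mr_owner_config", 280, 48),
    ("rtmr0",           328, 48),
    ("rtmr1",           376, 48),
    ("rtmr2",           424, 48),
    ("rtmr3",           472, 48),
    ("report_data",     520, 64),
]
MEASUREMENT_REGISTERS = ("mr_td", "rtmr0", "rtmr1", "rtmr2", "rtmr3")


def parse_td_report_body(body: bytes) -> dict:
    """Slice the raw report body into named fields (all values are bytes)."""
    if len(body) != TD_REPORT_BODY_LEN:
        raise ValueError(f"expected {TD_REPORT_BODY_LEN} bytes, got {len(body)}")
    return {name: bytes(body[off:off + ln]) for name, off, ln in TD_REPORT_FIELDS}


def check_measurements(report: dict, policy: dict) -> list:
    """Compare each measurement register against its expected value.

    Returns the names of registers that fail; an empty list means the
    report matches the policy. A register missing from the policy counts
    as a failure, so an incomplete policy cannot silently pass.
    """
    failures = []
    for reg in MEASUREMENT_REGISTERS:
        expected = policy.get(reg)
        if expected is None or not hmac.compare_digest(report[reg], expected):
            failures.append(reg)
    return failures


def fake_measurement(label: str) -> bytes:
    """Constructed 48-byte stand-in for a real SHA-384 measurement."""
    return hashlib.sha384(label.encode()).digest()


# Constructed "golden" values a deployment would pin after a trusted build.
GOLDEN_POLICY = {
    "mr_td": fake_measurement("firmware-v1"),
    "rtmr0": fake_measurement("cfv+tdhob+acpi"),
    "rtmr1": fake_measurement("kernel-6.x"),
    "rtmr2": fake_measurement("cmdline+initramfs"),
    "rtmr3": fake_measurement("rootfs+docker-compose.yaml"),
}


def build_sample_body(registers: dict) -> bytes:
    """Assemble a synthetic report body carrying the given register values."""
    body = bytearray(TD_REPORT_BODY_LEN)
    for name, off, ln in TD_REPORT_FIELDS:
        if name in registers:
            body[off:off + ln] = registers[name]
    # report_data normally carries a verifier-chosen nonce; constructed here.
    body[520:520 + 64] = b"\x11" * 64
    return bytes(body)


if __name__ == "__main__":
    good = parse_td_report_body(build_sample_body(GOLDEN_POLICY))
    print("matching report, failures:", check_measurements(good, GOLDEN_POLICY))
    drifted = dict(GOLDEN_POLICY, rtmr3=fake_measurement("rootfs+docker-compose.yaml-edited"))
    bad = parse_td_report_body(build_sample_body(drifted))
    print("drifted report, failures:", check_measurements(bad, GOLDEN_POLICY))
```

Parsing the body is only the measurement half of verification: the quote signature and the collateral chain still have to be checked first, since a register value is meaningless until the quote carrying it is known to come from genuine hardware.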

#### **Measurement**

A **cryptographic hash** of a specific component (e.g., firmware, kernel, configuration). These measurements are extended into secure registers (`MRTD`, `RTMR0–3`) and form the basis of attestation by proving no tampering has occurred.
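The "extended into" wording is the key property, so here is an added example (not code from the original page) that simulates it. It assumes the documented RTMR extend rule, `new = SHA384(old || extend_value)` on a 48-byte register that starts at all zeros, and uses constructed stand-ins for the `RTMR2` components (kernel command line and `initramfs`); the functions `measure`, `extend` and `replay` are names chosen here, not an Intel API.

```python
import hashlib

RTMR_SIZE = 48  # each RTMR holds one SHA-384 digest


def measure(component: bytes) -> bytes:
    """Measurement of a component: its SHA-384 hash."""
    return hashlib.sha384(component).digest()


def extend(register: bytes, value: bytes) -> bytes:
    """Extend a register: new = SHA384(old || value).

    Assumption: this is the RTMR extend rule (48-byte register, 48-byte
    extend value). Because the old value is part of the input, a register
    can only be moved forward, never reset or set to a chosen value.
    """
    if len(register) != RTMR_SIZE or len(value) != RTMR_SIZE:
        raise ValueError("register and extend value must both be 48 bytes")
    return hashlib.sha384(register + value).digest()


def replay(components) -> bytes:
    """Recompute a register from an ordered list of components, the way a
    verifier replays an event log to predict the final register value."""
    register = bytes(RTMR_SIZE)  # registers start at all zeros
    for component in components:
        register = extend(register, measure(component))
    return register


# Constructed sample inputs standing in for the RTMR2 components.
KERNEL_CMDLINE = b"console=ttyS0 root=/dev/vda1 ro"
INITRAMFS = b"<constructed initramfs image bytes>"


def rtmr2_scenarios() -> dict:
    """The expected RTMR2 next to two deviations a verifier would reject."""
    return {
        "expected": replay([KERNEL_CMDLINE, INITRAMFS]),
        "reordered": replay([INITRAMFS, KERNEL_CMDLINE]),
        "changed_cmdline": replay([KERNEL_CMDLINE + b" debug", INITRAMFS]),
    }


if __name__ == "__main__":
    for name, value in rtmr2_scenarios().items():
        print(f"{name:16} {value.hex()[:32]}...")
```

Two things the output makes visible: the same components measured in a different order give a different register, and a one-word change to the command line changes the final value completely, which is why a verifier compares the whole register rather than individual events.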

#### **Collateral**

Supporting information required to verify the authenticity of an **Attestation Quote**. This includes:

* Intel signing certificates and public keys
* TCB (Trusted Computing Base) metadata
* Quoting Enclave (QE) identity
* Certificate Revocation Lists (CRLs)
* Quote verification metadata

Collateral is critical to validating that:

* The quote was produced by **genuine Intel hardware**
* Platform components are at appropriate **security patch levels**
* None of the components have been **revoked** or compromised

This forms the **external trust chain** that links attestation results to Intel as the root of trust.

#### **Intel TDX (Trust Domain Extensions)**

A hardware-based **Confidential Computing** technology by Intel that enables the creation of **confidential virtual machines**. TDX isolates guest VMs from the host and hypervisor, offering enhanced data privacy and integrity.

#### **QEMU (Quick Emulator)**

An open-source hardware **virtualization and emulation platform**. It can:

* Emulate one architecture on another (e.g., ARM on x86).
* Virtualize workloads at near-native speed using **KVM**.
* Support **TDX** features to run confidential virtual machines with Intel's security guarantees.

#### **SEAM (Secure Arbitration Mode)**

A privileged, hardware-enforced environment in the Intel TDX architecture. The **SEAM module** runs in this mode and provides the core trust anchor for confidential VMs.

**Key responsibilities:**

* Manages the lifecycle of **Trust Domains (TDs)**
* Enforces memory isolation between VMs and host
* Performs cryptographic operations and quote generation
* Mediates between the untrusted hypervisor and secure VMs
* Applies security policies for TDX-protected environments

The integrity of SEAM is **critical to the TDX security model**, and its measurement (MRSEAM) is included in the attestation report.
