# Glossary

#### **Attestation Quote**

A cryptographically signed data structure that serves as evidence during the attestation process. It contains measurements and metadata collected from the **Trusted Execution Environment (TEE)** that can be verified by external parties.

* Generated by trusted hardware (e.g., Intel's Quoting Enclave in TDX).
* Tamper-proof and verifiable using Intel’s public keys.
* Includes the **Attestation Report**, as well as signing certificates.

#### **Attestation Report**

A structured document derived from the Attestation Quote. It contains key cryptographic measurements and signatures that prove the integrity of a system’s boot process.

**Key fields include:**

* `MRTD` (Measurement Register for Trust Domain) — Hash of the firmware measured by SEAM.
* `RTMR0` — Measurements of configuration elements such as CFV, TDHOB, and ACPI tables.
* `RTMR1` — Hash of the operating system kernel.
* `RTMR2` — Measurement of the kernel command line and `initramfs`.
* `RTMR3` — Hash of the root file system and `docker-compose.yaml`.

#### **Measurement**

A **cryptographic hash** of a specific component (e.g., firmware, kernel, configuration). These measurements are extended into secure registers (`MRTD`, `RTMR0–3`) and form the basis of attestation by proving no tampering has occurred.
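The register mechanics behind the two entries above, as an added example that is not code from the Secret Network documentation: a TDX runtime measurement register is extended by hashing the old register value together with the new measurement (SHA-384, so 48-byte registers), and a verifier reproduces the expected `RTMR0–3` by replaying the boot event log and compares them with the values carried in the report. The field layout used to pull the report body out of a quote follows Intel's TD report body structure (TEE TCB SVN, `MRSEAM`, `MRSIGNERSEAM`, attributes, `MRTD`, config/owner registers, `RTMR0–3`, report data) placed after a 48-byte quote header; the event log, the component contents and the quote bytes are constructed here, the quote is unsigned, and signature and collateral checks are outside this snippet.

```python
"""Replay a constructed TDX event log and check the RTMRs in a report body.

Added example (not from the Secret Network docs). Event log contents, the
measured blobs and the quote bytes are all constructed for illustration.
"""
import hashlib
from typing import Dict, List, Tuple

RTMR_SIZE = 48          # MRTD and RTMR0..3 are SHA-384 digests (48 bytes)
QUOTE_HEADER_LEN = 48   # fixed-size quote header precedes the TD report body

# (field, length) in order, following Intel's TD report body layout.
BODY_FIELDS: List[Tuple[str, int]] = [
    ("tee_tcb_svn", 16), ("mr_seam", 48), ("mr_signer_seam", 48),
    ("seam_attributes", 8), ("td_attributes", 8), ("xfam", 8),
    ("mr_td", 48), ("mr_config_id", 48), ("mr_owner", 48), ("mr_owner_config", 48),
    ("rtmr0", 48), ("rtmr1", 48), ("rtmr2", 48), ("rtmr3", 48),
    ("report_data", 64),
]


def measure(data: bytes) -> bytes:
    """Measurement of a component: its SHA-384 digest."""
    return hashlib.sha384(data).digest()


def extend(register: bytes, measurement: bytes) -> bytes:
    """RTMR extend operation: new_value = SHA-384(old_value || measurement)."""
    if len(register) != RTMR_SIZE or len(measurement) != RTMR_SIZE:
        raise ValueError("register and measurement must both be 48 bytes")
    return hashlib.sha384(register + measurement).digest()


def replay_rtmrs(events: List[Tuple[int, bytes]]) -> List[bytes]:
    """Compute expected RTMR0..3 from an ordered (register index, digest) log."""
    rtmrs = [bytes(RTMR_SIZE)] * 4   # every RTMR starts as all-zero bytes
    for index, digest in events:
        rtmrs[index] = extend(rtmrs[index], digest)
    return rtmrs


def parse_td_report_body(quote: bytes) -> Dict[str, bytes]:
    """Slice the TD report body that follows the quote header into named fields."""
    body = quote[QUOTE_HEADER_LEN:]
    if len(body) < sum(length for _, length in BODY_FIELDS):
        raise ValueError("quote too short to hold a TD report body")
    fields, offset = {}, 0
    for name, length in BODY_FIELDS:
        fields[name] = body[offset:offset + length]
        offset += length
    return fields


def check_rtmrs(report: Dict[str, bytes], expected: List[bytes]) -> List[str]:
    """Return the names of RTMRs whose reported value differs from the replay."""
    return ["rtmr%d" % i for i in range(4) if report["rtmr%d" % i] != expected[i]]


# Constructed golden event log, mirroring the RTMR assignments in the glossary.
GOLDEN_COMPOSE = b"services:\n  app:\n    image: example/app:1.0\n"
GOLDEN_LOG: List[Tuple[int, bytes]] = [
    (0, measure(b"constructed CFV/TDHOB/ACPI configuration")),
    (1, measure(b"constructed kernel image")),
    (2, measure(b"console=ttyS0 root=/dev/vda1")),   # kernel command line
    (2, measure(b"constructed initramfs")),
    (3, measure(b"constructed root file system")),
    (3, measure(GOLDEN_COMPOSE)),                     # docker-compose.yaml
]


def build_sample_quote(rtmrs: List[bytes]) -> bytes:
    """Assemble a constructed, UNSIGNED quote whose body carries these RTMRs."""
    body = b""
    for name, length in BODY_FIELDS:
        body += rtmrs[int(name[4])] if name.startswith("rtmr") else bytes(length)
    return bytes(QUOTE_HEADER_LEN) + body


def verify_sample(tampered_compose: bool = False) -> List[str]:
    """Boot a constructed VM (optionally with a modified docker-compose.yaml),
    then check its reported RTMRs against the golden replay."""
    boot_log = list(GOLDEN_LOG)
    if tampered_compose:
        boot_log[-1] = (3, measure(b"services:\n  app:\n    image: other/app:9.9\n"))
    quote = build_sample_quote(replay_rtmrs(boot_log))
    return check_rtmrs(parse_td_report_body(quote), replay_rtmrs(GOLDEN_LOG))


if __name__ == "__main__":
    print("untampered mismatches:", verify_sample())            # []
    print("tampered compose mismatches:", verify_sample(True))  # ['rtmr3']
```

A verifier in practice also has to confirm the quote signature and its collateral before trusting the RTMR values at all; the replay above only tells you whether the measured boot matches the reference you expect, which is why a changed `docker-compose.yaml` shows up as an `RTMR3` mismatch and nothing else.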

#### **Collateral**

Supporting information required to verify the authenticity of an **Attestation Quote**. This includes:

* Intel signing certificates and public keys
* TCB (Trusted Computing Base) metadata
* Quoting Enclave (QE) identity
* Certificate Revocation Lists (CRLs)
* Quote verification metadata

Collateral is critical to validating that:

* The quote was produced by **genuine Intel hardware**
* Platform components are at appropriate **security patch levels**
* None of the components have been **revoked** or compromised

This forms the **external trust chain** that links attestation results to Intel as the root of trust.

#### **Intel TDX (Trust Domain Extensions)**

A hardware-based **Confidential Computing** technology by Intel that enables the creation of **confidential virtual machines**. TDX isolates guest VMs from the host and hypervisor, offering enhanced data privacy and integrity.

#### **QEMU (Quick Emulator)**

An open-source hardware **virtualization and emulation platform**. It can:

* Emulate one architecture on another (e.g., ARM on x86).
* Virtualize workloads at near-native speed using **KVM**.
* Support **TDX** features to run confidential virtual machines with Intel's security guarantees.

#### **SEAM (Secure Arbitration Mode)**

A privileged, hardware-enforced environment in the Intel TDX architecture. The **SEAM module** runs in this mode and provides the core trust anchor for confidential VMs.

**Key responsibilities:**

* Manages the lifecycle of **Trust Domains (TDs)**
* Enforces memory isolation between VMs and host
* Performs cryptographic operations and quote generation
* Mediates between the untrusted hypervisor and secure VMs
* Applies security policies for TDX-protected environments

The integrity of SEAM is **critical to the TDX security model**, and its measurement (`MRSEAM`) is included in the attestation report.
