Context
PR #1 now parses TDX quote policy claims from the same raw quote bytes that Polaris attestor-verify verifies. The launch adapter no longer uses operator-pinned measurement, platform_id, or tcb metadata as claim sources.
Current Phase 1 behavior:
- Intel-chain and REPORTDATA binding still come from Polaris
attestor-verify.
- Cathedral parses REPORTDATA, canonical TD measurement, MRTD/RTMRs, TD attributes/XFAM,
tee_tcb_svn, attestation-key fingerprint, and a PCK leaf certificate fingerprint.
platform_id is tdx-pck-cert-sha256:*, a certificate-specific Phase 1 sybil-dedup key.
- Positive
min_tcb floors reject when only raw tcb_svn is available; launch should keep CATHEDRAL_TDX_MIN_TCB=0.
Remaining Work
- Derive or integrate a package-stable TDX platform identity instead of using the PCK leaf certificate fingerprint directly, accounting for valid PCK rotation/TCB-level changes.
- Plumb DCAP verification result details such as TCB status/advisory IDs and enforce a real TCB-status policy instead of scalar ordering over raw
tee_tcb_svn.
- Replace the Phase 1 PCK-cert dedup caveat in docs once the stronger identity/status semantics are implemented.
- Add live TDX regression evidence for identity stability across restart/requote and, if available, across PCK/collateral refresh.
Acceptance
cathedral.verify.verify() can enforce TDX platform identity and TCB status from verified quote/collateral semantics without relying on certificate-specific identity or raw tcb_svn scalar ordering.
- Existing live TDX and non-TDX negative controls still pass.
Context
PR #1 now parses TDX quote policy claims from the same raw quote bytes that Polaris
attestor-verifyverifies. The launch adapter no longer uses operator-pinnedmeasurement,platform_id, ortcbmetadata as claim sources.Current Phase 1 behavior:
attestor-verify.tee_tcb_svn, attestation-key fingerprint, and a PCK leaf certificate fingerprint.platform_idistdx-pck-cert-sha256:*, a certificate-specific Phase 1 sybil-dedup key.min_tcbfloors reject when only rawtcb_svnis available; launch should keepCATHEDRAL_TDX_MIN_TCB=0.Remaining Work
tee_tcb_svn.Acceptance
cathedral.verify.verify()can enforce TDX platform identity and TCB status from verified quote/collateral semantics without relying on certificate-specific identity or rawtcb_svnscalar ordering.