Add TDX CCEL support to token command and refactor flags

* Move `teeTechnology` flag to flags.go to share it between `attest` and `token` commands.
* Update `token` command to support TDX CCEL attestation.
* Enable `tee-nonce` and `tee-technology` flags for the `token` command.

Author: yanchengchen7

cmd/attest.go

@@ -16,16 +16,7 @@ import (
 )
 
 var (
-	key           string
-	teeTechnology string
-)
-
-// Add constants for other devices when required
-const (
-	// SevSnp is a constant denotes device name for teeTechnology
-	SevSnp = "sev-snp"
-	// Tdx is a constant denotes device name for teeTechnology
-	Tdx = "tdx"
+	key string
 )
 
 var attestationKeys = map[string]map[tpm2.Algorithm]func(rw io.ReadWriter) (*client.Key, error){
@@ -183,10 +174,6 @@ func addKeyFlag(cmd *cobra.Command) {
 	cmd.PersistentFlags().StringVar(&key, "key", "AK", "indicates type of attestation key to use <gceAK|AK>")
 }
 
-func addTeeTechnology(cmd *cobra.Command) {
-	cmd.PersistentFlags().StringVar(&teeTechnology, "tee-technology", "", "indicates the type of TEE hardware. Should be either empty or one of sev-snp or tdx")
-}
-
 func init() {
 	RootCmd.AddCommand(attestCmd)
 	addKeyFlag(attestCmd)

cmd/flags.go

@@ -15,19 +15,28 @@ import (
 )
 
 var (
-	output      string
-	input       string
-	nvIndex     uint32
-	nonce       []byte
-	teeNonce    []byte
-	keyAlgo     = tpm2.AlgRSA
-	pcrs        []int
-	format      string
-	asAddress   string
-	audience    string
-	eventLog    string
-	cloudLog    bool
-	customNonce []string
+	output        string
+	input         string
+	nvIndex       uint32
+	nonce         []byte
+	teeNonce      []byte
+	teeTechnology string
+	keyAlgo       = tpm2.AlgRSA
+	pcrs          []int
+	format        string
+	asAddress     string
+	audience      string
+	eventLog      string
+	cloudLog      bool
+	customNonce   []string
+)
+
+// Add constants for other devices when required
+const (
+	// SevSnp is a constant denotes device name for teeTechnology
+	SevSnp = "sev-snp"
+	// Tdx is a constant denotes device name for teeTechnology
+	Tdx = "tdx"
 )
 
 type pcrsFlag struct {
@@ -192,6 +201,10 @@ func addTeeNonceflag(cmd *cobra.Command) {
 	cmd.PersistentFlags().BytesHexVar(&teeNonce, "tee-nonce", []byte{}, "hex encoded teenonce for hardware attestation, can be empty")
 }
 
+func addTeeTechnology(cmd *cobra.Command) {
+	cmd.PersistentFlags().StringVar(&teeTechnology, "tee-technology", "", "indicates the type of TEE hardware. Should be either empty or one of sev-snp or tdx")
+}
+
 // alwaysError implements io.ReadWriter by always returning an error
 type alwaysError struct {
 	error

cmd/token.go

@@ -2,17 +2,21 @@ package cmd
 
 import (
 	"context"
+	_ "crypto/sha512" // Ensure SHA384 is available
 	"encoding/json"
 	"errors"
 	"fmt"
 	"log"
 	"net/http"
+	"os"
 	"time"
 
 	"cloud.google.com/go/compute/metadata"
 	"cloud.google.com/go/logging"
 	"github.com/golang-jwt/jwt/v4"
+	tabi "github.com/google/go-tdx-guest/abi"
 	"github.com/google/go-tpm-tools/client"
+	"github.com/google/go-tpm-tools/internal"
 	"github.com/google/go-tpm-tools/verifier"
 	"github.com/google/go-tpm-tools/verifier/models"
 	"github.com/google/go-tpm-tools/verifier/util"
@@ -134,13 +138,46 @@ The OIDC token includes claims regarding the GCE VM, which is verified by Attest
 		}
 		ak.Close()
 
+		// If teeTechnology is not set, try to detect it from the attestation.
+		if teeTechnology == "" {
+			if attestation.GetTdxAttestation() != nil {
+				teeTechnology = Tdx
+			}
+		}
+
 		req := verifier.VerifyAttestationRequest{
 			Challenge:      challenge,
 			GcpCredentials: principalTokens,
 			Attestation:    attestation,
 			TokenOptions:   &models.TokenOptions{Audience: audience, Nonces: customNonce, TokenType: "OIDC"},
 		}
 
+		if teeTechnology == Tdx {
+			// If TDX, check if we should populate TDCCELAttestation
+			if attestation.GetTdxAttestation() != nil {
+				fmt.Fprintln(debugOutput(), "Using Explicit TDCCELAttestation Path (ACPI tables)")
+
+				rawQuote, err := tabi.QuoteToAbiBytes(attestation.GetTdxAttestation())
+				if err != nil {
+					return fmt.Errorf("failed to convert TDX quote to bytes: %v", err)
+				}
+
+				// Try to read CCEL Table and Data
+				ccelTable, _ := os.ReadFile(internal.AcpiTableFile)
+				ccelData, _ := os.ReadFile(internal.CcelEventLogFile)
+
+				req.TDCCELAttestation = &verifier.TDCCELAttestation{
+					TdQuote:           rawQuote,
+					CcelAcpiTable:     ccelTable,
+					CcelData:          ccelData,
+					AkCert:            attestation.AkCert,
+					IntermediateCerts: attestation.IntermediateCerts,
+				}
+				// Force using TDCCELAttestation path in verifier client
+				req.Attestation = nil
+			}
+		}
+
 		resp, err := verifierClient.VerifyAttestation(ctx, req)
 		if err != nil {
 			return err
@@ -210,6 +247,6 @@ func init() {
 	addEventLogFlag(tokenCmd)
 	addCustomNonceFlag(tokenCmd)
 	// TODO: Add TEE hardware OIDC token generation
-	// addTeeNonceflag(tokenCmd)
-	// addTeeTechnology(tokenCmd)
+	addTeeNonceflag(tokenCmd)
+	addTeeTechnology(tokenCmd)
 }

internal/ccel.go

@@ -0,0 +1,8 @@
+package internal
+
+const (
+	// AcpiTableFile is the path to the CCEL ACPI table.
+	AcpiTableFile = "/sys/firmware/acpi/tables/CCEL"
+	// CcelEventLogFile is the path to the CCEL event log data.
+	CcelEventLogFile = "/sys/firmware/acpi/tables/data/CCEL"
+)

launcher/agent/agent.go

@@ -332,11 +332,11 @@ func (t *tdxAttestRoot) Attest(nonce []byte) (any, error) {
 		return nil, err
 	}
 
-	ccelData, err := os.ReadFile("/sys/firmware/acpi/tables/data/CCEL")
+	ccelData, err := os.ReadFile(internal.CcelEventLogFile)
 	if err != nil {
 		return nil, err
 	}
-	ccelTable, err := os.ReadFile("/sys/firmware/acpi/tables/CCEL")
+	ccelTable, err := os.ReadFile(internal.AcpiTableFile)
 	if err != nil {
 		return nil, err
 	}