Quote Generation and Verification

In Intel TDX, a “quote” is a signed data structure that serves as the primary evidence for remote attestation. It is worth being precise about who produces it, because the guest (Trust Domain, or TD) cannot forge one, but the quote is not minted by software in the guest or in the host either. The TD asks the TDX module (via a TDCALL) for a TD report, which the CPU integrity-protects with a platform-held key so that only an enclave on the same machine can verify it; the Intel-signed TD Quoting Enclave then verifies that report and signs the quote with an ECDSA attestation key that Intel certifies through its Provisioning Certification Key (PCK) certificate chain. The resulting quote proves to a remote verifier that a specific TD is running on genuine TDX-capable silicon at a known TCB level, and that its measured state (initial image, virtual firmware, kernel, and application) matches expected, independently verifiable values. A TDX quote contains three main elements:
  • TD Report: A snapshot of the TD's measurement registers, MRTD for the initial TD image and the four runtime measurement registers (RTMR0 through RTMR3) that are extended as the virtual firmware, kernel, and application layers load, together with the TCB and security-version fields and the 64-byte REPORTDATA field that the guest supplies.
  • Attestation Key Identifier: The type of the attestation key used to sign the quote and the certification data that chains that key to the platform's PCK certificate, so the verifier can tell which key signed the quote and whether Intel vouches for it.
  • Digital Signature: An ECDSA (P-256) signature over the quote header and the TD report, made with that attestation key, which gives the verifier authenticity and integrity for everything inside the quote.
This mechanism is foundational for confidential computing. It allows any external party, with no privileged position on the host or in the network, to independently verify the integrity and authenticity of a workload without trusting the host OS, the hypervisor, or the cloud provider; all the verifier needs is Intel's root CA and the attestation collateral Intel publishes for the platform (the PCK certificate chain, TCB info, and Quoting Enclave identity). In dstack, TDX quotes are the cornerstone of attestation and key management: every cryptographic operation and policy decision is anchored in hardware-verifiable state. Below, we detail how dstack generates, binds, and integrates TDX quotes into its security architecture:

Quote Structure and Content

Each TDX quote produced by dstack includes:
  • The raw TD report (capturing the current RTMR values and other state),
  • The attestation key ID,
  • An ECDSA signature.
The guest agent is responsible for generating these quotes. It first lays out the caller's data in the 64-byte REPORTDATA field (shorter input is zero-padded to 64 bytes; longer or composite input is hashed first rather than truncated, since a truncated value would silently weaken the binding), and then requests the TD report and the signed quote through the TDX attestation interface. For implementation details, see rpc_service.rs#L150.

Report Data Binding

The 64-byte REPORTDATA field in the TDX quote lets an application cryptographically bind arbitrary data to its attestation: a verifier-chosen nonce for freshness, the public key the TD will use on the wire, an application identifier, or a digest over several of these. Because the field is fixed at 64 bytes, anything larger or composite is hashed first and the digest is placed in the field; dstack accepts several digests for this purpose, including SHA-256, SHA-384, SHA-512, and Keccak, as described in attestation.rs#L32. The implementation enforces both the length and the layout of the report data, so a caller cannot bind a truncated or malformed value. Two consequences matter for verifiers. First, the binding is only as good as the check on the other side: the verifier must recompute the same hash over the value it observed independently (the key in the presented certificate, the nonce it sent) and compare it with the quoted REPORTDATA. Second, a quote that carries no verifier-supplied nonce proves only that the TD existed in that state at some point, not that it is live now, so replay protection has to come from the nonce or from a handshake that the quoted key is bound into.

Certificate Integration

dstack’s RA-TLS (Remote Attestation TLS) system embeds the TDX quote directly in the X.509 certificate as a custom extension, so remote attestation rides on the standard TLS handshake with no out-of-band verification step. When a client or server presents its certificate, the verifier extracts the embedded quote with the from_cert method and validates it. What makes this meaningful, in the standard RA-TLS construction, is that the hash of the certificate's public key is what the TD placed in REPORTDATA: the quote then vouches for exactly the key that signs the handshake, and a quote copied into some other certificate fails the REPORTDATA check. Standard TLS libraries ignore extensions they do not recognise, so the RA-TLS verifier has to perform three checks itself: validate the quote's signature and certification chain up to Intel's root CA against current collateral (TCB info and Quoting Enclave identity), confirm that REPORTDATA matches the presented certificate key (and any session nonce), and compare the measurements (MRTD and RTMRs) against the policy for the expected workload. Done that way, the result is a cryptographically linked trust chain from the hardware root of trust, through the attestation evidence, to the TLS endpoint, giving confidential workloads strong guarantees with little operational overhead.
The process of quote generation and verification is the linchpin of dstack’s attestation model. The next section delves into the verification security model, where these quotes are rigorously validated and enforced.