intel/trustauthority-client-for-python

Intel® Trust Authority Client for Python

· 09/13/2024 ·

The Intel® Trust Authority Client for Python is a library of Python modules used to perform remote attestation of a Trusted Execution Environment (TEE) using Intel Trust Authority as the verifier. The client packages enable you to collect evidence from the TEE, request an attestation token (JWT), and verify the cryptographic signature of the token.

The Intel Trust Authority client is designed for use by both attesting applications and relying parties. It can be used in either Passport or Background-check attestation patterns. The client is available in several languages, including Go, C, and Java. All the clients share a common API.

Both the connector and a TEE adapter (the platform-specific software that collects evidence from a TEE) must be installed on the attesting TEE to collect evidence for attestation. However, a TEE adapter is not required to use the client to verify a token, or to request attestation in background-check mode using a quote provided by the attester.

The Python client currently supports the following TEEs:

  • Intel® Software Guard Extensions (Intel® SGX).
  • Intel® Trust Domain Extensions (Intel® TDX) for on-premises Intel TDX platforms.
  • Google Cloud Platform* (GCP) confidential VMs with Intel TDX.
  • Azure* confidential VMs with Intel TDX.
  • NVIDIA* H100 GPUs with Intel TDX.

Library structure

System requirements

  • Ubuntu 24.04 LTS with kernel 6.8 or later
  • Python 3.8 or later
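
A preflight check for the system requirements listed above, which can be run on a host before installing the client. This is an added example, not code from the Intel Trust Authority project. The function names are hypothetical, and it assumes the Ubuntu requirement means exactly release 24.04 while the kernel and Python versions are minimums.

```python
import platform
import re
import sys

# Values taken from the requirements list above.
REQUIRED_DISTRO = ("ubuntu", "24.04")  # assumption: exact release match
MIN_KERNEL = (6, 8)
MIN_PYTHON = (3, 8)


def parse_os_release(text):
    """Parse /etc/os-release KEY=value lines into a dict, stripping quotes."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key] = value.strip().strip('"').strip("'")
    return fields


def kernel_version(release):
    """Return (major, minor) from a `uname -r` string such as '6.8.0-45-generic'."""
    match = re.match(r"(\d+)\.(\d+)", release)
    if not match:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    # Compare as integers: as strings, "6.10" would sort before "6.8".
    return int(match.group(1)), int(match.group(2))


def unmet_requirements(os_release_text, kernel_release, python_version):
    """Return a list of problems; an empty list means the host qualifies."""
    problems = []
    osr = parse_os_release(os_release_text)
    distro = (osr.get("ID", "").lower(), osr.get("VERSION_ID", ""))
    if distro != REQUIRED_DISTRO:
        problems.append(f"distribution is {distro[0] or 'unknown'} {distro[1]}, need Ubuntu 24.04 LTS")
    if kernel_version(kernel_release) < MIN_KERNEL:
        problems.append(f"kernel {kernel_release} is older than 6.8")
    if tuple(python_version[:2]) < MIN_PYTHON:
        problems.append(f"Python {python_version[0]}.{python_version[1]} is older than 3.8")
    return problems


if __name__ == "__main__":
    with open("/etc/os-release", encoding="utf-8") as fh:
        found = unmet_requirements(fh.read(), platform.release(), sys.version_info)
    for problem in found:
        print("UNMET:", problem)
    sys.exit(1 if found else 0)
```

The script exits non-zero when any requirement is unmet, so it can gate a provisioning step.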

Installation

To install the latest version of the Intel TDX + NVIDIA H100 client, follow these steps:

  1. The following commands clone the repository, check out the main branch, and set up the environment to build the wheel and run the CLI. You must replace <path_to_pythonclient> with the path to the directory where you'll install the client (e.g., pythonclient). You can customize the epic names in the sample below, or copy it as-is and run it. Don't change $CLIPATH or the git clone <repo> and <branch>.

    git clone https://github.com/intel/trustauthority-client-for-python.git;

    # To use the Trust Authority CLI (inteltrustauthorityclient/cli)
    export CLIPATH=<path_to_pythonclient>/inteltrustauthorityclient/cli/trustauthority-pycli;
    alias trustauthority-pycli="sudo python3 $CLIPATH/trustauthority-cli.py"

sudo is optional in the alias defined above, but it is required to run the CLI commands that collect evidence from the TEE, so it is convenient to include it in the alias.

Run the following commands from the inteltrustauthorityclient directory.

  1. Install poetry by running the following command:

    pip3 install --no-cache-dir poetry
  2. Create a wheel package using poetry:

    Spawn a poetry shell:

    poetry shell

    Build wheel package:

    poetry build
  3. Run pip install to install the inteltrustauthorityclient package in site-packages:

    cd dist
    pip install applications_security_amber_trustauthority_client_for_python-1.1.0-py3-none-any.whl

Usage

More information about how to use this library is available in the READMEs for each package. Library structure, above, has links to the READMEs for each package.

The primary documentation is the Python Connector Reference in the Intel Trust Authority documentation.

Sample applications

For more information on how to use the client, see the sample applications in the examples folder.

Unit Tests

For more information on how to run the unit tests, see the Unit Tests README.

Code of Conduct and Contributing

See the Contributing file for more information on how to contribute to this project. This project follows the Code of Conduct.

License

This library is distributed under the BSD-style license found in the LICENSE file.



* Other names and brands may be claimed as the property of others.