
Introduction

DCAP Dashboard is a single platform to automate onchain collateral upkeep for Intel SGX and TDX.

It serves as a unified system to manage and monitor Intel SGX and TDX quote verification using DCAP (Data Center Attestation Primitives), ensuring the trust chain between enclaves and the root of trust remains intact and valid.

By automating the lifecycle of collateral files with real-time visibility, the DCAP Dashboard helps reduce operational complexity and prevent silent failures that break attestation workflows.

What is a trust chain?

At its core, the trust chain is a hierarchical certificate path used to validate an SGX enclave’s or TDX Trust Domain’s quote. It connects the hardware-generated attestation (the quote) to Intel’s Root Certificate Authority, passing through several layers of signed collateral.

The following files, collectively known as DCAP collaterals, are required to verify the authenticity and security posture of SGX-enabled platforms or TDX-enabled virtual machines:

  • PCK Certificate: Binds a specific platform to Intel’s attestation infrastructure

  • Processor & Platform CA Certificates: Intermediate certs that validate the PCK

  • Root CA Certificate: Cryptographic anchor of the trust chain

  • TCB Info: Describes the platform’s security status (e.g., firmware, microcode, and patch levels) to match it against expected values

  • QE and related Identities: Confirm the integrity of quoting components

  • CRLs: Indicate revoked certificates at all levels

Why does it matter?

If any part of this chain is missing, outdated, expired, or revoked:

  • The quote cannot be verified

  • The enclave's trustworthiness cannot be proven

  • Most verifiers will fail silently, without a detailed error

At the same time, these collaterals expire on different timelines:

  • Root and CA certificates are long-lived and expire after 7 to 30 years.

  • PCK certificates typically expire after 7 years.

  • TCB Info and CRLs are updated periodically to maintain validity:

    • Root CA CRL: Expires after 1 year

    • Platform CA CRL / Processor CA CRL: Expire after 30 days

    • TCB Info: Expires after 30 days

    • QE / TDQE / QvE / QAE Identities: Expire after 30 days

Intel SGX and TDX remote attestation depend on a complete and continuously updated chain of collaterals. Any missing or expired file silently invalidates the chain, making it difficult to detect until a downstream service breaks.

DCAP Dashboard eliminates this overhead by automatically fetching, validating, and keeping collateral up to date, so quotes remain verifiable even as underlying components change or expire.
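The freshness check this implies can be sketched as follows. This is an added example, not DCAP Dashboard's own code: it reads the `nextUpdate` field of the TCB Info and enclave identity JSON, and reports each required item explicitly instead of failing silently. The bundle keys, the dict form used for CRLs, and the 7-day warning window are assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

# Hypothetical bundle keys; a real deployment also tracks certificates.
REQUIRED = ("root_ca_crl", "pck_ca_crl", "tcb_info", "qe_identity")

def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def next_update(name, item):
    """Return the time after which one collateral item is stale."""
    if name == "tcb_info":        # Intel TCB Info JSON body
        return parse_ts(json.loads(item)["tcbInfo"]["nextUpdate"])
    if name == "qe_identity":     # Intel enclave identity JSON body
        return parse_ts(json.loads(item)["enclaveIdentity"]["nextUpdate"])
    return parse_ts(item["nextUpdate"])  # CRL summarised as a constructed dict

def audit(bundle, now, warn=timedelta(days=7)):
    """Map every required item to OK, EXPIRING, EXPIRED or MISSING."""
    findings = {}
    for name in REQUIRED:
        if name not in bundle:
            findings[name] = "MISSING"
            continue
        remaining = next_update(name, bundle[name]) - now
        if remaining <= timedelta(0):
            findings[name] = "EXPIRED"
        elif remaining <= warn:
            findings[name] = "EXPIRING"
        else:
            findings[name] = "OK"
    return findings

def chain_verifiable(findings):
    """A single missing or expired item invalidates the whole chain."""
    return not any(s in ("MISSING", "EXPIRED") for s in findings.values())

# Constructed sample data, not real Intel collateral.
NOW = datetime(2025, 1, 20, tzinfo=timezone.utc)
SAMPLE = {
    "root_ca_crl": {"nextUpdate": "2025-12-01T00:00:00Z"},
    "pck_ca_crl": {"nextUpdate": "2025-01-25T00:00:00Z"},
    "tcb_info": json.dumps({"tcbInfo": {"nextUpdate": "2025-01-15T00:00:00Z"}}),
}

if __name__ == "__main__":
    for name, status in audit(SAMPLE, NOW).items():
        print(f"{name}: {status}")
    print("verifiable:", chain_verifiable(audit(SAMPLE, NOW)))
```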

Who is it for?

  • Developers building AI or agent-based applications that rely on trusted hardware to prove the integrity of inference, execution, or model access

  • Protocols that maintain SGX- or TDX-backed compute services and require uninterrupted quote verification across chains or environments

  • Infrastructure teams managing TEEs across validator networks, rollups, or modular app chains to ensure verifiable platform trust

  • Enterprises deploying SGX- or TDX-backed services with a need for auditability and operational resilience

TL;DR

DCAP Dashboard:

  • Automates Intel SGX and TDX collateral upkeep to ensure continuous validity

  • Offloads operational burden from engineering teams

  • Keeps quote verification intact even as upstream certs rotate, expire or are revoked

  • Monitors verification status across chains, with support for EVM-based networks

  • Provides a single interface to map trust paths and make attestation failures easier to trace
