PCCS Router

Important Note for Smart Contract Developers

Solidity smart contracts are strongly encouraged to fetch collaterals from the PCCS Router rather than directly from individual DAOs. The PCCS Router provides several key advantages:

  • Solidity-friendly types: Returns data in native Solidity types instead of raw JSON types, making integration simpler and more efficient

  • Single address management: Only need to track one router address instead of managing multiple DAO addresses

  • Version management: Automatically routes to the correct versioned DAOs based on TCB evaluation data numbers

  • Consistent interface: Provides a unified API for accessing all PCCS collaterals

Summary

The PCCS Router contract is the recommended interface for contracts wanting to read collaterals from Onchain PCCS. It ensures that callers are always pointing to the most up-to-date PCCS DAOs and returns all collateral data in Solidity-friendly types. The router manages access to multiple versioned DAOs including TcbEvalDao, PcsDao, PckDao, EnclaveIdentityDao (versioned by TCB evaluation data number), and FmspcTcbDao (versioned by TCB evaluation data number).

Methods

Admin Configurable Methods

setConfig

function setConfig(
    address _tcbEval,
    address _pcs,
    address _pck,
    address _x509,
    address _x509Crl,
    address _tcbHelper
) external onlyOwner

Updates the addresses of the core DAO and helper contracts.

Parameters:

  • _tcbEval (address): Address of the TcbEvalDao contract

  • _pcs (address): Address of the PcsDao contract

  • _pck (address): Address of the PckDao contract

  • _x509 (address): Address of the PCK helper contract for X.509 certificate parsing

  • _x509Crl (address): Address of the CRL helper contract

  • _tcbHelper (address): Address of the FmspcTcbHelper contract (for TCBInfo parsing)

setQeIdDaoVersionedAddr

Sets the address for a specific TCB evaluation number version of the QE Identity DAO.

Parameters:

  • tcbEval (uint32): TCB evaluation data number

  • addr (address): Address of the versioned EnclaveIdentityDao contract

Validation:

  • Verifies that the DAO's TCB_EVALUATION_NUMBER() matches the provided tcbEval parameter

setFmspcTcbDaoVersionedAddr

Sets the address for a specific TCB evaluation number version of the FMSPC TCB DAO.

Parameters:

  • tcbEval (uint32): TCB evaluation data number

  • addr (address): Address of the versioned FmspcTcbDao contract

Validation:

  • Verifies that the DAO's TCB_EVALUATION_NUMBER() matches the provided tcbEval parameter

setAuthorized

Authorizes or revokes authorization for a specific caller address.

Parameters:

  • caller (address): Address to authorize or revoke

  • authorized (bool): True to authorize, false to revoke

enableCallerRestriction

Enables caller restriction mode, where only authorized addresses can call getter methods.

disableCallerRestriction

Disables caller restriction mode, allowing any address to call getter methods.

Getter Methods for Fetching Collaterals

TCB Evaluation Data Number

getEarlyTcbEvaluationDataNumber

Retrieves the early TCB evaluation data number for a given TCB ID.

Parameters:

  • id (TcbId): TCB identifier (SGX or TDX)

Returns:

  • uint32: Early TCB evaluation data number

getStandardTcbEvaluationDataNumber

Retrieves the standard TCB evaluation data number for a given TCB ID.

Parameters:

  • id (TcbId): TCB identifier (SGX or TDX)

Returns:

  • uint32: Standard TCB evaluation data number

getEarlyTcbEvaluationDataNumberWithTimestamp

Retrieves the early TCB evaluation data number valid at a specific timestamp.

Parameters:

  • id (TcbId): TCB identifier (SGX or TDX)

  • timestamp (uint64): Unix timestamp for validity check

Returns:

  • uint32: Early TCB evaluation data number

getStandardTcbEvaluationDataNumberWithTimestamp

Retrieves the standard TCB evaluation data number valid at a specific timestamp.

Parameters:

  • id (TcbId): TCB identifier (SGX or TDX)

  • timestamp (uint64): Unix timestamp for validity check

Returns:

  • uint32: Standard TCB evaluation data number

QE Identity

getQeIdentity

Retrieves the QE (Quoting Enclave) identity object in Solidity-friendly format.

Parameters:

  • id (EnclaveId): Enclave identifier

  • pcsApiVersion (uint256): PCS API version

  • tcbEval (uint32): TCB evaluation data number

Returns:

  • identity (IdentityObj): Decoded identity object with native Solidity types

getQeIdentityContentHash

Retrieves the content hash of the QE identity data.

Parameters:

  • id (EnclaveId): Enclave identifier

  • pcsApiVersion (uint256): PCS API version

  • tcbEval (uint32): TCB evaluation data number

Returns:

  • contentHash (bytes32): Hash of the identity content

getQeIdentityContentHashWithTimestamp

Retrieves the content hash of the QE identity data valid at a specific timestamp.

Parameters:

  • id (EnclaveId): Enclave identifier

  • pcsApiVersion (uint256): PCS API version

  • tcbEval (uint32): TCB evaluation data number

  • timestamp (uint64): Unix timestamp for validity check

Returns:

  • contentHash (bytes32): Hash of the identity content

FMSPC TCB Information

getFmspcTcbV2

Retrieves TCB levels for a given FMSPC using TCB Info V2 format.

Parameters:

  • fmspc (bytes6): FMSPC (Family-Model-Stepping-Platform-Custom SKU) identifier

  • tcbEval (uint32): TCB evaluation data number

Returns:

  • tcbLevelsV2 (TCBLevelsObj[]): Array of TCB level objects in V2 format

getFmspcTcbV3

Retrieves TCB levels for a given FMSPC using TCB Info V3 format, including TDX module information.

Parameters:

  • id (TcbId): TCB identifier (SGX or TDX)

  • fmspc (bytes6): FMSPC identifier

  • tcbEval (uint32): TCB evaluation data number

Returns:

  • tcbLevelsV3 (TCBLevelsObj[]): Array of TCB level objects in V3 format

  • tdxModule (TDXModule): TDX module information

  • tdxModuleIdentities (TDXModuleIdentity[]): Array of TDX module identities

getFmspcTcbContentHash

Retrieves the content hash of the FMSPC TCB information.

Parameters:

  • id (TcbId): TCB identifier (SGX or TDX)

  • fmspc (bytes6): FMSPC identifier

  • version (uint32): TCB Info version (2 or 3)

  • tcbEval (uint32): TCB evaluation data number

Returns:

  • contentHash (bytes32): Hash of the TCB info content

getFmspcTcbContentHashWithTimestamp

Retrieves the content hash of the FMSPC TCB information valid at a specific timestamp.

Parameters:

  • id (TcbId): TCB identifier (SGX or TDX)

  • fmspc (bytes6): FMSPC identifier

  • version (uint32): TCB Info version (2 or 3)

  • tcbEval (uint32): TCB evaluation data number

  • timestamp (uint64): Unix timestamp for validity check

Returns:

  • contentHash (bytes32): Hash of the TCB info content

PCK Certificate

getPckCert

Retrieves the PCK (Provisioning Certification Key) certificate. Note: No expiration check is performed.

Parameters:

  • qeid (string): QE ID in hexadecimal string format

  • platformCpuSvn (string): Platform CPU SVN in hexadecimal string format

  • platformPceSvn (string): Platform PCE SVN in hexadecimal string format

  • pceid (string): PCE ID in hexadecimal string format

Returns:

  • pckDer (bytes): DER-encoded PCK certificate

PCS Certificates and CRLs

getCert

Retrieves an X.509 certificate for the specified Certificate Authority.

Parameters:

  • ca (CA): Certificate Authority type (ROOT, SIGNING, PROCESSOR, or PLATFORM)

Returns:

  • x509Der (bytes): DER-encoded X.509 certificate

getCrl

Retrieves the Certificate Revocation List for the specified Certificate Authority.

Parameters:

  • ca (CA): Certificate Authority type (ROOT, SIGNING, PROCESSOR, or PLATFORM)

Returns:

  • x509CrlDer (bytes): DER-encoded X.509 CRL

getCertHash

Retrieves the hash of the X.509 certificate for the specified Certificate Authority.

Parameters:

  • ca (CA): Certificate Authority type (ROOT, SIGNING, PROCESSOR, or PLATFORM)

Returns:

  • hash (bytes32): Hash of the certificate

getCrlHash

Retrieves the hash of the Certificate Revocation List for the specified Certificate Authority.

Parameters:

  • ca (CA): Certificate Authority type (ROOT, SIGNING, PROCESSOR, or PLATFORM)

Returns:

  • hash (bytes32): Hash of the CRL

getCertHashWithTimestamp

Retrieves the hash of the X.509 certificate valid at a specific timestamp.

Parameters:

  • ca (CA): Certificate Authority type (ROOT, SIGNING, PROCESSOR, or PLATFORM)

  • timestamp (uint64): Unix timestamp for validity check

Returns:

  • hash (bytes32): Hash of the certificate

getCrlHashWithTimestamp

Retrieves the hash of the Certificate Revocation List valid at a specific timestamp.

Parameters:

  • ca (CA): Certificate Authority type (ROOT, SIGNING, PROCESSOR, or PLATFORM)

  • timestamp (uint64): Unix timestamp for validity check

Returns:

  • hash (bytes32): Hash of the CRL

Events

SetCallerAuthorization

Emitted when an address is authorized to call the router or has its authorization revoked.

Parameters:

  • caller (address): The address being authorized/unauthorized

  • authorized (bool): True if authorized, false if revoked

UpdateCallerRestriction

Emitted when caller restriction mode is enabled or disabled.

Parameters:

  • restricted (bool): True if restriction is enabled, false if disabled

UpdateConfig

Emitted when the core DAO and helper contract addresses are updated.

Parameters:

  • pcs (address): PcsDao contract address

  • pck (address): PckDao contract address

  • x509 (address): PCK helper contract address

  • x509Crl (address): CRL helper contract address

  • tcbHelper (address): FmspcTcbHelper contract address

UpdateQeIdDaoVersionedAddr

Emitted when a versioned QE Identity DAO address is set.

Parameters:

  • tcbEval (uint32): TCB evaluation data number

  • addr (address): Address of the versioned EnclaveIdentityDao

UpdateFmspcTcbDaoVersionedAddr

Emitted when a versioned FMSPC TCB DAO address is set.

Parameters:

  • tcbEval (uint32): TCB evaluation data number

  • addr (address): Address of the versioned FmspcTcbDao

Reverts

| Error | Selector | Notes |
| --- | --- | --- |
| TcbEvalExpiredOrNotFound(TcbId id) | a78bf21a | TCB evaluation data is expired or not found |
| QEIdentityExpiredOrNotFound(EnclaveId id, uint256 pcsApiVersion) | 0a2a9142 | QE identity is expired or not found for the specified parameters |
| FmspcTcbExpiredOrNotFound(TcbId id, uint256 tcbVersion) | 343385cf | FMSPC TCB information is expired or not found |
| TcbEvalNumberMismatch() | 5705a2ef | The DAO's TCB evaluation data number doesn't match the expected value |
| CertExpiredOrNotFound(CA ca) | cc16ebed | Certificate is expired or not found for the specified CA |
| CrlExpiredOrNotFound(CA ca) | 482b7129 | CRL is expired or not found for the specified CA |
| PckNotFound() | e2990eed | PCK certificate not found for the specified parameters |
| Forbidden() | ee90c468 | Caller is not authorized when restriction mode is enabled |
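The following consumer contract is an added example, not code from the PCCS Router project. It resolves the standard TCB evaluation data number first, then reads the FMSPC TCB content hash stored under that number, and it fails closed by matching the router's revert selectors from the table above. The `IPccsRouter` interface, the `TcbId` member order, the `view` mutability, and the contract, function and error names are assumptions; only the getter names, parameter types and selectors come from this page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed member order (SGX = 0, TDX = 1); the page names the members only.
enum TcbId { SGX, TDX }

// Hypothetical interface declared from the getters documented on this page.
// `view` mutability is an assumption.
interface IPccsRouter {
    function getStandardTcbEvaluationDataNumber(TcbId id) external view returns (uint32);
    function getFmspcTcbContentHash(TcbId id, bytes6 fmspc, uint32 version, uint32 tcbEval)
        external view returns (bytes32 contentHash);
}

// Hypothetical consumer: resolve the evaluation number, then query by it.
contract TcbInfoHashReader {
    // Selectors copied from the Reverts table.
    bytes4 private constant TCB_EVAL_MISSING = 0xa78bf21a;
    bytes4 private constant FMSPC_TCB_MISSING = 0x343385cf;
    bytes4 private constant FORBIDDEN = 0xee90c468;

    error CollateralUnavailable(bytes4 routerSelector); // expired or not found
    error RouterAccessDenied(); // restriction mode on, this contract not authorized
    IPccsRouter public immutable router;

    constructor(address routerAddr) { router = IPccsRouter(routerAddr); }

    function currentTcbInfoHash(TcbId id, bytes6 fmspc, uint32 version)
        external view returns (uint32 tcbEval, bytes32 contentHash)
    {
        try router.getStandardTcbEvaluationDataNumber(id) returns (uint32 n) {
            tcbEval = n;
        } catch (bytes memory reason) {
            _failClosed(reason);
        }
        try router.getFmspcTcbContentHash(id, fmspc, version, tcbEval) returns (bytes32 h) {
            contentHash = h;
        } catch (bytes memory reason) {
            _failClosed(reason);
        }
    }

    // Maps the router's custom errors to local ones; anything else is re-raised unchanged.
    function _failClosed(bytes memory reason) private pure {
        bytes4 sel = reason.length >= 4 ? bytes4(reason) : bytes4(0);
        if (sel == FORBIDDEN) revert RouterAccessDenied();
        if (sel == TCB_EVAL_MISSING || sel == FMSPC_TCB_MISSING) revert CollateralUnavailable(sel);
        assembly { revert(add(reason, 32), mload(reason)) }
    }
}
```

When caller restriction is enabled, the router sees this contract (not the end user) as the caller, so the router owner must authorize the contract's address through setAuthorized.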
