PCCS Router

Important Note for Smart Contract Developers

Solidity smart contracts are strongly encouraged to fetch collaterals from the PCCS Router rather than directly from individual DAOs. The PCCS Router provides several key advantages:

  • Solidity-friendly types: Returns data in native Solidity types instead of raw JSON types, making integration simpler and more efficient

  • Single address management: Only need to track one router address instead of managing multiple DAO addresses

  • Version management: Automatically routes to the correct versioned DAOs based on TCB evaluation data numbers

  • Consistent interface: Provides a unified API for accessing all PCCS collaterals

Summary

The PCCS Router contract is the recommended interface for contracts wanting to read collaterals from Onchain PCCS. It ensures that callers are always pointing to the most up-to-date PCCS DAOs and returns all collateral data in Solidity-friendly types. The router manages access to multiple versioned DAOs including TcbEvalDao, PcsDao, PckDao, EnclaveIdentityDao (versioned by TCB evaluation data number), and FmspcTcbDao (versioned by TCB evaluation data number).

Methods

Admin Configurable Methods

setConfig

function setConfig(
    address _tcbEval,
    address _pcs,
    address _pck,
    address _x509,
    address _x509Crl,
    address _tcbHelper
) external onlyOwner

Updates the addresses of the core DAO and helper contracts.

Parameters:

  • _tcbEval (address): Address of the TcbEvalDao contract

  • _pcs (address): Address of the PcsDao contract

  • _pck (address): Address of the PckDao contract

  • _x509 (address): Address of the PCK helper contract for X.509 certificate parsing

  • _x509Crl (address): Address of the CRL helper contract

  • _tcbHelper (address): Address of the FmspcTcbHelper contract (for TCBInfo parsing)

setQeIdDaoVersionedAddr

function setQeIdDaoVersionedAddr(uint32 tcbEval, address addr) external onlyOwner

Sets the address for a specific TCB evaluation number version of the QE Identity DAO.

Parameters:

  • tcbEval (uint32): TCB evaluation data number

  • addr (address): Address of the versioned EnclaveIdentityDao contract

Validation:

  • Verifies that the DAO's TCB_EVALUATION_NUMBER() matches the provided tcbEval parameter

setFmspcTcbDaoVersionedAddr

function setFmspcTcbDaoVersionedAddr(uint32 tcbEval, address addr) external onlyOwner

Sets the address for a specific TCB evaluation number version of the FMSPC TCB DAO.

Parameters:

  • tcbEval (uint32): TCB evaluation data number

  • addr (address): Address of the versioned FmspcTcbDao contract

Validation:

  • Verifies that the DAO's TCB_EVALUATION_NUMBER() matches the provided tcbEval parameter

setAuthorized

function setAuthorized(address caller, bool authorized) external onlyOwner

Authorizes or revokes authorization for a specific caller address.

Parameters:

  • caller (address): Address to authorize or revoke

  • authorized (bool): True to authorize, false to revoke

enableCallerRestriction

function enableCallerRestriction() external onlyOwner

Enables caller restriction mode, where only authorized addresses can call getter methods.

disableCallerRestriction

function disableCallerRestriction() external onlyOwner

Disables caller restriction mode, allowing any address to call getter methods.

Getter Methods for Fetching Collaterals

TCB Evaluation Data Number

getEarlyTcbEvaluationDataNumber

function getEarlyTcbEvaluationDataNumber(TcbId id) external view returns (uint32)

Retrieves the early TCB evaluation data number for a given TCB ID.

Parameters:

  • id (TcbId): TCB identifier (SGX or TDX)

Returns:

  • uint32: Early TCB evaluation data number

getStandardTcbEvaluationDataNumber

function getStandardTcbEvaluationDataNumber(TcbId id) external view returns (uint32)

Retrieves the standard TCB evaluation data number for a given TCB ID.

Parameters:

  • id (TcbId): TCB identifier (SGX or TDX)

Returns:

  • uint32: Standard TCB evaluation data number

getEarlyTcbEvaluationDataNumberWithTimestamp

function getEarlyTcbEvaluationDataNumberWithTimestamp(TcbId id, uint64 timestamp) external view returns (uint32)

Retrieves the early TCB evaluation data number valid at a specific timestamp.

Parameters:

  • id (TcbId): TCB identifier (SGX or TDX)

  • timestamp (uint64): Unix timestamp for validity check

Returns:

  • uint32: Early TCB evaluation data number

getStandardTcbEvaluationDataNumberWithTimestamp

function getStandardTcbEvaluationDataNumberWithTimestamp(TcbId id, uint64 timestamp) external view returns (uint32)

Retrieves the standard TCB evaluation data number valid at a specific timestamp.

Parameters:

  • id (TcbId): TCB identifier (SGX or TDX)

  • timestamp (uint64): Unix timestamp for validity check

Returns:

  • uint32: Standard TCB evaluation data number

QE Identity

getQeIdentity

function getQeIdentity(EnclaveId id, uint256 pcsApiVersion, uint32 tcbEval) external view returns (IdentityObj memory identity)

Retrieves the QE (Quoting Enclave) identity object in Solidity-friendly format.

Parameters:

  • id (EnclaveId): Enclave identifier

  • pcsApiVersion (uint256): PCS API version

  • tcbEval (uint32): TCB evaluation data number

Returns:

  • identity (IdentityObj): Decoded identity object with native Solidity types

getQeIdentityContentHash

function getQeIdentityContentHash(EnclaveId id, uint256 pcsApiVersion, uint32 tcbEval) external view returns (bytes32 contentHash)

Retrieves the content hash of the QE identity data.

Parameters:

  • id (EnclaveId): Enclave identifier

  • pcsApiVersion (uint256): PCS API version

  • tcbEval (uint32): TCB evaluation data number

Returns:

  • contentHash (bytes32): Hash of the identity content

getQeIdentityContentHashWithTimestamp

function getQeIdentityContentHashWithTimestamp(
    EnclaveId id,
    uint256 pcsApiVersion,
    uint32 tcbEval,
    uint64 timestamp
) external view returns (bytes32 contentHash)

Retrieves the content hash of the QE identity data valid at a specific timestamp.

Parameters:

  • id (EnclaveId): Enclave identifier

  • pcsApiVersion (uint256): PCS API version

  • tcbEval (uint32): TCB evaluation data number

  • timestamp (uint64): Unix timestamp for validity check

Returns:

  • contentHash (bytes32): Hash of the identity content

FMSPC TCB Information

getFmspcTcbV2

function getFmspcTcbV2(bytes6 fmspc, uint32 tcbEval) external view returns (TCBLevelsObj[] memory tcbLevelsV2)

Retrieves TCB levels for a given FMSPC using TCB Info V2 format.

Parameters:

  • fmspc (bytes6): FMSPC (Family-Model-Stepping-Platform-Custom SKU) identifier

  • tcbEval (uint32): TCB evaluation data number

Returns:

  • tcbLevelsV2 (TCBLevelsObj[]): Array of TCB level objects in V2 format

getFmspcTcbV3

function getFmspcTcbV3(TcbId id, bytes6 fmspc, uint32 tcbEval) external view returns (
    TCBLevelsObj[] memory tcbLevelsV3,
    TDXModule memory tdxModule,
    TDXModuleIdentity[] memory tdxModuleIdentities
)

Retrieves TCB levels for a given FMSPC using TCB Info V3 format, including TDX module information.

Parameters:

  • id (TcbId): TCB identifier (SGX or TDX)

  • fmspc (bytes6): FMSPC identifier

  • tcbEval (uint32): TCB evaluation data number

Returns:

  • tcbLevelsV3 (TCBLevelsObj[]): Array of TCB level objects in V3 format

  • tdxModule (TDXModule): TDX module information

  • tdxModuleIdentities (TDXModuleIdentity[]): Array of TDX module identities

getFmspcTcbContentHash

function getFmspcTcbContentHash(TcbId id, bytes6 fmspc, uint32 version, uint32 tcbEval) external view returns (bytes32 contentHash)

Retrieves the content hash of the FMSPC TCB information.

Parameters:

  • id (TcbId): TCB identifier (SGX or TDX)

  • fmspc (bytes6): FMSPC identifier

  • version (uint32): TCB Info version (2 or 3)

  • tcbEval (uint32): TCB evaluation data number

Returns:

  • contentHash (bytes32): Hash of the TCB info content

getFmspcTcbContentHashWithTimestamp

function getFmspcTcbContentHashWithTimestamp(
    TcbId id,
    bytes6 fmspc,
    uint32 version,
    uint32 tcbEval,
    uint64 timestamp
) external view returns (bytes32 contentHash)

Retrieves the content hash of the FMSPC TCB information valid at a specific timestamp.

Parameters:

  • id (TcbId): TCB identifier (SGX or TDX)

  • fmspc (bytes6): FMSPC identifier

  • version (uint32): TCB Info version (2 or 3)

  • tcbEval (uint32): TCB evaluation data number

  • timestamp (uint64): Unix timestamp for validity check

Returns:

  • contentHash (bytes32): Hash of the TCB info content

PCK Certificate

getPckCert

function getPckCert(
    string calldata qeid,
    string calldata platformCpuSvn,
    string calldata platformPceSvn,
    string calldata pceid
) external view returns (bytes memory pckDer)

Retrieves the PCK (Provisioning Certification Key) certificate. Note: No expiration check is performed.

Parameters:

  • qeid (string): QE ID in hexadecimal string format

  • platformCpuSvn (string): Platform CPU SVN in hexadecimal string format

  • platformPceSvn (string): Platform PCE SVN in hexadecimal string format

  • pceid (string): PCE ID in hexadecimal string format

Returns:

  • pckDer (bytes): DER-encoded PCK certificate

PCS Certificates and CRLs

getCert

function getCert(CA ca) external view returns (bytes memory x509Der)

Retrieves an X.509 certificate for the specified Certificate Authority.

Parameters:

  • ca (CA): Certificate Authority type (ROOT, SIGNING, PROCESSOR, or PLATFORM)

Returns:

  • x509Der (bytes): DER-encoded X.509 certificate

getCrl

function getCrl(CA ca) external view returns (bytes memory x509CrlDer)

Retrieves the Certificate Revocation List for the specified Certificate Authority.

Parameters:

  • ca (CA): Certificate Authority type (ROOT, SIGNING, PROCESSOR, or PLATFORM)

Returns:

  • x509CrlDer (bytes): DER-encoded X.509 CRL

getCertHash

function getCertHash(CA ca) external view returns (bytes32 hash)

Retrieves the hash of the X.509 certificate for the specified Certificate Authority.

Parameters:

  • ca (CA): Certificate Authority type (ROOT, SIGNING, PROCESSOR, or PLATFORM)

Returns:

  • hash (bytes32): Hash of the certificate

getCrlHash

function getCrlHash(CA ca) external view returns (bytes32 hash)

Retrieves the hash of the Certificate Revocation List for the specified Certificate Authority.

Parameters:

  • ca (CA): Certificate Authority type (ROOT, SIGNING, PROCESSOR, or PLATFORM)

Returns:

  • hash (bytes32): Hash of the CRL

getCertHashWithTimestamp

function getCertHashWithTimestamp(CA ca, uint64 timestamp) external view returns (bytes32 hash)

Retrieves the hash of the X.509 certificate valid at a specific timestamp.

Parameters:

  • ca (CA): Certificate Authority type (ROOT, SIGNING, PROCESSOR, or PLATFORM)

  • timestamp (uint64): Unix timestamp for validity check

Returns:

  • hash (bytes32): Hash of the certificate

getCrlHashWithTimestamp

function getCrlHashWithTimestamp(CA ca, uint64 timestamp) external view returns (bytes32 hash)

Retrieves the hash of the Certificate Revocation List valid at a specific timestamp.

Parameters:

  • ca (CA): Certificate Authority type (ROOT, SIGNING, PROCESSOR, or PLATFORM)

  • timestamp (uint64): Unix timestamp for validity check

Returns:

  • hash (bytes32): Hash of the CRL

Events

SetCallerAuthorization

event SetCallerAuthorization(address caller, bool authorized)

Emitted when an address is authorized or unauthorized to call the router.

Parameters:

  • caller (address): The address being authorized/unauthorized

  • authorized (bool): True if authorized, false if revoked

UpdateCallerRestriction

event UpdateCallerRestriction(bool restricted)

Emitted when caller restriction mode is enabled or disabled.

Parameters:

  • restricted (bool): True if restriction is enabled, false if disabled

UpdateConfig

event UpdateConfig(
    address pcs,
    address pck,
    address x509,
    address x509Crl,
    address tcbHelper
)

Emitted when the core DAO and helper contract addresses are updated.

Parameters:

  • pcs (address): PcsDao contract address

  • pck (address): PckDao contract address

  • x509 (address): PCK helper contract address

  • x509Crl (address): CRL helper contract address

  • tcbHelper (address): FmspcTcbHelper contract address

UpdateQeIdDaoVersionedAddr

event UpdateQeIdDaoVersionedAddr(uint32 tcbEval, address addr)

Emitted when a versioned QE Identity DAO address is set.

Parameters:

  • tcbEval (uint32): TCB evaluation data number

  • addr (address): Address of the versioned EnclaveIdentityDao

UpdateFmspcTcbDaoVersionedAddr

event UpdateFmspcTcbDaoVersionedAddr(uint32 tcbEval, address addr)

Emitted when a versioned FMSPC TCB DAO address is set.

Parameters:

  • tcbEval (uint32): TCB evaluation data number

  • addr (address): Address of the versioned FmspcTcbDao

Reverts

Error
Selector
Notes

TcbEvalExpiredOrNotFound(TcbId id)

a78bf21a

TCB evaluation data is expired or not found

QEIdentityExpiredOrNotFound(EnclaveId id, uint256 pcsApiVersion)

0a2a9142

QE identity is expired or not found for the specified parameters

FmspcTcbExpiredOrNotFound(TcbId id, uint256 tcbVersion)

343385cf

FMSPC TCB information is expired or not found

TcbEvalNumberMismatch()

5705a2ef

The DAO's TCB evaluation data number doesn't match the expected value

CertExpiredOrNotFound(CA ca)

cc16ebed

Certificate is expired or not found for the specified CA

CrlExpiredOrNotFound(CA ca)

482b7129

CRL is expired or not found for the specified CA

PckNotFound()

e2990eed

PCK certificate not found for the specified parameters

Forbidden()

ee90c468

Caller is not authorized when restriction mode is enabled

PreviousAutomata DCAP AttestationNextContract Address

Last updated

Was this helpful?