Automata PCK DAO

Summary

The PckDao contract manages onchain storage and retrieval of Intel PCK (Provisioning Certification Key) Certificates. It handles PCK certificate data indexed by QE ID, PCE ID, and TCBm (TCB measurement), providing methods to upsert and query PCK certificates with signature verification. This contract also manages platform TCB mappings that associate raw TCB values with attested TCBm values.

Methods

getCert

function getCert(
    string calldata qeid,
    string calldata platformCpuSvn,
    string calldata platformPceSvn,
    string calldata pceid
) external view returns (bytes memory pckCert)

Gets the PCK certificate for a specific platform identified by QE ID, PCE ID, and platform TCB values.

Parameters:

• qeid (string): Quoting Enclave ID as hex string
• platformCpuSvn (string): Platform CPU SVN as hex string
• platformPceSvn (string): Platform PCE SVN as hex string
• pceid (string): Platform Configuration Enclave ID as hex string

Returns:

• pckCert (bytes): DER-encoded PCK Certificate

getCerts

function getCerts(string calldata qeid, string calldata pceid)
    external
    view
    returns (string[] memory tcbms, bytes[] memory pckCerts)

Gets all available PCK certificates and their corresponding TCBm values for a platform identified by QE ID and PCE ID.

Parameters:

• qeid (string): Quoting Enclave ID as hex string
• pceid (string): Platform Configuration Enclave ID as hex string

Returns:

• tcbms (string[]): Array of TCBm values as hex strings
• pckCerts (bytes[]): Array of DER-encoded PCK Certificates

getPlatformTcbByIdAndSvns

function getPlatformTcbByIdAndSvns(
    string calldata qeid,
    string calldata pceid,
    string calldata platformCpuSvn,
    string calldata platformPceSvn
) external view returns (string memory tcbm)

Fetches the mapping from raw TCB values to an attested TCBm value for a specific platform.

Parameters:

• qeid (string): Quoting Enclave ID as hex string
• pceid (string): Platform Configuration Enclave ID as hex string
• platformCpuSvn (string): Platform CPU SVN as hex string
• platformPceSvn (string): Platform PCE SVN as hex string

Returns:

• tcbm (string): The mapped TCBm value as hex string

upsertPckCert

function upsertPckCert(
    CA ca,
    string calldata qeid,
    string calldata pceid,
    string calldata tcbm,
    bytes calldata cert
) external returns (bytes32 attestationId)

Upserts (inserts or updates) a PCK certificate onchain with signature verification, revocation checking, and rollback protection.

Parameters:

• ca (CA): Certificate Authority type - CA.PROCESSOR or CA.PLATFORM
• qeid (string): Quoting Enclave ID as hex string
• pceid (string): Platform Configuration Enclave ID as hex string
• tcbm (string): TCBm value as hex string (concatenation of CPU SVN and PCE SVN)
• cert (bytes): DER-encoded PCK Leaf Certificate

Returns:

• attestationId (bytes32): The attestation ID returned by the resolver

upsertPlatformTcbs

function upsertPlatformTcbs(
    string calldata qeid,
    string calldata pceid,
    string calldata platformCpuSvn,
    string calldata platformPceSvn,
    string calldata tcbm
) external returns (bytes32)

Creates a mapping from raw TCB values (platform CPU SVN and PCE SVN) to a known attested TCBm value.

Parameters:

• qeid (string): Quoting Enclave ID as hex string
• pceid (string): Platform Configuration Enclave ID as hex string
• platformCpuSvn (string): Platform CPU SVN as hex string
• platformPceSvn (string): Platform PCE SVN as hex string
• tcbm (string): TCBm value as hex string to map to

Returns:

• (bytes32): Always returns bytes32(0)

getPckCertChain

function getPckCertChain(CA ca)
    external
    view
    returns (bytes memory intermediateCert, bytes memory rootCert)

Queries the PCK certificate issuer chain for the specified Certificate Authority type.

Parameters:

• ca (CA): Certificate Authority type - CA.PROCESSOR or CA.PLATFORM

Returns:

• intermediateCert (bytes): DER-encoded intermediate PCK CA certificate
• rootCert (bytes): DER-encoded Intel SGX Root CA certificate

Reverts