Intel TDX Migration TD Design Guide section 5.2 mentions “MigTD Default Policy” ... For example, the TCB SVN or QE certificate expired date. The trust anchor ... “Intel Root CA Cert” and Certificate Revocation List (CRL) shall also be included... as part of migration policy.” Does the current MigTD implementation support that?
The QVL dependency for MigTD Readme states that a config file for the Intel(R) SGX default Collateral Network Library (qcnl) specifies the URLs for the QVL to retrieve TDX Quote verification collaterals. Does the MigTD implementation use a qcnl configuration file pointing to the Policy file somehow?
Intel Root CA Cert is part of individual file in MigTD CFV binary. It is extended to RTMR[2].
The CRL is NOT included in the MigTD CFV binary, but it is obtained as part of the Quote Verification collaterals at runtime.
(I will update the document.)
MigTD does not use the qcnl config file. Quote Verification lib just uses the default link.
If you have a different idea or a new proposal, we can discuss it as the next step.
Intel TDX Migration TD Design Guide states that CRL shall be included in the Policy. In fact, I think all the verification collaterals, including TCBINFO, QEIdentity and CRL can be part of the Policy, which is extended to MigTD RTMR[2] to be reflected in Migratable TD's Attestation.
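What it means for a file to be "extended to RTMR[2]", and why collateral carried inside the policy becomes visible to a verifier while collateral fetched at runtime does not, shown as an added example that is not MigTD code or part of this thread. It uses the TDX RTMR extend rule (new value = SHA-384 of the old value concatenated with a 48-byte digest). The file names, the policy JSON, the event-log layout and the choice to measure each file as the SHA-384 of its content are assumptions made for illustration.

```python
import hashlib

RTMR_SIZE = 48  # a TDX RTMR holds one SHA-384 value

def sha384(data: bytes) -> bytes:
    return hashlib.sha384(data).digest()

def replay(digests) -> bytes:
    """Replay extend operations from an all-zero register:
    rtmr = SHA384(rtmr || digest) for each logged digest, in order."""
    rtmr = bytes(RTMR_SIZE)
    for d in digests:
        rtmr = sha384(rtmr + d)
    return rtmr

def measure(files):
    """Build (event_log, rtmr) as a measuring component would.
    Assumption: each file is measured as SHA-384 of its content."""
    log = [(name, sha384(blob)) for name, blob in files.items()]
    return log, replay(d for _, d in log)

def check_rtmr(reported: bytes, event_log, expected_files) -> list:
    """Verifier side. Returns findings; an empty list means accepted."""
    findings = []
    if replay(d for _, d in event_log) != reported:
        findings.append("event log does not reproduce reported RTMR")
    logged = dict(event_log)
    for name, blob in expected_files.items():
        if name not in logged:
            findings.append(f"{name}: not measured")
        elif logged[name] != sha384(blob):
            findings.append(f"{name}: measured content differs from expected")
    return findings

# Constructed sample inputs (placeholders, not real certificates or policy).
ROOT_CA = b"-----constructed root CA placeholder-----"
POLICY = b'{"tcb_svn_min": 5}'
POLICY_WITH_CRL = b'{"tcb_svn_min": 5, "crl": "constructed-crl-v2"}'

if __name__ == "__main__":
    log, rtmr = measure({"root_ca": ROOT_CA, "policy": POLICY_WITH_CRL})
    # Verifier expecting the policy that carries the CRL: accepted.
    print(check_rtmr(rtmr, log, {"root_ca": ROOT_CA, "policy": POLICY_WITH_CRL}))
    # Verifier expecting the policy without the CRL: the difference is detected.
    print(check_rtmr(rtmr, log, {"root_ca": ROOT_CA, "policy": POLICY}))
```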