@inco/lightning 0.3.2 → 0.5.0

package/src/Lib.sol

@@ -5,12 +5,11 @@
 /// SPDX-License-Identifier: No License
 pragma solidity ^0.8;
 
-import "./IncoLightning.sol";
-import { ebool, euint256, eaddress, ETypes, isTypeSupported } from "./Types.sol";
+import { IncoLightning } from "./IncoLightning.sol";
+import { ebool, euint256, eaddress, ETypes } from "./Types.sol";
 
 IncoLightning constant inco = IncoLightning(0x63D8135aF4D393B1dB43B649010c8D3EE19FC9fd);
 address constant deployedBy = 0x8202D2D747784Cb7D48868E44C42C4bf162a70BC;
-uint256 constant defaultDecryptionDelayLimit = 2 hours;
 
 function typeOf(bytes32 handle) pure returns (ETypes) {
     return ETypes(uint8(uint256(handle) >> 8));
@@ -410,6 +409,18 @@ library e {
         inco.allow(eaddress.unwrap(a), to);
     }
 
+    function reveal(euint256 a) internal {
+        inco.reveal(euint256.unwrap(a));
+    }
+
+    function reveal(ebool a) internal {
+        inco.reveal(ebool.unwrap(a));
+    }
+
+    function reveal(eaddress a) internal {
+        inco.reveal(eaddress.unwrap(a));
+    }
+
     function allowThis(euint256 a) internal {
         allow(a, address(this));
     }
@@ -437,16 +448,4 @@ library e {
     function select(ebool control, eaddress ifTrue, eaddress ifFalse) internal returns (eaddress) {
         return eaddress.wrap(inco.eIfThenElse(s(control), eaddress.unwrap(s(ifTrue)), eaddress.unwrap(s(ifFalse))));
     }
-
-    function requestDecryption(euint256 a, bytes4 callbackSelector, bytes memory callbackData) internal returns (uint256 requestId) {
-        requestId = inco.requestDecryption(callbackSelector, block.timestamp + defaultDecryptionDelayLimit, euint256.unwrap(s(a)), callbackData);
-    }
-
-    function requestDecryption(ebool a, bytes4 callbackSelector, bytes memory callbackData) internal returns (uint256 requestId) {
-        requestId = inco.requestDecryption(callbackSelector, block.timestamp + defaultDecryptionDelayLimit, ebool.unwrap(s(a)), callbackData);
-    }
-
-    function requestDecryption(eaddress a, bytes4 callbackSelector, bytes memory callbackData) internal returns (uint256 requestId) {
-        requestId = inco.requestDecryption(callbackSelector, block.timestamp + defaultDecryptionDelayLimit, eaddress.unwrap(s(a)), callbackData);
-    }
 }

package/src/Lib.template.sol

@@ -2,16 +2,14 @@
 // SPDX-License-Identifier: No License
 pragma solidity ^0.8;
 
-import "./IncoLightning.sol";
-import {ebool, euint256, eaddress, ETypes, isTypeSupported} from "./Types.sol";
+import {IncoLightning} from "./IncoLightning.sol";
+import {ebool, euint256, eaddress, ETypes} from "./Types.sol";
 
 IncoLightning constant inco = IncoLightning(
     0x000000000000000000000000000000000000baBe
 );
 address constant deployedBy = 0x000000000000000000000000000000000000baBe;
 
-uint256 constant defaultDecryptionDelayLimit = 2 hours;
-
 function typeOf(bytes32 handle) pure returns (ETypes) {
     return ETypes(uint8(uint256(handle) >> 8));
 }
@@ -444,6 +442,18 @@ library e {
         inco.allow(eaddress.unwrap(a), to);
     }
 
+    function reveal(euint256 a) internal {
+        inco.reveal(euint256.unwrap(a));
+    }
+
+    function reveal(ebool a) internal {
+        inco.reveal(ebool.unwrap(a));
+    }
+
+    function reveal(eaddress a) internal {
+        inco.reveal(eaddress.unwrap(a));
+    }
+
     function allowThis(euint256 a) internal {
         allow(a, address(this));
     }
@@ -459,7 +469,7 @@ library e {
     function isAllowed(address user, euint256 a) internal view returns (bool) {
         return inco.isAllowed(euint256.unwrap(a), user);
     }
-    
+
     function select(
         ebool control,
         euint256 ifTrue,
@@ -504,43 +514,4 @@ library e {
                 )
             );
     }
-
-    function requestDecryption(
-        euint256 a,
-        bytes4 callbackSelector,
-        bytes memory callbackData
-    ) internal returns (uint256 requestId) {
-        requestId = inco.requestDecryption(
-            callbackSelector,
-            block.timestamp + defaultDecryptionDelayLimit,
-            euint256.unwrap(s(a)),
-            callbackData
-        );
-    }
-
-    function requestDecryption(
-        ebool a,
-        bytes4 callbackSelector,
-        bytes memory callbackData
-    ) internal returns (uint256 requestId) {
-        requestId = inco.requestDecryption(
-            callbackSelector,
-            block.timestamp + defaultDecryptionDelayLimit,
-            ebool.unwrap(s(a)),
-            callbackData
-        );
-    }
-
-    function requestDecryption(
-        eaddress a,
-        bytes4 callbackSelector,
-        bytes memory callbackData
-    ) internal returns (uint256 requestId) {
-        requestId = inco.requestDecryption(
-            callbackSelector,
-            block.timestamp + defaultDecryptionDelayLimit,
-            eaddress.unwrap(s(a)),
-            callbackData
-        );
-    }
 }

package/src/Lib.testnet.sol

@@ -5,12 +5,11 @@
 /// SPDX-License-Identifier: No License
 pragma solidity ^0.8;
 
-import "./IncoLightning.sol";
-import { ebool, euint256, eaddress, ETypes, isTypeSupported } from "./Types.sol";
+import { IncoLightning } from "./IncoLightning.sol";
+import { ebool, euint256, eaddress, ETypes } from "./Types.sol";
 
 IncoLightning constant inco = IncoLightning(0x63D8135aF4D393B1dB43B649010c8D3EE19FC9fd);
 address constant deployedBy = 0x8202D2D747784Cb7D48868E44C42C4bf162a70BC;
-uint256 constant defaultDecryptionDelayLimit = 2 hours;
 
 function typeOf(bytes32 handle) pure returns (ETypes) {
     return ETypes(uint8(uint256(handle) >> 8));
@@ -410,6 +409,18 @@ library e {
         inco.allow(eaddress.unwrap(a), to);
     }
 
+    function reveal(euint256 a) internal {
+        inco.reveal(euint256.unwrap(a));
+    }
+
+    function reveal(ebool a) internal {
+        inco.reveal(ebool.unwrap(a));
+    }
+
+    function reveal(eaddress a) internal {
+        inco.reveal(eaddress.unwrap(a));
+    }
+
     function allowThis(euint256 a) internal {
         allow(a, address(this));
     }
@@ -437,16 +448,4 @@ library e {
     function select(ebool control, eaddress ifTrue, eaddress ifFalse) internal returns (eaddress) {
         return eaddress.wrap(inco.eIfThenElse(s(control), eaddress.unwrap(s(ifTrue)), eaddress.unwrap(s(ifFalse))));
     }
-
-    function requestDecryption(euint256 a, bytes4 callbackSelector, bytes memory callbackData) internal returns (uint256 requestId) {
-        requestId = inco.requestDecryption(callbackSelector, block.timestamp + defaultDecryptionDelayLimit, euint256.unwrap(s(a)), callbackData);
-    }
-
-    function requestDecryption(ebool a, bytes4 callbackSelector, bytes memory callbackData) internal returns (uint256 requestId) {
-        requestId = inco.requestDecryption(callbackSelector, block.timestamp + defaultDecryptionDelayLimit, ebool.unwrap(s(a)), callbackData);
-    }
-
-    function requestDecryption(eaddress a, bytes4 callbackSelector, bytes memory callbackData) internal returns (uint256 requestId) {
-        requestId = inco.requestDecryption(callbackSelector, block.timestamp + defaultDecryptionDelayLimit, eaddress.unwrap(s(a)), callbackData);
-    }
 }

package/src/Types.sol

@@ -108,6 +108,13 @@ pragma solidity ^0.8;
 string constant EVM_HOST_CHAIN_PREFIX = "evm/";
 uint8 constant HANDLE_VERSION = 0;
 
+// used to make sure a verifier contract is checking allowance access on purpose, using a bytes4 or bool return type
+// can lead to forging allowance vouchers using contract calls meant for an unrelated purpose, which lead to access
+// theft. Its a common pattern, notably used in EIP1271 (Signature Validation Procedure for Contracts)
+bytes32 constant ALLOWANCE_GRANTED_MAGIC_VALUE = keccak256(
+    "Inco Read Access on Provided Handle is Granted"
+);
+
 // IncoLightning only supports single-valued ciphertexts so this is always 0
 // NOTE: this must be a uint8 to get hash agreement!
 uint8 constant HANDLE_INDEX = 0;

package/src/interfaces/IIncoLightning.sol

@@ -0,0 +1,20 @@
+// SPDX-License-Identifier: No License
+pragma solidity ^0.8;
+
+import {IEncryptedInput} from "../lightning-parts/interfaces/IEncryptedInput.sol";
+import {IEncryptedOperations} from "../lightning-parts/interfaces/IEncryptedOperations.sol";
+import {ITrivialEncryption} from "../lightning-parts/interfaces/ITrivialEncryption.sol";
+import {IBaseAccessControlList} from "../lightning-parts/AccessControl/interfaces/IBaseAccessControlList.sol";
+import {IHandleGeneration} from "../lightning-parts/primitives/interfaces/IHandleGeneration.sol";
+import {IVersion} from "../version/interfaces/IVersion.sol";
+
+interface IIncoLightning is
+    IEncryptedInput,
+    IEncryptedOperations,
+    ITrivialEncryption,
+    IBaseAccessControlList,
+    IHandleGeneration,
+    IVersion
+{
+    function initialize(address owner) external;
+}

package/src/interfaces/IIncoVerifier.sol

@@ -0,0 +1,24 @@
+// SPDX-License-Identifier: No License
+pragma solidity ^0.8;
+
+import {IAdvancedAccessControl} from "../lightning-parts/AccessControl/interfaces/IAdvancedAccessControl.sol";
+import {IDecryptionAttester} from "../lightning-parts/interfaces/IDecryptionAttester.sol";
+import {ITEELifecycle} from "../lightning-parts/interfaces/ITEELifecycle.sol";
+import {IQuoteVerifier} from "./automata-interfaces/IQuoteVerifier.sol";
+import {ISignatureVerifier} from "../lightning-parts/primitives/interfaces/ISignatureVerifier.sol";
+
+interface IIncoVerifier is
+    IAdvancedAccessControl,
+    IDecryptionAttester,
+    ITEELifecycle,
+    ISignatureVerifier
+{
+    function initialize(
+        address owner,
+        string memory name,
+        string memory version,
+        IQuoteVerifier quoteVerifier
+    ) external;
+    function getEIP712Name() external view returns (string memory);
+    function getEIP712Version() external view returns (string memory);
+}

package/src/interfaces/automata-interfaces/BELE.sol

@@ -0,0 +1,20 @@
+//SPDX-License-Identifier: MIT
+pragma solidity ^0.8.0;
+
+/**
+ * @notice Converts a little-endian encoded bytes to a big-endian uint256 integer
+ */
+library BELE {
+    function leBytesToBeUint(bytes memory encoded) internal pure returns (uint256 decoded) {
+        for (uint256 i = 0; i < encoded.length; i++) {
+            uint256 digits = uint256(uint8(bytes1(encoded[i])));
+            uint256 upperDigit = digits / 16;
+            uint256 lowerDigit = digits % 16;
+
+            uint256 acc = lowerDigit * (16 ** (2 * i));
+            acc += upperDigit * (16 ** ((2 * i) + 1));
+
+            decoded += acc;
+        }
+    }
+}

package/src/interfaces/automata-interfaces/IAutomataEnclaveIdentityDao.sol

@@ -0,0 +1,28 @@
+// SPDX-License-Identifier: MIT
+pragma solidity ^0.8;
+
+import {EnclaveIdentityJsonObj, IdentityObj} from "./Types.sol";
+
+// only the functions we need have been included here
+interface IEnclaveIdentityHelper {
+    function parseIdentityString(
+        string calldata identityStr
+    )
+        external
+        pure
+        returns (IdentityObj memory identity, string memory identityTcbString);
+}
+
+// only the functions we need have been included here
+interface IAutomataEnclaveIdentityDao {
+    function upsertEnclaveIdentity(
+        uint256 id,
+        uint256 version,
+        EnclaveIdentityJsonObj calldata enclaveIdentityObj
+    ) external returns (bytes32 attestationId);
+
+    function EnclaveIdentityLib()
+        external
+        view
+        returns (IEnclaveIdentityHelper);
+}

package/src/interfaces/automata-interfaces/IFmspcTcbDao.sol

@@ -0,0 +1,10 @@
+// SPDX-License-Identifier: No License
+pragma solidity ^0.8;
+
+import {TcbInfoJsonObj} from "./Types.sol";
+
+interface IFmspcTcbDao {
+    function upsertFmspcTcb(
+        TcbInfoJsonObj calldata tcbInfoObj
+    ) external returns (bytes32 attestationId);
+}

package/src/interfaces/automata-interfaces/IPCCSRouter.sol

@@ -0,0 +1,94 @@
+//SPDX-License-Identifier: MIT
+pragma solidity >=0.8.0;
+
+import {
+    EnclaveIdentityJsonObj,
+    IdentityObj,
+    EnclaveId,
+    CA,
+    TcbInfoJsonObj,
+    TCBLevelsObj,
+    TcbInfoBasic,
+    TcbId,
+    TDXModule,
+    TDXModuleIdentity
+} from "./Types.sol";
+
+/**
+ * @title PCCS Router Interface
+ * @notice The PCCS Router is a central contract that serves all other contracts in the network
+ * to fetch collaterals from the On Chain PCCS
+ */
+interface IPCCSRouter {
+    function qeIdDaoAddr() external view returns (address);
+
+    function fmspcTcbDaoAddr() external view returns (address);
+
+    function pckDaoAddr() external view returns (address);
+
+    function pcsDaoAddr() external view returns (address);
+
+    function pckHelperAddr() external view returns (address);
+
+    function crlHelperAddr() external view returns (address);
+
+    function fmspcTcbHelperAddr() external view returns (address);
+
+    function getQeIdentity(
+        EnclaveId id,
+        uint256 quoteVersion
+    ) external view returns (IdentityObj memory);
+
+    function getQeIdentityContentHash(
+        EnclaveId id,
+        uint256 version
+    ) external view returns (bytes32);
+
+    function getFmspcTcbV2(
+        bytes6 fmspc
+    ) external view returns (TCBLevelsObj[] memory);
+
+    function getFmspcTcbV3(
+        TcbId id,
+        bytes6 fmspc
+    )
+        external
+        view
+        returns (
+            TCBLevelsObj[] memory,
+            TDXModule memory,
+            TDXModuleIdentity[] memory
+        );
+
+    function getFmspcTcbContentHash(
+        TcbId id,
+        bytes6 fmspc,
+        uint32 version
+    ) external view returns (bytes32);
+
+    function getPckCert(
+        string calldata qeid,
+        string calldata platformCpuSvn,
+        string calldata platformPceSvn,
+        string calldata pceid
+    ) external view returns (bytes memory);
+
+    function getCert(CA ca) external view returns (bytes memory);
+
+    function getCrl(CA ca) external view returns (bytes memory);
+
+    function getCertHash(CA ca) external view returns (bytes32);
+
+    function getCrlHash(CA ca) external view returns (bytes32);
+
+    // *withTimestamp() methods to check collateral expiration status based on the provided timestamp
+    function getCertHashWithTimestamp(
+        CA ca,
+        uint64 timestamp
+    ) external view returns (bytes32);
+
+    function getCrlHashWithTimestamp(
+        CA ca,
+        uint64 timestamp
+    ) external view returns (bytes32);
+}

package/src/interfaces/automata-interfaces/IPCCSRouterExtended.sol

@@ -0,0 +1,10 @@
+// SPDX-License-Identifier: No License
+pragma solidity ^0.8;
+
+import {IPCCSRouter} from "./IPCCSRouter.sol";
+
+/// @dev we declare this interface because the one exported from the automata-dcap-attestation package is missing some
+///      external functions.
+interface IPCCSRouterExtended is IPCCSRouter {
+    function setAuthorized(address caller, bool authorized) external;
+}

package/src/interfaces/automata-interfaces/IPcsDao.sol

@@ -0,0 +1,18 @@
+// SPDX-License-Identifier: MIT
+pragma solidity ^0.8.0;
+
+import {CA} from "./Types.sol";
+
+interface IPcsDao {
+    function upsertPcsCertificates(
+        CA ca,
+        bytes calldata cert
+    ) external returns (bytes32 attestationId);
+    function upsertPckCrl(
+        CA ca,
+        bytes calldata crl
+    ) external returns (bytes32 attestationId);
+    function upsertRootCACrl(
+        bytes calldata rootcacrl
+    ) external returns (bytes32 attestationId);
+}

package/src/interfaces/automata-interfaces/IQuoteVerifier.sol

@@ -0,0 +1,34 @@
+//SPDX-License-Identifier: MIT
+pragma solidity >=0.8.0;
+
+import {IPCCSRouter} from "./IPCCSRouter.sol";
+import {Header} from "./Types.sol";
+
+/**
+ * @title Automata DCAP Quote Verifier
+ * @notice Provides the interface to implement version-specific verifiers
+ */
+interface IQuoteVerifier {
+    /**
+     * @dev this method must be immutable
+     * @return an instance of the PCCSRouter interface
+     */
+    function pccsRouter() external view returns (IPCCSRouter);
+
+    /**
+     * @notice the quote version supported by this verifier
+     */
+    function quoteVersion() external view returns (uint16);
+
+    function verifyQuote(
+        Header calldata,
+        bytes calldata
+    ) external view returns (bool, bytes memory);
+
+    /**
+     * @notice additional check on the public output obtained from the ZK Program execution
+     */
+    function verifyZkOutput(
+        bytes calldata
+    ) external view returns (bool, bytes memory);
+}

package/src/interfaces/automata-interfaces/Types.sol

@@ -0,0 +1,193 @@
+// SPDX-License-Identifier: MIT
+pragma solidity ^0.8.0;
+
+// https://github.com/intel/SGXDataCenterAttestationPrimitives/blob/e7604e02331b3377f3766ed3653250e03af72d45/QuoteVerification/QVL/Src/AttestationLibrary/src/CertVerification/X509Constants.h#L64
+uint256 constant TCB_CPUSVN_SIZE = 16;
+
+enum TcbId {
+    /// the "id" field is absent from TCBInfo V2
+    /// which defaults TcbId to SGX
+    /// since TDX TCBInfos are only included in V3 or above
+    SGX,
+    TDX
+}
+
+/**
+ * @dev This is a simple representation of the TCBInfo.json in string as a Solidity object.
+ * @param tcbInfo: tcbInfoJson.tcbInfo string object body
+ * @param signature The signature to be passed as bytes array
+ */
+struct TcbInfoJsonObj {
+    string tcbInfoStr;
+    bytes signature;
+}
+
+/// @dev Solidity object representing TCBInfo.json excluding TCBLevels
+struct TcbInfoBasic {
+    /// the name "tcbType" can be confusing/misleading
+    /// as the tcbType referred here in this struct is the type
+    /// of TCB level composition that determines TCB level comparison logic
+    /// It is not the same as the "type" parameter passed as an argument to the
+    /// getTcbInfo() API method described in Section 4.2.3 of the Intel PCCS Design Document
+    /// Instead, getTcbInfo() "type" argument should be checked against the "id" value of this struct
+    /// which represents the TEE type for the given TCBInfo
+    uint8 tcbType;
+    TcbId id;
+    uint32 version;
+    uint64 issueDate;
+    uint64 nextUpdate;
+    uint32 evaluationDataNumber;
+    bytes6 fmspc;
+    bytes2 pceid;
+}
+
+struct TCBLevelsObj {
+    uint16 pcesvn;
+    uint8[] sgxComponentCpuSvns;
+    uint8[] tdxComponentCpuSvns;
+    uint64 tcbDateTimestamp;
+    TCBStatus status;
+    string[] advisoryIDs;
+}
+
+struct TDXModule {
+    bytes mrsigner; // 48 bytes
+    bytes8 attributes;
+    bytes8 attributesMask;
+}
+
+struct TDXModuleIdentity {
+    string id;
+    bytes8 attributes;
+    bytes8 attributesMask;
+    bytes mrsigner; // 48 bytes
+    TDXModuleTCBLevelsObj[] tcbLevels;
+}
+
+struct TDXModuleTCBLevelsObj {
+    uint8 isvsvn;
+    uint64 tcbDateTimestamp;
+    TCBStatus status;
+}
+
+enum TCBStatus {
+    OK,
+    TCB_SW_HARDENING_NEEDED,
+    TCB_CONFIGURATION_AND_SW_HARDENING_NEEDED,
+    TCB_CONFIGURATION_NEEDED,
+    TCB_OUT_OF_DATE,
+    TCB_OUT_OF_DATE_CONFIGURATION_NEEDED,
+    TCB_REVOKED,
+    TCB_UNRECOGNIZED
+}
+
+enum CA {
+    ROOT,
+    PROCESSOR,
+    PLATFORM,
+    SIGNING
+}
+
+enum EnclaveId {
+    QE,
+    QVE,
+    TD_QE
+}
+
+/**
+ * @dev This is a simple representation of the Identity.json in string as a Solidity object.
+ * @param identityStr Identity string object body. Needs to be parsed
+ * and converted as IdentityObj.
+ * @param signature The signature to be passed as bytes array
+ */
+struct EnclaveIdentityJsonObj {
+    string identityStr;
+    bytes signature;
+}
+
+/// @dev Full Solidity Object representation of Identity.json
+struct IdentityObj {
+    EnclaveId id;
+    uint32 version;
+    uint64 issueDateTimestamp; // UNIX Epoch Timestamp in seconds
+    uint64 nextUpdateTimestamp; // UNIX Epoch Timestamp in seconds
+    uint32 tcbEvaluationDataNumber;
+    bytes4 miscselect;
+    bytes4 miscselectMask;
+    bytes16 attributes;
+    bytes16 attributesMask;
+    bytes32 mrsigner;
+    uint16 isvprodid;
+    Tcb[] tcb;
+}
+
+enum EnclaveIdTcbStatus {
+    SGX_ENCLAVE_REPORT_ISVSVN_NOT_SUPPORTED,
+    OK,
+    SGX_ENCLAVE_REPORT_ISVSVN_REVOKED,
+    SGX_ENCLAVE_REPORT_ISVSVN_OUT_OF_DATE
+}
+
+struct Tcb {
+    uint16 isvsvn;
+    uint256 dateTimestamp;
+    EnclaveIdTcbStatus status;
+}
+
+/**
+ * @notice The Quote Header struct definition
+ * @dev https://github.com/intel/SGX-TDX-DCAP-QuoteVerificationLibrary/blob/16b7291a7a86e486fdfcf1dfb4be885c0cc00b4e/Src/AttestationLibrary/src/QuoteVerification/QuoteStructures.h#L42-L53
+ * @dev Section A.3 of Intel V4 TDX DCAP API Library Documentation
+ */
+struct Header {
+    uint16 version; // LE -> BE
+    bytes2 attestationKeyType;
+    bytes4 teeType;
+    bytes2 qeSvn;
+    bytes2 pceSvn;
+    bytes16 qeVendorId;
+    bytes20 userData;
+}
+
+/**
+ * @notice V4 Intel TDX Quote uses this struct as the quote body
+ * @dev Section A.3.2 of Intel V4 TDX DCAP API Library Documentation
+ * @dev https://github.com/intel/SGX-TDX-DCAP-QuoteVerificationLibrary/blob/7e5b2a13ca5472de8d97dd7d7024c2ea5af9a6ba/Src/AttestationLibrary/src/QuoteVerification/QuoteStructures.h#L82-L103
+ */
+struct TD10ReportBody {
+    bytes16 teeTcbSvn;
+    bytes mrSeam; // 48 bytes
+    bytes mrsignerSeam; // 48 bytes
+    bytes8 seamAttributes;
+    bytes8 tdAttributes;
+    bytes8 xFAM;
+    bytes mrTd; // 48 bytes
+    bytes mrConfigId; // 48 bytes
+    bytes mrOwner; // 48 bytes
+    bytes mrOwnerConfig; // 48 bytes
+    bytes rtMr0; // 48 bytes
+    bytes rtMr1; // 48 bytes
+    bytes rtMr2; // 48 bytes
+    bytes rtMr3; // 48 bytes
+    bytes reportData; // 64 bytes
+}
+
+/// @dev https://github.com/intel/SGX-TDX-DCAP-QuoteVerificationLibrary/blob/16b7291a7a86e486fdfcf1dfb4be885c0cc00b4e/Src/AttestationLibrary/src/QuoteVerification/QuoteConstants.h
+uint16 constant HEADER_LENGTH = 48;
+// bytes2 constant SUPPORTED_ATTESTATION_KEY_TYPE = 0x0200; // ECDSA_256_WITH_P256_CURVE (LE)
+// // TEE_TYPE are little-endian encoded, hence reversing the order of bytes
+// bytes4 constant SGX_TEE = 0x00000000;
+bytes4 constant TDX_TEE = 0x81000000;
+// bytes16 constant VALID_QE_VENDOR_ID = 0x939a7233f79c4ca9940a0db3957f0607;
+// uint16 constant ENCLAVE_REPORT_LENGTH = 384;
+// uint16 constant TD_REPORT10_LENGTH = 584;
+
+// Header (48 bytes) + Body (minimum 384 bytes) + AuthDataSize (4 bytes) + AuthData:
+// ECDSA_SIGNATURE (64 bytes) + ECDSA_KEY (64 bytes) + QE_REPORT_BYTES (384 bytes)
+// + QE_REPORT_SIGNATURE (64 bytes) + QE_AUTH_DATA_SIZE (2 bytes) + QE_CERT_DATA_TYPE (2 bytes)
+// + QE_CERT_DATA_SIZE (4 bytes)
+uint16 constant MINIMUM_QUOTE_LENGTH = 1020;
+
+// // timestamp + tcb_info_hash + identity_hash + root_ca_hash + tcb_signing_hash + root_crl_hash + pck_crl_hash
+// // 8 + 6 * 32 = 200
+// uint16 constant VERIFIED_OUTPUT_COLLATERAL_HASHES_LENGTH = 200;