From d6e0776c3a83d208dcec7d9e9b15d2f77b31463a Mon Sep 17 00:00:00 2001 
From: Peter Nose Date: Tue, 20 Dec 2022 09:36:34 +0100 Subject: [PATCH] go/common/sgx/pcs: Add support for PCS v4 and TCB info v3 --- .changelog/5108.feature.md | 1 + go/common/sgx/common.go | 2 +- go/common/sgx/pcs/http.go | 10 +- go/common/sgx/pcs/quote.go | 19 +++ go/common/sgx/pcs/quote_test.go | 62 +++++---- go/common/sgx/pcs/tcb.go | 67 +++++----- .../sgx/pcs/testdata/qe_identity_v2.json | 2 +- .../quote_v3_ecdsa_p256_pck_chain.bin | Bin 4734 -> 4730 bytes .../tcb_info_v2_fmspc_00606A000000.json | 1 - .../tcb_info_v3_fmspc_00606A000000.json | 1 + ... tcb_info_v3_fmspc_00606A000000_certs.pem} | 0 ..._info_v3_fmspc_00606A000000_certs_bad.pem} | 0 runtime/src/common/sgx/pcs.rs | 125 +++++++++--------- runtime/testdata/pcs_quote_bundle.cbor | Bin 9536 -> 10952 bytes runtime/testdata/qe_identity_v2.json | 2 +- .../quote_v3_ecdsa_p256_pck_chain.bin | Bin 4734 -> 4730 bytes .../tcb_info_v2_fmspc_00606A000000.json | 1 - .../tcb_info_v3_fmspc_00606A000000.json | 1 + ... tcb_info_v3_fmspc_00606A000000_certs.pem} | 0 ..._info_v3_fmspc_00606A000000_certs_bad.pem} | 0 20 files changed, 154 insertions(+), 140 deletions(-) create mode 100644 .changelog/5108.feature.md delete mode 100644 go/common/sgx/pcs/testdata/tcb_info_v2_fmspc_00606A000000.json create mode 100644 go/common/sgx/pcs/testdata/tcb_info_v3_fmspc_00606A000000.json rename go/common/sgx/pcs/testdata/{tcb_info_v2_fmspc_00606A000000_certs.pem => tcb_info_v3_fmspc_00606A000000_certs.pem} (100%) rename go/common/sgx/pcs/testdata/{tcb_info_v2_fmspc_00606A000000_certs_bad.pem => tcb_info_v3_fmspc_00606A000000_certs_bad.pem} (100%) delete mode 100644 runtime/testdata/tcb_info_v2_fmspc_00606A000000.json create mode 100644 runtime/testdata/tcb_info_v3_fmspc_00606A000000.json rename runtime/testdata/{tcb_info_v2_fmspc_00606A000000_certs.pem => tcb_info_v3_fmspc_00606A000000_certs.pem} (100%) rename runtime/testdata/{tcb_info_v2_fmspc_00606A000000_certs_bad.pem => tcb_info_v3_fmspc_00606A000000_certs_bad.pem} (100%) 
diff --git a/.changelog/5108.feature.md b/.changelog/5108.feature.md new file mode 100644 index 00000000000..0b9af5539e4 --- /dev/null +++ b/.changelog/5108.feature.md @@ -0,0 +1 @@ +go/common/sgx/pcs: Add support for PCS v4 and TCB info v3 diff --git a/go/common/sgx/common.go b/go/common/sgx/common.go index a36935b1044..bbf336e9dd1 100644 --- a/go/common/sgx/common.go +++ b/go/common/sgx/common.go @@ -106,7 +106,7 @@ readLoop: return m.UnmarshalBinary(sum) } -// FromSgxsBytes dervies a MrEnclave from a byte slice containing a `.sgxs` +// FromSgxsBytes derives a MrEnclave from a byte slice containing a `.sgxs` // file. func (m *MrEnclave) FromSgxsBytes(data []byte) error { sum := sha256.Sum256(data) diff --git a/go/common/sgx/pcs/http.go b/go/common/sgx/pcs/http.go index ed86378c835..7e2cecf2d1e 100644 --- a/go/common/sgx/pcs/http.go +++ b/go/common/sgx/pcs/http.go @@ -22,11 +22,11 @@ const ( pcsAPISubscriptionKeyHeader = "Ocp-Apim-Subscription-Key" pcsAPITimeout = 10 * time.Second pcsAPIBaseURL = "https://api.trustedservices.intel.com/sgx" - pcsAPIGetPCKCertificatePath = "/certification/v3/pckcert" - pcsAPIGetRevocationListPath = "/certification/v3/pckcrl" - pcsAPIGetTCBInfoPath = "/certification/v3/tcb" - pcsAPIGetQEIdentityPath = "/certification/v3/qe/identity" - pcsAPICertChainHeader = "SGX-TCB-Info-Issuer-Chain" + pcsAPIGetPCKCertificatePath = "/certification/v4/pckcert" + pcsAPIGetRevocationListPath = "/certification/v4/pckcrl" + pcsAPIGetTCBInfoPath = "/certification/v4/tcb" + pcsAPIGetQEIdentityPath = "/certification/v4/qe/identity" + pcsAPICertChainHeader = "TCB-Info-Issuer-Chain" ) // HTTPClientConfig is the Intel SGX PCS client configuration. diff --git a/go/common/sgx/pcs/quote.go b/go/common/sgx/pcs/quote.go index 038a7f41c5b..e69091271b2 100644 --- a/go/common/sgx/pcs/quote.go +++ b/go/common/sgx/pcs/quote.go 
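Review bot: `pcsAPICertChainHeader` is renamed to the v4 TCB info header, `TCB-Info-Issuer-Chain`, but as far as I recall Intel's API reference the v4 QE identity and PCK CRL responses carry their issuer chains under different header names (`SGX-Enclave-Identity-Issuer-Chain`, `SGX-PCK-CRL-Issuer-Chain`), so a single shared constant is only correct if it is read solely on the TCB info path. The code that reads it is outside this hunk; worth confirming, and naming the constant for its one use, `pcsAPITCBInfoCertChainHeader = "TCB-Info-Issuer-Chain"`, would make any future cross-endpoint mix-up visible at the call site. Since the `/certification/v4/…` paths also change the body shape (TCB info v3) and header set, the HTTP client's header handling deserves a unit test against a recorded v4 response rather than only the quote-level fixtures.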
@@ -73,6 +73,11 @@ func (q *Quote) UnmarshalBinary(data []byte) error { } offset += quoteHeaderLen + // Support only SGX, as TDX is not needed. + if q.Header.TEEType != teeTypeSGX { + return fmt.Errorf("pcs/quote: unsupported TEE type: %X", q.Header.TEEType) + } + // ISV Report. if err := q.ISVReport.UnmarshalBinary(data[offset : offset+reportBodyLen]); err != nil { return err @@ -105,6 +110,10 @@ func (q *Quote) UnmarshalBinary(data []byte) error { // // In case of successful verification it returns the TCB level. func (q *Quote) Verify(policy *QuotePolicy, ts time.Time, tcb *TCBBundle) (*sgx.VerifiedQuote, error) { + if q.Header.TEEType != teeTypeSGX { + return nil, fmt.Errorf("pcs/quote: unsupported TEE type: %X", q.Header.TEEType) + } + if !bytes.Equal(q.Header.QEVendorID[:], QEVendorID_Intel) { return nil, fmt.Errorf("pcs/quote: unsupported QE vendor: %X", q.Header.QEVendorID) } @@ -149,6 +158,7 @@ func (q *Quote) Verify(policy *QuotePolicy, ts time.Time, tcb *TCBBundle) (*sgx. // QuoteHeader is a quote header. type QuoteHeader struct { Version uint16 + TEEType uint32 QESVN uint16 PCESVN uint16 QEVendorID [16]byte @@ -170,6 +180,12 @@ func (qh *QuoteHeader) UnmarshalBinary(data []byte) error { } qh.attestationKeyType = AttestationKeyType(binary.LittleEndian.Uint16(data[2:])) + + qh.TEEType = binary.LittleEndian.Uint32(data[4:]) + if qh.TEEType != teeTypeSGX { + return fmt.Errorf("pcs/quote: unsupported TEE type: %X", qh.TEEType) + } + qh.QESVN = binary.LittleEndian.Uint16(data[8:]) qh.PCESVN = binary.LittleEndian.Uint16(data[10:]) copy(qh.QEVendorID[:], data[12:]) @@ -180,6 +196,9 @@ func (qh *QuoteHeader) UnmarshalBinary(data []byte) error { return nil } +// teeTypeSGX is the SGX TEE type. +const teeTypeSGX uint32 = 0 + // QEVendorID_Intel is the Quoting Enclave vendor ID for Intel (939A7233F79C4CA9940A0DB3957F0607). var QEVendorID_Intel = []byte{0x93, 0x9a, 0x72, 0x33, 0xf7, 0x9c, 0x4c, 0xa9, 0x94, 0x0a, 0x0d, 0xb3, 0x95, 0x7f, 0x06, 0x07} // nolint: revive 
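Review bot: The TEE-type check added to `Quote.UnmarshalBinary` right after `offset += quoteHeaderLen` is unreachable: `q.Header.UnmarshalBinary` (rewritten in a later hunk on this same line) already returns `pcs/quote: unsupported TEE type` for anything but `teeTypeSGX`, so the identical condition can never be true a few lines later. Keeping the check in the header parser and in `Verify` (which also protects a `Quote` assembled without `UnmarshalBinary`) is sufficient; the middle one is dead code that misleadingly suggests the header parser might let non-SGX quotes through. The new constant would also benefit from saying what it compares against, e.g. `// teeTypeSGX is the TEE type field of a quote header (TDX quotes use 0x81); in a v3 header these four bytes are the reserved field, so they must be zero there as well.` The remainder of `UnmarshalBinary` and `Verify` lies outside the hunks.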
diff --git a/go/common/sgx/pcs/quote_test.go b/go/common/sgx/pcs/quote_test.go index 54f347579ab..4d04b49914a 100644 --- a/go/common/sgx/pcs/quote_test.go +++ b/go/common/sgx/pcs/quote_test.go 
@@ -24,25 +24,25 @@ func TestQuoteECDSA_P256_PCK_CertificateChain(t *testing.T) { // Validate quote header. require.EqualValues(3, quote.Header.Version) - require.EqualValues(7, quote.Header.QESVN) - require.EqualValues(12, quote.Header.PCESVN) + require.EqualValues(9, quote.Header.QESVN) + require.EqualValues(13, quote.Header.PCESVN) require.EqualValues(QEVendorID_Intel, quote.Header.QEVendorID[:]) // Validate ISV report. - require.EqualValues([]byte{5, 5, 12, 12, 255, 255, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0}, quote.ISVReport.CPUSVN[:]) + require.EqualValues([]byte{8, 9, 14, 13, 255, 255, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0}, quote.ISVReport.CPUSVN[:]) require.EqualValues(0, quote.ISVReport.MiscSelect) require.EqualValues(sgx.AttributeInit|sgx.AttributeMode64Bit, quote.ISVReport.Attributes.Flags) require.EqualValues(3, quote.ISVReport.Attributes.Xfrm) - require.EqualValues("9479d8eddfd7b1b700319419551dc340f688c2ef519a5e18657ecf32981dbd9e", quote.ISVReport.MRENCLAVE.String()) - require.EqualValues("4025dab7ebda1fbecc4e3637606e021214d0f41c6d0422fd378b2a8b88818459", quote.ISVReport.MRSIGNER.String()) + require.EqualValues("68823bc62f409ee33a32ea270cfe45d4b19a6fb3c8570d7bc186cbe062398e8f", quote.ISVReport.MRENCLAVE.String()) + require.EqualValues("9affcfae47b848ec2caf1c49b4b283531e1cc425f93582b36806e52a43d78d1a", quote.ISVReport.MRSIGNER.String()) require.EqualValues(0, quote.ISVReport.ISVProdID) require.EqualValues(0, quote.ISVReport.ISVSVN) - require.EqualValues([]byte{40, 70, 22, 193, 254, 244, 193, 12, 227, 221, 176, 206, 20, 9, 124, 124, 204, 247, 205, 137, 173, 0, 101, 51, 97, 62, 66, 75, 27, 209, 53, 129, 110, 106, 90, 82, 54, 76, 68, 47, 98, 51, 80, 100, 74, 118, 49, 84, 73, 90, 65, 53, 114, 117, 53, 65, 109, 52, 56, 80, 69, 80, 88, 111}, quote.ISVReport.ReportData[:]) + require.EqualValues([]byte{2, 106, 105, 206, 217, 108, 62, 2, 149, 209, 109, 107, 56, 142, 5, 122, 19, 122, 20, 49, 150, 113, 102, 42, 88, 68, 199, 71, 47, 60, 98, 174, 14, 61, 63, 153, 183, 125, 216, 155, 
15, 193, 67, 108, 79, 233, 104, 40, 57, 26, 82, 88, 138, 15, 136, 52, 85, 161, 139, 143, 88, 114, 227, 240}, quote.ISVReport.ReportData[:]) // Validate quote signature. require.EqualValues(AttestationKeyECDSA_P256, quote.Signature.AttestationKeyType()) qs := quote.Signature.(*QuoteSignatureECDSA_P256) - require.EqualValues([]byte{5, 5, 12, 12, 255, 255, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0}, qs.QEReport.CPUSVN[:]) + require.EqualValues([]byte{8, 9, 14, 13, 255, 255, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0}, qs.QEReport.CPUSVN[:]) require.EqualValues(0, qs.QEReport.MiscSelect) require.EqualValues(sgx.AttributeInit|sgx.AttributeMode64Bit|sgx.AttributeProvisionKey, qs.QEReport.Attributes.Flags) require.EqualValues(231, qs.QEReport.Attributes.Xfrm) @@ -51,11 +51,11 @@ func TestQuoteECDSA_P256_PCK_CertificateChain(t *testing.T) { require.Len(cd.CertificateChain, 3) // Prepare TCB bundle needed for verification. - rawTCBInfo, err := os.ReadFile("testdata/tcb_info_v2_fmspc_00606A000000.json") // From PCS V3 response. + rawTCBInfo, err := os.ReadFile("testdata/tcb_info_v3_fmspc_00606A000000.json") // From PCS V4 response. require.NoError(err, "Read test vector") - rawCerts, err := os.ReadFile("testdata/tcb_info_v2_fmspc_00606A000000_certs.pem") // From PCS V3 response (SGX-TCB-Info-Issuer-Chain header). + rawCerts, err := os.ReadFile("testdata/tcb_info_v3_fmspc_00606A000000_certs.pem") // From PCS V4 response (TCB-Info-Issuer-Chain header). require.NoError(err, "Read test vector") - rawQEIdentity, err := os.ReadFile("testdata/qe_identity_v2.json") // From PCS V3 response. + rawQEIdentity, err := os.ReadFile("testdata/qe_identity_v2.json") // From PCS V4 response. require.NoError(err, "Read test vector") var tcbInfo SignedTCBInfo 
@@ -72,32 +72,38 @@ func TestQuoteECDSA_P256_PCK_CertificateChain(t *testing.T) { Certificates: rawCerts, } - now := time.Unix(1652701082, 0) + now := time.Unix(1671497404, 0) verifiedQuote, err := quote.Verify(nil, now, &tcbBundle) require.NoError(err, "Verify quote signature") - require.EqualValues("9479d8eddfd7b1b700319419551dc340f688c2ef519a5e18657ecf32981dbd9e", verifiedQuote.Identity.MrEnclave.String()) - require.EqualValues("4025dab7ebda1fbecc4e3637606e021214d0f41c6d0422fd378b2a8b88818459", verifiedQuote.Identity.MrSigner.String()) + require.EqualValues("68823bc62f409ee33a32ea270cfe45d4b19a6fb3c8570d7bc186cbe062398e8f", verifiedQuote.Identity.MrEnclave.String()) + require.EqualValues("9affcfae47b848ec2caf1c49b4b283531e1cc425f93582b36806e52a43d78d1a", verifiedQuote.Identity.MrSigner.String()) + + // Test X509 certificate has expired (not after 1891163521). + now2a := time.Unix(1891163522, 0) + _, err = quote.Verify(nil, now2a, &tcbBundle) + require.Error(err, "Quote verification should fail for expired PCK certificates") + require.ErrorContains(err, "pcs/quote: failed to verify PCK certificate chain: x509: certificate has expired or is not yet valid") - // Test X509 certificate not yet valid. - now2 := time.Unix(1052695757, 0) - _, err = quote.Verify(nil, now2, &tcbBundle) + // Test X509 certificate not yet valid (not before 1670238721). + now2b := time.Unix(1670238720, 0) + _, err = quote.Verify(nil, now2b, &tcbBundle) require.Error(err, "Quote verification should fail for PCK certificates not yet valid") require.ErrorContains(err, "pcs/quote: failed to verify PCK certificate chain: x509: certificate has expired or is not yet valid") - // Test TCB info not yet valid. - now3 := time.Unix(1652609357, 0) + // Test TCB info not yet valid (qe identity issue date 1671194736). 
+ now3 := time.Unix(1671194735, 0) _, err = quote.Verify(nil, now3, &tcbBundle) require.Error(err, "Quote verification should fail for TCB info not yet valid") require.ErrorContains(err, "pcs/quote: failed to verify TCB bundle: pcs/tcb: failed to verify QE identity: pcs/tcb: invalid QE identity: pcs/tcb: QE identity issue date in the future") - // Test TCB info expired. - now4 := time.Unix(1657879757, 0) + // Test TCB info expired (qe identity issue date 1671194736 + validity period 30 * 24 * 60 * 60 = 1673786736). + now4 := time.Unix(1673786737, 0) _, err = quote.Verify(nil, now4, &tcbBundle) require.Error(err, "Quote verification should fail for TCB info expired") require.ErrorContains(err, "pcs/quote: failed to verify TCB bundle: pcs/tcb: failed to verify QE identity: pcs/tcb: invalid QE identity: pcs/tcb: QE identity expired") // Test alternate validity from quote policy. - now5 := time.Unix(1657879757, 0) + now5 := time.Unix(1673786737, 0) quotePolicy := &QuotePolicy{ TCBValidityPeriod: 90, } @@ -133,7 +139,7 @@ func TestQuoteECDSA_P256_PCK_CertificateChain(t *testing.T) { require.ErrorContains(err, "pcs/quote: failed to verify TCB bundle: pcs/tcb: unexpected certificate chain length: 0") // Test TCB info certificates bad. - rawCertsBad, err := os.ReadFile("testdata/tcb_info_v2_fmspc_00606A000000_certs_bad.pem") + rawCertsBad, err := os.ReadFile("testdata/tcb_info_v3_fmspc_00606A000000_certs_bad.pem") require.NoError(err, "Read test vector") tcbBundle3 := TCBBundle{ 
@@ -177,8 +183,8 @@ func TestQuoteECDSA_P256_PCK_CertificateChain(t *testing.T) { verifiedQuote, err = quoteBundle.Verify(nil, now) require.NoError(err, "Verify quote bundle") - require.EqualValues("9479d8eddfd7b1b700319419551dc340f688c2ef519a5e18657ecf32981dbd9e", verifiedQuote.Identity.MrEnclave.String()) - require.EqualValues("4025dab7ebda1fbecc4e3637606e021214d0f41c6d0422fd378b2a8b88818459", verifiedQuote.Identity.MrSigner.String()) + require.EqualValues("68823bc62f409ee33a32ea270cfe45d4b19a6fb3c8570d7bc186cbe062398e8f", verifiedQuote.Identity.MrEnclave.String()) + require.EqualValues("9affcfae47b848ec2caf1c49b4b283531e1cc425f93582b36806e52a43d78d1a", verifiedQuote.Identity.MrSigner.String()) // Test quote bundle serialization round-trip. rawQB := cbor.Marshal(quoteBundle) @@ -187,8 +193,8 @@ func TestQuoteECDSA_P256_PCK_CertificateChain(t *testing.T) { require.NoError(err, "QuoteBundle serialization should round-trip") verifiedQuote, err = quoteBundle2.Verify(nil, now) require.NoError(err, "Verify deserialized quote bundle") - require.EqualValues("9479d8eddfd7b1b700319419551dc340f688c2ef519a5e18657ecf32981dbd9e", verifiedQuote.Identity.MrEnclave.String()) - require.EqualValues("4025dab7ebda1fbecc4e3637606e021214d0f41c6d0422fd378b2a8b88818459", verifiedQuote.Identity.MrSigner.String()) + require.EqualValues("68823bc62f409ee33a32ea270cfe45d4b19a6fb3c8570d7bc186cbe062398e8f", verifiedQuote.Identity.MrEnclave.String()) + require.EqualValues("9affcfae47b848ec2caf1c49b4b283531e1cc425f93582b36806e52a43d78d1a", verifiedQuote.Identity.MrSigner.String()) } func TestQuoteECDSA_P256_EPPID(t *testing.T) { 
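Review bot: None of the rejection paths this patch introduces get a negative test: the fixture update only re-pins values for a quote that passes, so a quote with a non-zero TEE type, a TCB info whose `id` is not `SGX`, or a cached version-2 TCB info are never shown to be refused. A cheap addition after the happy-path checks is to copy the raw quote bytes, set `rawBad[4] = 0x81` (the TEE type field), and `require.ErrorContains(new(Quote).UnmarshalBinary(rawBad), "pcs/quote: unsupported TEE type")`; likewise feeding the removed `tcb_info_v2_fmspc_00606A000000.json` (or a copy edited to `"id":"TDX"`) into `quote.Verify` and asserting on `pcs/tcb: unexpected TCB info identifier` would pin the new `validate` behaviour. The enclosing test function begins before this hunk.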
@@ -212,8 +218,8 @@ func TestQuoteECDSA_P256_EPPID(t *testing.T) { require.EqualValues(0, quote.ISVReport.MiscSelect) require.EqualValues(sgx.AttributeInit|sgx.AttributeMode64Bit, quote.ISVReport.Attributes.Flags) require.EqualValues(3, quote.ISVReport.Attributes.Xfrm) - require.EqualValues("9479d8eddfd7b1b700319419551dc340f688c2ef519a5e18657ecf32981dbd9e", quote.ISVReport.MRENCLAVE.String()) - require.EqualValues("4025dab7ebda1fbecc4e3637606e021214d0f41c6d0422fd378b2a8b88818459", quote.ISVReport.MRSIGNER.String()) + require.EqualValues("68823bc62f409ee33a32ea270cfe45d4b19a6fb3c8570d7bc186cbe062398e8f", quote.ISVReport.MRENCLAVE.String()) + require.EqualValues("9affcfae47b848ec2caf1c49b4b283531e1cc425f93582b36806e52a43d78d1a", quote.ISVReport.MRSIGNER.String()) require.EqualValues(0, quote.ISVReport.ISVProdID) require.EqualValues(0, quote.ISVReport.ISVSVN) require.EqualValues([]byte{88, 71, 160, 127, 98, 203, 186, 123, 157, 240, 227, 172, 25, 83, 16, 250, 226, 19, 77, 70, 182, 58, 130, 156, 76, 232, 128, 32, 45, 239, 29, 161, 119, 73, 117, 86, 119, 84, 116, 67, 70, 80, 103, 51, 101, 54, 75, 57, 74, 78, 66, 101, 57, 99, 73, 110, 103, 90, 53, 104, 115, 84, 100, 112}, quote.ISVReport.ReportData[:]) diff --git a/go/common/sgx/pcs/tcb.go b/go/common/sgx/pcs/tcb.go index 59cd90b69c4..449968ff690 100644 --- a/go/common/sgx/pcs/tcb.go +++ b/go/common/sgx/pcs/tcb.go @@ -15,8 +15,11 @@ import ( ) const ( + // requiredTCBInfoID is the required TCB info identifier. + requiredTCBInfoID = "SGX" + // requiredTCBInfoVersion is the required TCB info version. - requiredTCBInfoVersion = 2 + requiredTCBInfoVersion = 3 // requiredQEID is the required QE identity enclave ID. requiredQEID = "QE" 
@@ -184,8 +187,16 @@ func (st *SignedTCBInfo) open(ts time.Time, policy *QuotePolicy, pk *ecdsa.Publi return &tcbInfo, nil } +// TDXModule is a representation of the properties of Intel’s TDX SEAM module. +type TDXModule struct { + MRSIGNER string `json:"mrsigner"` + Attributes [8]byte `json:"attributes"` + AttributesMask [8]byte `json:"attributesMask"` +} + // TCBInfo is the TCB info body. type TCBInfo struct { + ID string `json:"id"` Version int `json:"version"` IssueDate string `json:"issueDate"` NextUpdate string `json:"nextUpdate"` @@ -193,10 +204,15 @@ type TCBInfo struct { PCEID string `json:"pceId"` TCBType int `json:"tcbType"` TCBEvaluationDataNumber uint32 `json:"tcbEvaluationDataNumber"` + TDXModule TDXModule `json:"tdxModule,omitempty"` TCBLevels []TCBLevel `json:"tcbLevels"` } func (ti *TCBInfo) validate(ts time.Time, policy *QuotePolicy) error { + if ti.ID != requiredTCBInfoID { + return fmt.Errorf("pcs/tcb: unexpected TCB info identifier: %s", ti.ID) + } + if ti.Version != requiredTCBInfoVersion { return fmt.Errorf("pcs/tcb: unexpected TCB info version: %d", ti.Version) } 
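Review bot: `TDXModule.Attributes` and `AttributesMask` are declared `[8]byte`, but encoding/json decodes a fixed-size byte array only from a JSON array, and in Intel's published TCB info v3 schema `tdxModule.attributes`/`attributesMask` are hex strings (like `mrsigner`, which this struct correctly keeps as `string`); a document that actually carries `tdxModule` would therefore fail inside `json.Unmarshal` with a type error before `validate` ever reaches the new `ti.ID != requiredTCBInfoID` check. Since non-`SGX` documents are rejected anyway and encoding/json ignores unknown keys, the simplest fix is to drop the `TDXModule` field, or else type both as `string`; note also that `omitempty` has no effect on a struct-valued field. Checking `Version` before `ID` in `validate` would additionally give operators a clearer error for a cached version-2 document, which currently fails as `unexpected TCB info identifier: ` with an empty identifier because v2 bodies have no `id` key.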
@@ -328,26 +344,19 @@ func (tle *TCBOutOfDateError) Error() string { return fmt.Sprintf("%s TCB is not up to date (likely needs upgrade): %s", tle.Kind, tle.Status) } +// TCBComponent is a TCB component. +type TCBComponent struct { + SVN int32 `json:"svn"` + Category string `json:"category,omitempty"` + Type string `json:"type,omitempty"` +} + // TCBLevel is a platform TCB level. type TCBLevel struct { TCB struct { - PCESVN int32 `json:"pcesvn"` - Comp01SVN int32 `json:"sgxtcbcomp01svn"` - Comp02SVN int32 `json:"sgxtcbcomp02svn"` - Comp03SVN int32 `json:"sgxtcbcomp03svn"` - Comp04SVN int32 `json:"sgxtcbcomp04svn"` - Comp05SVN int32 `json:"sgxtcbcomp05svn"` - Comp06SVN int32 `json:"sgxtcbcomp06svn"` - Comp07SVN int32 `json:"sgxtcbcomp07svn"` - Comp08SVN int32 `json:"sgxtcbcomp08svn"` - Comp09SVN int32 `json:"sgxtcbcomp09svn"` - Comp10SVN int32 `json:"sgxtcbcomp10svn"` - Comp11SVN int32 `json:"sgxtcbcomp11svn"` - Comp12SVN int32 `json:"sgxtcbcomp12svn"` - Comp13SVN int32 `json:"sgxtcbcomp13svn"` - Comp14SVN int32 `json:"sgxtcbcomp14svn"` - Comp15SVN int32 `json:"sgxtcbcomp15svn"` - Comp16SVN int32 `json:"sgxtcbcomp16svn"` + PCESVN int32 `json:"pcesvn"` + SGXComponents [16]TCBComponent `json:"sgxtcbcomponents"` + TDXComponents [16]TCBComponent `json:"tdxtcbcomponents,omitempty"` } `json:"tcb"` Date string `json:"tcbDate"` Status TCBStatus `json:"tcbStatus"` 
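Review bot: `SGXComponents [16]TCBComponent` makes the Go decoder lenient where the Rust side is strict: encoding/json silently discards elements beyond 16 and zero-fills missing ones, and a zero `SVN` can never make `tcbCompSvn[i] < comp.SVN` true in `matches`, so an `sgxtcbcomponents` array shorter than 16 would match every platform. TCB info is Intel-signed, so this is defense in depth rather than an open hole, but serde rejects a wrong-length `[TCBComponent; 16]`, so the two verifiers now disagree on malformed input. Declaring `SGXComponents []TCBComponent \`json:"sgxtcbcomponents"\`` and having `TCBInfo.validate` reject any level with `len(level.TCB.SGXComponents) != 16` (same for `tdxtcbcomponents` if the field is kept) restores parity; `matches` and `validate` are in other hunks.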
@@ -360,26 +369,9 @@ func (tl *TCBLevel) matches(tcbCompSvn [16]int32, pcesvn int32) bool { // 16) with the corresponding values in the TCB Level. If all SGX TCB Comp SVNs in the // certificate are greater or equal to the corresponding values in TCB Level, go to b, // otherwise move to the next item on TCB Levels list. - for i, svn := range []int32{ - tl.TCB.Comp01SVN, - tl.TCB.Comp02SVN, - tl.TCB.Comp03SVN, - tl.TCB.Comp04SVN, - tl.TCB.Comp05SVN, - tl.TCB.Comp06SVN, - tl.TCB.Comp07SVN, - tl.TCB.Comp08SVN, - tl.TCB.Comp09SVN, - tl.TCB.Comp10SVN, - tl.TCB.Comp11SVN, - tl.TCB.Comp12SVN, - tl.TCB.Comp13SVN, - tl.TCB.Comp14SVN, - tl.TCB.Comp15SVN, - tl.TCB.Comp16SVN, - } { + for i, comp := range tl.TCB.SGXComponents { // At least one SVN is lower, no match. - if tcbCompSvn[i] < svn { + if tcbCompSvn[i] < comp.SVN { return false } } @@ -490,6 +482,7 @@ type QEIdentity struct { MRSIGNER string `json:"mrsigner"` ISVProdID uint16 `json:"isvprodid"` TCBLevels []EnclaveTCBLevel `json:"tcbLevels"` + AdvisoryIDs []int `json:"advisoryIDs,omitempty"` } func (qe *QEIdentity) validate(ts time.Time, policy *QuotePolicy) error { diff --git a/go/common/sgx/pcs/testdata/qe_identity_v2.json b/go/common/sgx/pcs/testdata/qe_identity_v2.json index cf3c32bf88f..8a10ab7bfd1 100644 --- a/go/common/sgx/pcs/testdata/qe_identity_v2.json +++ b/go/common/sgx/pcs/testdata/qe_identity_v2.json 
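Review bot: `AdvisoryIDs []int` on `QEIdentity` does not match the data this patch checks in: in the new `qe_identity_v2.json` (and in the v3 TCB info fixture) `advisoryIDs` appears inside each `tcbLevels` entry, not at the top level of `enclaveIdentity`, and its elements are strings such as `"INTEL-SA-00477"`. As written the field is never populated, and if Intel ever emitted it at the top level `json.Unmarshal` would fail on the string elements. If the advisories are meant to be surfaced to policy, they belong as `AdvisoryIDs []string \`json:"advisoryIDs,omitempty"\`` on `EnclaveTCBLevel` (defined outside this hunk) and on `TCBLevel` (the hunk above); otherwise the field can simply be dropped, since unknown keys are ignored.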
@@ -1 +1 @@ -{"enclaveIdentity":{"id":"QE","version":2,"issueDate":"2022-05-16T10:34:11Z","nextUpdate":"2022-06-15T10:34:11Z","tcbEvaluationDataNumber":12,"miscselect":"00000000","miscselectMask":"FFFFFFFF","attributes":"11000000000000000000000000000000","attributesMask":"FBFFFFFFFFFFFFFF0000000000000000","mrsigner":"8C4F5775D796503E96137F77C68A829A0056AC8DED70140B081B094490C57BFF","isvprodid":1,"tcbLevels":[{"tcb":{"isvsvn":6},"tcbDate":"2021-11-10T00:00:00Z","tcbStatus":"UpToDate"},{"tcb":{"isvsvn":5},"tcbDate":"2020-11-11T00:00:00Z","tcbStatus":"OutOfDate"},{"tcb":{"isvsvn":4},"tcbDate":"2019-11-13T00:00:00Z","tcbStatus":"OutOfDate"},{"tcb":{"isvsvn":2},"tcbDate":"2019-05-15T00:00:00Z","tcbStatus":"OutOfDate"},{"tcb":{"isvsvn":1},"tcbDate":"2018-08-15T00:00:00Z","tcbStatus":"OutOfDate"}]},"signature":"68251f6b5229f1d8232f8db2cef3e7d7e687a118b26d58f45fbf64c7cf9f83b50909d725a9dd03d8fe49742c12188b6e03b5321c58fd14e0e6b0d644de74d277"} \ No newline at end of file +{"enclaveIdentity":{"id":"QE","version":2,"issueDate":"2022-12-16T12:45:36Z","nextUpdate":"2023-01-15T12:45:36Z","tcbEvaluationDataNumber":13,"miscselect":"00000000","miscselectMask":"FFFFFFFF","attributes":"11000000000000000000000000000000","attributesMask":"FBFFFFFFFFFFFFFF0000000000000000","mrsigner":"8C4F5775D796503E96137F77C68A829A0056AC8DED70140B081B094490C57BFF","isvprodid":1,"tcbLevels":[{"tcb":{"isvsvn":6},"tcbDate":"2022-11-09T00:00:00Z","tcbStatus":"UpToDate"},{"tcb":{"isvsvn":5},"tcbDate":"2020-11-11T00:00:00Z","tcbStatus":"OutOfDate","advisoryIDs":["INTEL-SA-00477"]},{"tcb":{"isvsvn":4},"tcbDate":"2019-11-13T00:00:00Z","tcbStatus":"OutOfDate","advisoryIDs":["INTEL-SA-00334","INTEL-SA-00477"]},{"tcb":{"isvsvn":2},"tcbDate":"2019-05-15T00:00:00Z","tcbStatus":"OutOfDate","advisoryIDs":["INTEL-SA-00219","INTEL-SA-00293","INTEL-SA-00334","INTEL-SA-00477"]},{"tcb":{"isvsvn":1},"tcbDate":"2018-08-15T00:00:00Z","tcbStatus":"OutOfDate","advisoryIDs":["INTEL-SA-00202","INTEL-SA-00219","INTEL-SA-00293","INT
EL-SA-00334","INTEL-SA-00477"]}]},"signature":"6be6247f58edcb10b53368b566d3e34c8ae33d1f33eebf93de707113e05bf9646e62c89035a3d572de25bd8eacbb435616966bf4ad12e40efd837113439ed7a8"} \ No newline at end of file diff --git a/go/common/sgx/pcs/testdata/quote_v3_ecdsa_p256_pck_chain.bin b/go/common/sgx/pcs/testdata/quote_v3_ecdsa_p256_pck_chain.bin index 075eee9f9e722d0404ea2306a1af38caef781621..bc241e0746a2dfb3d4382bf589f4d2c125f98cf7 100644 GIT binary patch delta 884 zcmeyT@=JxAnSqG`1UMOZCvvN@b8zzU{{PQ7@uKF$1ObJNChKGR4)Y#c8NE{H`R96N zJ^#J=Jo) z-YYfn;{19BrmW0!H*@Tmre4g=w&-K660Q<4oK~2o72$H+UEd~Y9iOfJ%;NfxJ?U)QLYo?m8Rx5{W~vAXo(ik&|<9oBn#t#bEFS)gKv+`52cw!xx1 zv?ppBzF{}yFENolQNA@w`~LBE6L*a>s*%N0lvW+t@=NY%htuT3gpX`>y~US1=REmw zNOem`&Cef`zc8z?#PKmOOy=d5*KxH7advj{%1n1G_jGbh_Y8F|uS&CsG%`0&*AI6p zj`S-w%Js_CHgzU|vRSdhH_Oq`H^dc0SA=II`}t;NqlitmW<3z$Usl0oWEPx~ zYG@qf<699}=~HQvWe{Qz>g1E@nBrd5-lwbyZmguD~#H2`YCi=L&N4Ob-e6GY>1b z$jFEasR{~l^~nh-%goe|$_)z7aw&C=%FRoQO0ozpuc!zrcJ_2GkEl#a@ky+3Gj{R_ z&f)To@+|iWadyuy&GYk!aLEq#N~`eI&+*PH&Wq&I1p!w-7lp|?_zXAeatE>l020Af ADgXcg delta 875 zcmeyR@=t}EnSqG`1lSpPCUUE?v$FE={Qu85@uKF$1ObI9l{enrzrJxhgW(j(P}#!{ z-#QMx51bVzky>}&Xol?Gc@r-xC^)Fz+Wz{M{Jt}OX66ZbOhO_TzR2XVDE&3>*6QwP zY>AwBaeh66hMU;Ie_syrJifc(oCs%4&6)3KJJ&L#8YkL0c}rh3ZOqGx3NrI?(N8iC zNbxE&4DpO|G%YGMb<8!f2yhLE$Uh~(z_4+Ki-N1f^%+N`oX^i<7ZEkvn#1Gdpm*_5 zvrYKp6VG?tl3>q`vFZwQ;uBD;U1FcNO8?L%;SFb49@_eTZ#nyIr|*=73y!w&rmfiA zAGx~H+FEYw-C6cJSElTFT3w_*D}?j8i$K*@o3trwb7fN8vg59}{1tI#^IzYz`Z|}a z=ojT#?-5}$IfY3;VV#i8{*^gutqJ$9-v8$ja?Zu}$%9{kml`E}rf6JW?C={HIFq+9 zH8HYJylAT+v4kg6Hzb6vOpN%Oimk?dN|Q`G`2doni84fLZ1v% zS0|5h3&&z}?<}7nSCcSTGvj~~3#W+ukaUm0T*nGmuVPp2;0jlxDyN`wKN$iSRSCSU+y@02Is^2G>dZQ^hi&Tx~eP#pp>UeaG+y3S5UfVhNEAEadLWoK~|!3 zxpTgWQI1QXp|`KEVNO=IbC_v(aD-D%nSYW?c2#zoi({s%qk)N&88B4c3XB4Zxl96` qs$2|>%CkMZO_IwhBg>2OlRTZH@*G2*-AyvfZMk$oVDlHQHg*6@^iEv> 
diff --git a/go/common/sgx/pcs/testdata/tcb_info_v2_fmspc_00606A000000.json b/go/common/sgx/pcs/testdata/tcb_info_v2_fmspc_00606A000000.json deleted file mode 100644 index 0a463197f42..00000000000 --- a/go/common/sgx/pcs/testdata/tcb_info_v2_fmspc_00606A000000.json +++ /dev/null 
@@ -1 +0,0 @@ -{"tcbInfo":{"version":2,"issueDate":"2022-05-16T07:22:26Z","nextUpdate":"2022-06-15T07:22:26Z","fmspc":"00606A000000","pceId":"0000","tcbType":0,"tcbEvaluationDataNumber":12,"tcbLevels":[{"tcb":{"sgxtcbcomp01svn":4,"sgxtcbcomp02svn":4,"sgxtcbcomp03svn":3,"sgxtcbcomp04svn":3,"sgxtcbcomp05svn":255,"sgxtcbcomp06svn":255,"sgxtcbcomp07svn":0,"sgxtcbcomp08svn":0,"sgxtcbcomp09svn":0,"sgxtcbcomp10svn":0,"sgxtcbcomp11svn":0,"sgxtcbcomp12svn":0,"sgxtcbcomp13svn":0,"sgxtcbcomp14svn":0,"sgxtcbcomp15svn":0,"sgxtcbcomp16svn":0,"pcesvn":11},"tcbDate":"2021-11-10T00:00:00Z","tcbStatus":"UpToDate"},{"tcb":{"sgxtcbcomp01svn":4,"sgxtcbcomp02svn":4,"sgxtcbcomp03svn":3,"sgxtcbcomp04svn":3,"sgxtcbcomp05svn":255,"sgxtcbcomp06svn":255,"sgxtcbcomp07svn":0,"sgxtcbcomp08svn":0,"sgxtcbcomp09svn":0,"sgxtcbcomp10svn":0,"sgxtcbcomp11svn":0,"sgxtcbcomp12svn":0,"sgxtcbcomp13svn":0,"sgxtcbcomp14svn":0,"sgxtcbcomp15svn":0,"sgxtcbcomp16svn":0,"pcesvn":10},"tcbDate":"2020-11-11T00:00:00Z","tcbStatus":"OutOfDate"},{"tcb":{"sgxtcbcomp01svn":3,"sgxtcbcomp02svn":3,"sgxtcbcomp03svn":3,"sgxtcbcomp04svn":3,"sgxtcbcomp05svn":255,"sgxtcbcomp06svn":255,"sgxtcbcomp07svn":0,"sgxtcbcomp08svn":0,"sgxtcbcomp09svn":0,"sgxtcbcomp10svn":0,"sgxtcbcomp11svn":0,"sgxtcbcomp12svn":0,"sgxtcbcomp13svn":0,"sgxtcbcomp14svn":0,"sgxtcbcomp15svn":0,"sgxtcbcomp16svn":0,"pcesvn":10},"tcbDate":"2020-06-10T00:00:00Z","tcbStatus":"OutOfDate"},{"tcb":{"sgxtcbcomp01svn":3,"sgxtcbcomp02svn":3,"sgxtcbcomp03svn":3,"sgxtcbcomp04svn":3,"sgxtcbcomp05svn":255,"sgxtcbcomp06svn":255,"sgxtcbcomp07svn":0,"sgxtcbcomp08svn":0,"sgxtcbcomp09svn":0,"sgxtcbcomp10svn":0,"sgxtcbcomp11svn":0,"sgxtcbcomp12svn":0,"sgxtcbcomp13svn":0,"sgxtcbcomp14svn":0,"sgxtcbcomp15svn":0,"sgxtcbcomp16svn":0,"pcesvn":5},"tcbDate":"2018-01-04T00:00:00Z","tcbStatus":"OutOfDate"}]},"signature":"68a39fa09446abdd13d9294cadc5710a87f6c7083b207d3aba6c5217af7c979b5e70fcedb4d8427682c8cefddd9163527cb792a4d1f25ada533ec355e44679ad"} 
diff --git a/go/common/sgx/pcs/testdata/tcb_info_v3_fmspc_00606A000000.json b/go/common/sgx/pcs/testdata/tcb_info_v3_fmspc_00606A000000.json new file mode 100644 index 00000000000..fc35f8f11eb --- /dev/null +++ b/go/common/sgx/pcs/testdata/tcb_info_v3_fmspc_00606A000000.json 
@@ -0,0 +1 @@ +{"tcbInfo":{"id":"SGX","version":3,"issueDate":"2022-12-19T09:40:10Z","nextUpdate":"2023-01-18T09:40:10Z","fmspc":"00606A000000","pceId":"0000","tcbType":0,"tcbEvaluationDataNumber":13,"tcbLevels":[{"tcb":{"sgxtcbcomponents":[{"svn":7,"category":"BIOS","type":"Early Microcode Update"},{"svn":9,"category":"OS/VMM","type":"SGX Late Microcode Update"},{"svn":3,"category":"OS/VMM","type":"TXT SINIT"},{"svn":3,"category":"BIOS"},{"svn":255},{"svn":255},{"svn":1},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0}],"pcesvn":13},"tcbDate":"2022-08-10T00:00:00Z","tcbStatus":"SWHardeningNeeded","advisoryIDs":["INTEL-SA-00615","INTEL-SA-00657"]},{"tcb":{"sgxtcbcomponents":[{"svn":7,"category":"BIOS","type":"Early Microcode Update"},{"svn":9,"category":"OS/VMM","type":"SGX Late Microcode Update"},{"svn":3,"category":"OS/VMM","type":"TXT SINIT"},{"svn":3,"category":"BIOS"},{"svn":255},{"svn":255},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0}],"pcesvn":13},"tcbDate":"2022-08-10T00:00:00Z","tcbStatus":"ConfigurationAndSWHardeningNeeded","advisoryIDs":["INTEL-SA-00615","INTEL-SA-00657"]},{"tcb":{"sgxtcbcomponents":[{"svn":4,"category":"BIOS","type":"Early Microcode Update"},{"svn":4,"category":"OS/VMM","type":"SGX Late Microcode Update"},{"svn":3,"category":"OS/VMM","type":"TXT SINIT"},{"svn":3,"category":"BIOS"},{"svn":255},{"svn":255},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0}],"pcesvn":11},"tcbDate":"2021-11-10T00:00:00Z","tcbStatus":"OutOfDate","advisoryIDs":["INTEL-SA-00586","INTEL-SA-00614","INTEL-SA-00615","INTEL-SA-00657"]},{"tcb":{"sgxtcbcomponents":[{"svn":4,"category":"BIOS","type":"Early Microcode Update"},{"svn":4,"category":"OS/VMM","type":"SGX Late Microcode Update"},{"svn":3,"category":"OS/VMM","type":"TXT 
SINIT"},{"svn":3,"category":"BIOS"},{"svn":255},{"svn":255},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0}],"pcesvn":10},"tcbDate":"2020-11-11T00:00:00Z","tcbStatus":"OutOfDate","advisoryIDs":["INTEL-SA-00477","INTEL-SA-00586","INTEL-SA-00614","INTEL-SA-00615","INTEL-SA-00657"]},{"tcb":{"sgxtcbcomponents":[{"svn":4,"category":"BIOS","type":"Early Microcode Update"},{"svn":4,"category":"OS/VMM","type":"SGX Late Microcode Update"},{"svn":3,"category":"OS/VMM","type":"TXT SINIT"},{"svn":3,"category":"BIOS"},{"svn":255},{"svn":255},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0}],"pcesvn":5},"tcbDate":"2018-01-04T00:00:00Z","tcbStatus":"OutOfDate","advisoryIDs":["INTEL-SA-00106","INTEL-SA-00115","INTEL-SA-00135","INTEL-SA-00203","INTEL-SA-00220","INTEL-SA-00233","INTEL-SA-00270","INTEL-SA-00293","INTEL-SA-00320","INTEL-SA-00329","INTEL-SA-00381","INTEL-SA-00389","INTEL-SA-00477","INTEL-SA-00586","INTEL-SA-00614","INTEL-SA-00615","INTEL-SA-00657"]}]},"signature":"00ebb478cec3792ed87afa4cab0bd0d38388f5b9e684e487d08aaab0665f4207d72d061f676f1739e4a2a0172928620311e6efdf9d3d0e8dacd61a4e77966a42"} \ No newline at end of file diff --git a/go/common/sgx/pcs/testdata/tcb_info_v2_fmspc_00606A000000_certs.pem b/go/common/sgx/pcs/testdata/tcb_info_v3_fmspc_00606A000000_certs.pem similarity index 100% rename from go/common/sgx/pcs/testdata/tcb_info_v2_fmspc_00606A000000_certs.pem rename to go/common/sgx/pcs/testdata/tcb_info_v3_fmspc_00606A000000_certs.pem diff --git a/go/common/sgx/pcs/testdata/tcb_info_v2_fmspc_00606A000000_certs_bad.pem b/go/common/sgx/pcs/testdata/tcb_info_v3_fmspc_00606A000000_certs_bad.pem similarity index 100% rename from go/common/sgx/pcs/testdata/tcb_info_v2_fmspc_00606A000000_certs_bad.pem rename to go/common/sgx/pcs/testdata/tcb_info_v3_fmspc_00606A000000_certs_bad.pem 
diff --git a/runtime/src/common/sgx/pcs.rs b/runtime/src/common/sgx/pcs.rs index f2953c9b980..e3dee86d2c6 100644 --- a/runtime/src/common/sgx/pcs.rs +++ b/runtime/src/common/sgx/pcs.rs @@ -15,7 +15,8 @@ use sgx_isa::{AttributesFlags, Report}; use super::{EnclaveIdentity, MrEnclave, MrSigner, VerifiedQuote}; // Required values of various TCB fields. -const REQUIRED_TCB_INFO_VERSION: u32 = 2; +const REQUIRED_TCB_INFO_ID: &str = "SGX"; +const REQUIRED_TCB_INFO_VERSION: u32 = 3; const REQUIRED_QE_ID: &str = "QE"; const REQUIRED_QE_IDENTITY_VERSION: u32 = 2; const DEFAULT_MIN_TCB_EVALUATION_DATA_NUMBER: u32 = 12; // As of 2022-08-01. @@ -468,9 +469,25 @@ impl SignedTCBInfo { } } +/// TDX module is a representation of the properties of Intel’s TDX SEAM module. +#[derive(Clone, Debug, Default, serde::Deserialize)] +pub struct TDXModule { + #[serde(rename = "mrsigner")] + pub mr_signer: String, + + #[serde(rename = "attributes")] + pub attributes: [u8; 8], + + #[serde(rename = "attributesMask")] + pub attributes_mask: [u8; 8], +} + /// TCB info body. #[derive(Clone, Debug, Default, serde::Deserialize)] pub struct TCBInfo { + #[serde(rename = "id")] + pub id: String, + #[serde(rename = "version")] pub version: u32, @@ -492,12 +509,21 @@ pub struct TCBInfo { #[serde(rename = "tcbEvaluationDataNumber")] pub tcb_evaluation_data_number: u32, + #[serde(default, rename = "tdxModule")] + pub tdx_module: TDXModule, + #[serde(rename = "tcbLevels")] pub tcb_levels: Vec, } impl TCBInfo { fn validate(&self, ts: DateTime, policy: &QuotePolicy) -> Result<(), Error> { + if self.id != REQUIRED_TCB_INFO_ID { + return Err(Error::TCBParseError(anyhow::anyhow!( + "unexpected TCB info identifier" + ))); + } + if self.version != REQUIRED_TCB_INFO_VERSION { return Err(Error::TCBParseError(anyhow::anyhow!( "unexpected TCB info version" 
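Review bot: `DEFAULT_MIN_TCB_EVALUATION_DATA_NUMBER` stays at `12` (context line, `// As of 2022-08-01.`) while both fixtures this patch records now carry `tcbEvaluationDataNumber: 13`; if the floor is meant to track Intel's latest TCB recovery this is the moment to bump it and the date comment, though that is a policy call rather than a defect of the hunk. Separately, `TDXModule.attributes`/`attributes_mask` as `[u8; 8]` will not deserialize the hex strings Intel uses for these fields (serde expects a JSON array of exactly 8 elements), so a document that actually includes `tdxModule` fails in deserialization before the new `id != REQUIRED_TCB_INFO_ID` check can produce its intended error; `#[serde(default)]` only helps when the key is absent. Either type them as `String` like `mr_signer`, or drop the struct, since non-SGX documents are rejected anyway.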
@@ -583,29 +609,9 @@ impl TCBLevel { // 16) with the corresponding values in the TCB Level. If all SGX TCB Comp SVNs in the // certificate are greater or equal to the corresponding values in TCB Level, go to b, // otherwise move to the next item on TCB Levels list. - for (i, svn) in [ - self.tcb.comp01svn, - self.tcb.comp02svn, - self.tcb.comp03svn, - self.tcb.comp04svn, - self.tcb.comp05svn, - self.tcb.comp06svn, - self.tcb.comp07svn, - self.tcb.comp08svn, - self.tcb.comp09svn, - self.tcb.comp10svn, - self.tcb.comp11svn, - self.tcb.comp12svn, - self.tcb.comp13svn, - self.tcb.comp14svn, - self.tcb.comp15svn, - self.tcb.comp16svn, - ] - .iter() - .enumerate() - { + for (i, comp) in self.tcb.sgx_components.iter().enumerate() { // At least one SVN is lower, no match. - if tcb_comp_svn[i] < *svn { + if tcb_comp_svn[i] < comp.svn { return false; } } 
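Review bot: The rewritten loop keeps `tcb_comp_svn[i]` as a plain index, which is the right fail-closed choice over a `zip` (a zip would stop comparing early if the certificate-side vector were short), but the reasoning deserves a comment now that the bound on `i` comes from the field type rather than the removed 16-entry literal: `// sgx_components is a [TCBComponent; 16] and serde rejects any other length, so i < 16 here; only tcb_comp_svn's length is assumed.` That `tdx_components` is intentionally not consulted here is consistent with `validate` requiring the `SGX` identifier and could be stated in the same comment. The enclosing method starts and ends outside the hunk.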
@@ -628,38 +634,24 @@ pub struct TCBVersions { #[serde(rename = "pcesvn")] pub pcesvn: u32, - #[serde(rename = "sgxtcbcomp01svn")] - pub comp01svn: u32, - #[serde(rename = "sgxtcbcomp02svn")] - pub comp02svn: u32, - #[serde(rename = "sgxtcbcomp03svn")] - pub comp03svn: u32, - #[serde(rename = "sgxtcbcomp04svn")] - pub comp04svn: u32, - #[serde(rename = "sgxtcbcomp05svn")] - pub comp05svn: u32, - #[serde(rename = "sgxtcbcomp06svn")] - pub comp06svn: u32, - #[serde(rename = "sgxtcbcomp07svn")] - pub comp07svn: u32, - #[serde(rename = "sgxtcbcomp08svn")] - pub comp08svn: u32, - #[serde(rename = "sgxtcbcomp09svn")] - pub comp09svn: u32, - #[serde(rename = "sgxtcbcomp10svn")] - pub comp10svn: u32, - #[serde(rename = "sgxtcbcomp11svn")] - pub comp11svn: u32, - #[serde(rename = "sgxtcbcomp12svn")] - pub comp12svn: u32, - #[serde(rename = "sgxtcbcomp13svn")] - pub comp13svn: u32, - #[serde(rename = "sgxtcbcomp14svn")] - pub comp14svn: u32, - #[serde(rename = "sgxtcbcomp15svn")] - pub comp15svn: u32, - #[serde(rename = "sgxtcbcomp16svn")] - pub comp16svn: u32, + #[serde(rename = "sgxtcbcomponents")] + pub sgx_components: [TCBComponent; 16], + + #[serde(default, rename = "tdxtcbcomponents")] + pub tdx_components: [TCBComponent; 16], +} + +/// A TCB component. +#[derive(Clone, Debug, Default, serde::Deserialize)] +pub struct TCBComponent { + #[serde(rename = "svn")] + pub svn: u32, + + #[serde(default, rename = "category")] + pub category: String, + + #[serde(default, rename = "type")] + pub tcb_comp_type: String, } /// TCB status.
@@ -759,6 +751,9 @@ pub struct QEIdentity { #[serde(rename = "tcbLevels")] pub tcb_levels: Vec, + + #[serde(default, rename = "advisoryIDs")] + pub advisory_ids: Vec, } impl QEIdentity { 
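Review bot: `tdx_components` combines `#[serde(default)]` with a `[TCBComponent; 16]`, so a missing `tdxtcbcomponents` key produces sixteen zero-SVN components that are indistinguishable from a genuine all-zero TDX TCB level. That is harmless today because only `sgx_components` is compared in the TCBLevel hunk above, but if TDX matching is added later the defaulted array would be satisfied by any TDX SVN; an `Option<[TCBComponent; 16]>` keeps "absent" distinct. At minimum document it on the field: `/// Absent in SGX TCB info; the default is all-zero SVNs, so check presence before matching against it.` `category` and `tcb_comp_type` are parsed but not read anywhere in the visible code, which is fine but worth a one-line comment so nobody assumes they feed the match.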
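Review bot: `advisory_ids` is added to `QEIdentity` itself, but in the qe_identity_v2.json fixture below `advisoryIDs` appears inside each `tcbLevels` entry rather than at the top level of `enclaveIdentity`, and with `#[serde(default)]` the new field will simply stay empty without any signal of the mismatch. Unless the per-level struct already carries the key outside this hunk, the field belongs on the TCB level type, which is also where the tcb_info_v3 fixture places it, and a test asserting a non-empty advisory list for an `OutOfDate` level would catch the placement. The `QEIdentity` definition starts outside the hunk.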
@@ -920,10 +915,10 @@ mod tests { const RAW_QUOTE: &[u8] = include_bytes!("../../../testdata/quote_v3_ecdsa_p256_pck_chain.bin"); const RAW_TCB_INFO: &[u8] = - include_bytes!("../../../testdata/tcb_info_v2_fmspc_00606A000000.json"); // From PCS V3 response. + include_bytes!("../../../testdata/tcb_info_v3_fmspc_00606A000000.json"); // From PCS V4 response. const RAW_CERTS: &[u8] = - include_bytes!("../../../testdata/tcb_info_v2_fmspc_00606A000000_certs.pem"); // From PCS V3 response (SGX-TCB-Info-Issuer-Chain header). - const RAW_QE_IDENTITY: &[u8] = include_bytes!("../../../testdata/qe_identity_v2.json"); // From PCS V3 response. + include_bytes!("../../../testdata/tcb_info_v3_fmspc_00606A000000_certs.pem"); // From PCS V4 response (TCB-Info-Issuer-Chain header). + const RAW_QE_IDENTITY: &[u8] = include_bytes!("../../../testdata/qe_identity_v2.json"); // From PCS V4 response. let qb = QuoteBundle { quote: RAW_QUOTE.to_owned(), @@ -934,16 +929,16 @@ mod tests { }, }; - let now = Utc.timestamp(1652701082, 0); + let now = Utc.timestamp(1671497404, 0); let verified_quote = qb.verify(&QuotePolicy::default(), now).unwrap(); assert_eq!( verified_quote.identity.mr_signer, - "4025dab7ebda1fbecc4e3637606e021214d0f41c6d0422fd378b2a8b88818459".into() + "9affcfae47b848ec2caf1c49b4b283531e1cc425f93582b36806e52a43d78d1a".into() ); assert_eq!( verified_quote.identity.mr_enclave, - "9479d8eddfd7b1b700319419551dc340f688c2ef519a5e18657ecf32981dbd9e".into() + "68823bc62f409ee33a32ea270cfe45d4b19a6fb3c8570d7bc186cbe062398e8f".into() ); } 
@@ -954,16 +949,16 @@ mod tests { let qb: QuoteBundle = cbor::from_slice(RAW_QUOTE_BUNDLE).unwrap(); - let now = Utc.timestamp(1652701082, 0); + let now = Utc.timestamp(1671497404, 0); let verified_quote = qb.verify(&QuotePolicy::default(), now).unwrap(); assert_eq!( verified_quote.identity.mr_signer, - "4025dab7ebda1fbecc4e3637606e021214d0f41c6d0422fd378b2a8b88818459".into() + "9affcfae47b848ec2caf1c49b4b283531e1cc425f93582b36806e52a43d78d1a".into() ); assert_eq!( verified_quote.identity.mr_enclave, - "9479d8eddfd7b1b700319419551dc340f688c2ef519a5e18657ecf32981dbd9e".into() + "68823bc62f409ee33a32ea270cfe45d4b19a6fb3c8570d7bc186cbe062398e8f".into() ); } @@ -974,7 +969,7 @@ mod tests { let qb: QuoteBundle = cbor::from_slice(RAW_QUOTE_BUNDLE).unwrap(); - let now = Utc.timestamp(1652701082, 0); + let now = Utc.timestamp(1671497404, 0); let policy = &QuotePolicy { fmspc_blacklist: vec!["00606A000000".to_string()], ..Default::default() 
diff --git a/runtime/testdata/pcs_quote_bundle.cbor b/runtime/testdata/pcs_quote_bundle.cbor index d5c80292c37b787e78c947184cedb11bebb3a195..ea4b1cd8a097624eb2c6f164ab1e1c9234194f62 100644 GIT binary patch literal 10952 zcmeHN35+DySsvfsvb`JZwM~3wHIZeL*`@31IwsiWy{hW!>gnp9I{K(acBrnZuCBiC z>TYN4;7G*S*bea_WfNiH2nix^gl*(RL{j*vj{krE`;S-k{ZBaqr~C!a@p^;4b%}c{x}YR0nInRvn@U0vfGN$W zn5rm3Fckz)Tk}DvK;SF6N-YqG${@d%>j1-wC#qn*lSs)tpU8!RZz*f-k}|E~66zmf zwkX*u^kqQg5Fyl!LL4s@LO+MQmXb(~%9Q47xHOh)z=D1z4?$a%a*d%Y=lhD38DUNf zj+|x!w+sAG)wNLaEitcYNf8W83r%JjP%O)diDgP@71U>p1P}_*q{0-Wu#H(Q6EyOs z3hAO~O0+8GCaNig854}vL>ti*Vu2QxMaffPC}W$V=jTP&MJ<4)U2unXA>LB;b|{0H zWNRW!q{=P5Q5KM7R4T;Ke^pm*jLJ1Br$S{WA`HWHj!d9+O1?&pt4?!6+zn}cw2}-| zwLV&hC1Pm3vJ|HBxhX8EP?h1ND;p}!17DH_Ve>hZk^ol#lrjmK8&4;0L9eXwWVtDi zu=SNDsPe?RG|986DwB{?ZoK76ybY7APDwOihviM!VWJIkN;9Vtjjo$fT2r4j^0^+b$R4m~FBR3Hn@kZ7r8i2+Ov7nK^!yY{ zH#dwT-OP;22EU=FGnl|$UzSsO5P%w18I*e&xi9B9D@hWBs|Qx5 zy}mvq_);e}^|(~CI;=sw4a3`R!)E>`WyIY+Ics?rf33~@)!6peciW%;YyK+cHvLtL ztEMuI{$c~OKSm(5!oPXr1eC#AlJ$*m`_#mt-3`IDWz5yEh~+y<1F3m z_9s@Y0qusFx5kNevY&!$@o8f%3$fu;fI|^fX2xu&k}QIP54E7AO$&t%jt7;jI7sD< z5dq3s!;yO;G&T&MlZ+`$VXEZ$x(&r@J<)cPdgx5sqcj=$quwbs8#Sw_H=IcvcUt)= ziq&<8%uifIkNg(}L>xmwerS>WAdPSMZ4~fxO@8D`8JKRO!8PE{IBK+%@U>l01lt)# z#Emer4zy$p0!@qp-)1Crr49d8RFpuF&mu)jvowV5$U~x`fl&9AD##XMajmYe7`zY| zqLXR2!}M@nPxlLQC1wSzY!rDK1vWGEF%U?APT`GSvaR-4itTti)-N(yUMq}~IvAC5 za@N%~)){s6qTN;A&1b!?_p!izD(DA(%N`7S-uM$t*<(nWt;9Lcb;<-@j#CuFmE#QK zQXWM+ob6GROH?Sz^U4*Tay=Gj34-$QIQq%Z3>xlmJWj=J%8j$6>yh!Y%Xzj_F4I(; zAsC)v$`#sn3DTo+ui|o4G@hn-&t+|{mxcrY>hhgeXjr3TySf)jr-!rh(A(;--@JM<^(zsXW6*O@=P43B%UECHo>w2 z!vT)u0glHRAaJ52vN%EG5a$Sp^EA!lLYzgM&}>0})akX|NX^92Wu%a_H}V=t{9m{` z`n9}@wxB=ikC5J(3(-p7ybnk>FJ8GejF z`$OzGS#~(cR%WvyHM^sr-|kHmF%ooH$)K~=F#{aKahhe9?>q%NdVw9m&)8At$d00D zwB~*ACwKG5V;rMvwtmn8Uk{v=P$6ZS13u_z&T4Cmeh32|~>ptBbF&f`^NTptTs zmG)EHPu693Z^j5iE+R(TK>|7ODT4&ER(_SnR|$OYAi>S`sWkf?2U#D!LG- zj^im&Y})*ZL^CHH6p!$k59}RQP{-Xa*7wJV?zEeob_)f+4fmTl9eZ@yK{3on){dA# 
zC2JtwgBhn~$?i2KN7TUSwVk%>9oY=%#2w5R zCoqfV5ktu+=JGbj`2jO&x7)}#^7&24c0MD++oa;}`O}@VeVQqQpcV`qWsS(d@jYG8 zC?xG3%0)rT&v>5exkz_=M;?ZVqxK!4fQiqCqW{l({NC^ENt-#RJr>%nO5hKBvl9Sl zxj(Tzr{`Sj%=~(O?4n!#Z}ID&)SfRUE;2esyqjO|FSW)wX2G9{g@9%ze zyxhON?DTjvDmrtXJe0n7=g7He{=PYEC+D+C^84T1lYxD|Pdm(E@vVYDhgkHALhqU5 z_ZJHYd?6MPi^-m#7P3EyFC4^4GCDQxI3JMIVh?t)$F9Tt;v5vYaQ>$_Vx9}dE%b=q zkmlq#Ys;MerSq4f>%h_#OOKxDQUCe*^lv|gUGePW_g;L-_aA$rdDVxH zU;E^LJ)(Z~?>~Gz>UZgZgIB!s&Uw+}zOIWldtI=3uip33mtsHv>#whp|8mRaKbF4n zdnek@zEZg2?iYUf)o+#ghaWlJq$l3_^QYx6C%=32OE)ObJ@ZN9rW;?T*hr zfBbJgcjyJ7k^SfDt^9R*@qt74)4AVx@R4Hg^?!fq14~QGcVyoD%RfDM&C&n(*XP0a z9(?E8dyjzS=Z_rz=xg|aZ@-9NqZ~d|efy!ypZw0vUwGw@-oE4I>wkB&^!hK2|L$HU z`{Rcn|K1O-3kLVuZ{G9ZiN~Hk_~vboe&`=o@UPr;^P@A8XY>B`8-MG>3qMGGqE~qF zjgOBHU;fpK{*Ax>)He@Z^vNqrw|wRgJEz;DU(FVVuRXDT`x95)8@}|weJ7Ukzw^+) zbq-&4>GcQ1Pyfl?@0@P@xwfB&yyaZ3-Us_0``WGdUjO8XyZwvgZ}xAw{%hl}y!Fi2 ze)f%TPX6GtH=b_p<~{2#-DX_<<&|Ii8REN_5Qhfzjjx2iUt0Ocmp?_zxBl79R{yc( zFTVKPk8XP7e)wqj7r%e;JrDK&>Q_GhPe1(Qo1eS?<8S@&$kNhz=U;H)MHgRk=>hDr z%da?i=mS4>wL(pPr9-o7vF@YLF2JupppOg_wsF^3BNWl+v zY-@l<@)JkqC+M4Yr%cl0ga~FI!y#}~fyh)5m{&zuWZx>Ls#};Gg5(rT1gU7&ZQK!7 zRUw~O!(`RTs5ND*)&PNE#^^pS%xLvF8dj*mP&JfL*?1lPWP0|y(hFrjh4yGoqiDN29!+bdM@*?bQVHhP52C6Lh#V&NJjm{1TBN5uhJZypO#4WaA z3o6s{gn4W-!iCb5HBD2nW|NsoS>$V$Ng#lC+saCfGQuZIa${JU61(w8=;<`mONC=< z&78zI!s3`@Cy8S@B4_R!k3^7sHndU^yipxhGeE;31`#nWBAh<(!=!Jm?Q8^^rg5wn zt0t9Z8Xxy7>!#8Q+uc^wzmSuKpetjBQl?E!LbEBM?HU&EL``v0ikXIxe`K=^CAJrtRbD;#R^xV>X zXNLDg^cmi>r4Zozr~#Z}Kz$E-TR;+=YCwOF0pTt>ngB;i!gn=n(CIzs5oEQ&czy|0 zu-!1X=Bk9~cm%`G>jK3nOae{{gzK>wTKSGE(!;z>gqncb!^8p|#RE+SGVDf!Rlv=R zG2L5S%<@l7Mc=0mPpEtyjtMd*e(3W8XvsTXSEP$)H9l~S2A z!tq$|3yKgHCuKKnj}sJ38Vzi%q=acxklVvnCRr5gMyfJaV~w>|zh#{RF5jp{bu{Ew zvde>1epGZwUS3IdG^v#$*0t%>PZR|{p4%!q*s3|eRN3EABcqwm1Zb2=9!Hr1 z?#vE5lS5R55}s*x*qI!#s1oI5b^u-?#K&0?CAb<&aAGc0O=u(9RGrS#)Fc=yHQ;X+ z;;5>;Ro=59x~AcMKPQh-iA)Jq`rvz(17T4;&=yF4HW)n?)dNKt0)owQpnYKU83V@H z0ZBB9MiwK5;j}XjS=viMmXs!<>=)v_qA(bfgS?sUGS#&@GhN9AdP!(?b+*&bj{I)I 
zGscak*+?}o&uj){!J1OtEIb>Gex}5vz5&vo4MuHkmX|DkcrANe=Czhg&JJM&vxK z1y;GXBw4m^rwMk_?vvLl;`+iN$ W*_H2Yx$FBiHSgEdyw^1~OaBd;^1j;u delta 2716 zcmeH|drVVT9LEcyKMF|lJfe>+$U}2c#04`vpgklmW z;V4h=l2IZN4ug!4Q6K=u8U+DD1X2=FBY^@Q1~5r-xCkj41i-v9SAbCw5^)X^a1<3p z0u=y3=$b`8-^hlenT$EGI)Z)c9CY=L_@9tKtPE(z7UAW1t1s5_Jm~Z^L0!zT<+J{V}N{5 zlimZt!I1JFG|LclbtuvJKvOdWreMf8L!xx(6bu_@0K=k`_>`0g_KXFGqNL=wG@2Rz z&0uH>Hjzx!TzDdxXf~0I!gBx48lK1|S~!tSG@Hl;l98l*W&d>Yh*tg5#uvr&pKXM7 zMe=2B@^cHLD{Nx(qS?zzoII!S^Gbwu3t}N$UZvH`fh6@yH~-(cE}X;kD0iSoW}r6uoA%= z2_uJz1SIjIz@Y+(0s)W>U zZg481T|G*W%%VA`pFTLPxqbb}C0$}y*M&zHw;oc72>Yg~bp92r*Y9np#LMU$4zUX* zA-LMwKw+)z7}bQ5cE(;GIImTyj_#z>n3Un2U(GXL?vK|cwz3CNc-@ta~!AM@- zg2C(k%d@Wbofuuyx}?84@h+|H9L$&c4mIh8BHzlZ^b?(VM#ZP=4i2kRlOHVVzyA-1 zpyYAyRI0m^{o$niFZMUSwsG~1?{7S{R9~VC?%e#-@m+69SzqSxp2EjtZppFp*Tuvu zqk^=Qy&6yE@1qB{)@H?be`5XdSa0!0)xoPX<2G|AGb}599+MYl)^wfQ*Sq8Wz&WvT zID7k@^@msLeBFuX*J$HTxR36t{4Mg0YENEEJ3EvPemef{AB&d6EFMZkM|u5Cv`gMU zDx35faojAGYR9V!vlz0|Y&Mm6TvXU&ioJ9QE?VY+$xgL(nWa{KZ{f#tnQ{|VY>u=PS6Ml<+QHZ; zht*8E7)Gv6>yqVkoqQ+lrXd)%gq>xjfd;EP*RHA6WVDs0cm2~+Yf>9=|$ zGHiA^tz)`QFQk03(p3&Btgduf-IT2!;a!1dFKZ5)11M;u9dK!RIo#;=nQO7Ss(Mpn zsDh(?oj!@CJPZY)CR}m4s2SLUYSdxsq+t;DSxQkp6mf=I1Dw^|;HPTL#i%D-pw1p^ K1Exir;{O6*G@GaZ diff --git a/runtime/testdata/qe_identity_v2.json b/runtime/testdata/qe_identity_v2.json index cf3c32bf88f..8a10ab7bfd1 100644 --- a/runtime/testdata/qe_identity_v2.json +++ b/runtime/testdata/qe_identity_v2.json 
@@ -1 +1 @@ -{"enclaveIdentity":{"id":"QE","version":2,"issueDate":"2022-05-16T10:34:11Z","nextUpdate":"2022-06-15T10:34:11Z","tcbEvaluationDataNumber":12,"miscselect":"00000000","miscselectMask":"FFFFFFFF","attributes":"11000000000000000000000000000000","attributesMask":"FBFFFFFFFFFFFFFF0000000000000000","mrsigner":"8C4F5775D796503E96137F77C68A829A0056AC8DED70140B081B094490C57BFF","isvprodid":1,"tcbLevels":[{"tcb":{"isvsvn":6},"tcbDate":"2021-11-10T00:00:00Z","tcbStatus":"UpToDate"},{"tcb":{"isvsvn":5},"tcbDate":"2020-11-11T00:00:00Z","tcbStatus":"OutOfDate"},{"tcb":{"isvsvn":4},"tcbDate":"2019-11-13T00:00:00Z","tcbStatus":"OutOfDate"},{"tcb":{"isvsvn":2},"tcbDate":"2019-05-15T00:00:00Z","tcbStatus":"OutOfDate"},{"tcb":{"isvsvn":1},"tcbDate":"2018-08-15T00:00:00Z","tcbStatus":"OutOfDate"}]},"signature":"68251f6b5229f1d8232f8db2cef3e7d7e687a118b26d58f45fbf64c7cf9f83b50909d725a9dd03d8fe49742c12188b6e03b5321c58fd14e0e6b0d644de74d277"} \ No newline at end of file +{"enclaveIdentity":{"id":"QE","version":2,"issueDate":"2022-12-16T12:45:36Z","nextUpdate":"2023-01-15T12:45:36Z","tcbEvaluationDataNumber":13,"miscselect":"00000000","miscselectMask":"FFFFFFFF","attributes":"11000000000000000000000000000000","attributesMask":"FBFFFFFFFFFFFFFF0000000000000000","mrsigner":"8C4F5775D796503E96137F77C68A829A0056AC8DED70140B081B094490C57BFF","isvprodid":1,"tcbLevels":[{"tcb":{"isvsvn":6},"tcbDate":"2022-11-09T00:00:00Z","tcbStatus":"UpToDate"},{"tcb":{"isvsvn":5},"tcbDate":"2020-11-11T00:00:00Z","tcbStatus":"OutOfDate","advisoryIDs":["INTEL-SA-00477"]},{"tcb":{"isvsvn":4},"tcbDate":"2019-11-13T00:00:00Z","tcbStatus":"OutOfDate","advisoryIDs":["INTEL-SA-00334","INTEL-SA-00477"]},{"tcb":{"isvsvn":2},"tcbDate":"2019-05-15T00:00:00Z","tcbStatus":"OutOfDate","advisoryIDs":["INTEL-SA-00219","INTEL-SA-00293","INTEL-SA-00334","INTEL-SA-00477"]},{"tcb":{"isvsvn":1},"tcbDate":"2018-08-15T00:00:00Z","tcbStatus":"OutOfDate","advisoryIDs":["INTEL-SA-00202","INTEL-SA-00219","INTEL-SA-00293","INT
EL-SA-00334","INTEL-SA-00477"]}]},"signature":"6be6247f58edcb10b53368b566d3e34c8ae33d1f33eebf93de707113e05bf9646e62c89035a3d572de25bd8eacbb435616966bf4ad12e40efd837113439ed7a8"} \ No newline at end of file diff --git a/runtime/testdata/quote_v3_ecdsa_p256_pck_chain.bin b/runtime/testdata/quote_v3_ecdsa_p256_pck_chain.bin index 075eee9f9e722d0404ea2306a1af38caef781621..bc241e0746a2dfb3d4382bf589f4d2c125f98cf7 100644 GIT binary patch delta 884 zcmeyT@=JxAnSqG`1UMOZCvvN@b8zzU{{PQ7@uKF$1ObJNChKGR4)Y#c8NE{H`R96N zJ^#J=Jo) z-YYfn;{19BrmW0!H*@Tmre4g=w&-K660Q<4oK~2o72$H+UEd~Y9iOfJ%;NfxJ?U)QLYo?m8Rx5{W~vAXo(ik&|<9oBn#t#bEFS)gKv+`52cw!xx1 zv?ppBzF{}yFENolQNA@w`~LBE6L*a>s*%N0lvW+t@=NY%htuT3gpX`>y~US1=REmw zNOem`&Cef`zc8z?#PKmOOy=d5*KxH7advj{%1n1G_jGbh_Y8F|uS&CsG%`0&*AI6p zj`S-w%Js_CHgzU|vRSdhH_Oq`H^dc0SA=II`}t;NqlitmW<3z$Usl0oWEPx~ zYG@qf<699}=~HQvWe{Qz>g1E@nBrd5-lwbyZmguD~#H2`YCi=L&N4Ob-e6GY>1b z$jFEasR{~l^~nh-%goe|$_)z7aw&C=%FRoQO0ozpuc!zrcJ_2GkEl#a@ky+3Gj{R_ z&f)To@+|iWadyuy&GYk!aLEq#N~`eI&+*PH&Wq&I1p!w-7lp|?_zXAeatE>l020Af ADgXcg delta 875 zcmeyR@=t}EnSqG`1lSpPCUUE?v$FE={Qu85@uKF$1ObI9l{enrzrJxhgW(j(P}#!{ z-#QMx51bVzky>}&Xol?Gc@r-xC^)Fz+Wz{M{Jt}OX66ZbOhO_TzR2XVDE&3>*6QwP zY>AwBaeh66hMU;Ie_syrJifc(oCs%4&6)3KJJ&L#8YkL0c}rh3ZOqGx3NrI?(N8iC zNbxE&4DpO|G%YGMb<8!f2yhLE$Uh~(z_4+Ki-N1f^%+N`oX^i<7ZEkvn#1Gdpm*_5 zvrYKp6VG?tl3>q`vFZwQ;uBD;U1FcNO8?L%;SFb49@_eTZ#nyIr|*=73y!w&rmfiA zAGx~H+FEYw-C6cJSElTFT3w_*D}?j8i$K*@o3trwb7fN8vg59}{1tI#^IzYz`Z|}a z=ojT#?-5}$IfY3;VV#i8{*^gutqJ$9-v8$ja?Zu}$%9{kml`E}rf6JW?C={HIFq+9 zH8HYJylAT+v4kg6Hzb6vOpN%Oimk?dN|Q`G`2doni84fLZ1v% zS0|5h3&&z}?<}7nSCcSTGvj~~3#W+ukaUm0T*nGmuVPp2;0jlxDyN`wKN$iSRSCSU+y@02Is^2G>dZQ^hi&Tx~eP#pp>UeaG+y3S5UfVhNEAEadLWoK~|!3 zxpTgWQI1QXp|`KEVNO=IbC_v(aD-D%nSYW?c2#zoi({s%qk)N&88B4c3XB4Zxl96` qs$2|>%CkMZO_IwhBg>2OlRTZH@*G2*-AyvfZMk$oVDlHQHg*6@^iEv> diff --git a/runtime/testdata/tcb_info_v2_fmspc_00606A000000.json b/runtime/testdata/tcb_info_v2_fmspc_00606A000000.json deleted file mode 100644 index 2d2e3a391cf..00000000000 
--- a/runtime/testdata/tcb_info_v2_fmspc_00606A000000.json
+++ /dev/null
@@ -1 +0,0 @@ -{"tcbInfo":{"version":2,"issueDate":"2022-05-16T07:22:26Z","nextUpdate":"2022-06-15T07:22:26Z","fmspc":"00606A000000","pceId":"0000","tcbType":0,"tcbEvaluationDataNumber":12,"tcbLevels":[{"tcb":{"sgxtcbcomp01svn":4,"sgxtcbcomp02svn":4,"sgxtcbcomp03svn":3,"sgxtcbcomp04svn":3,"sgxtcbcomp05svn":255,"sgxtcbcomp06svn":255,"sgxtcbcomp07svn":0,"sgxtcbcomp08svn":0,"sgxtcbcomp09svn":0,"sgxtcbcomp10svn":0,"sgxtcbcomp11svn":0,"sgxtcbcomp12svn":0,"sgxtcbcomp13svn":0,"sgxtcbcomp14svn":0,"sgxtcbcomp15svn":0,"sgxtcbcomp16svn":0,"pcesvn":11},"tcbDate":"2021-11-10T00:00:00Z","tcbStatus":"UpToDate"},{"tcb":{"sgxtcbcomp01svn":4,"sgxtcbcomp02svn":4,"sgxtcbcomp03svn":3,"sgxtcbcomp04svn":3,"sgxtcbcomp05svn":255,"sgxtcbcomp06svn":255,"sgxtcbcomp07svn":0,"sgxtcbcomp08svn":0,"sgxtcbcomp09svn":0,"sgxtcbcomp10svn":0,"sgxtcbcomp11svn":0,"sgxtcbcomp12svn":0,"sgxtcbcomp13svn":0,"sgxtcbcomp14svn":0,"sgxtcbcomp15svn":0,"sgxtcbcomp16svn":0,"pcesvn":10},"tcbDate":"2020-11-11T00:00:00Z","tcbStatus":"OutOfDate"},{"tcb":{"sgxtcbcomp01svn":3,"sgxtcbcomp02svn":3,"sgxtcbcomp03svn":3,"sgxtcbcomp04svn":3,"sgxtcbcomp05svn":255,"sgxtcbcomp06svn":255,"sgxtcbcomp07svn":0,"sgxtcbcomp08svn":0,"sgxtcbcomp09svn":0,"sgxtcbcomp10svn":0,"sgxtcbcomp11svn":0,"sgxtcbcomp12svn":0,"sgxtcbcomp13svn":0,"sgxtcbcomp14svn":0,"sgxtcbcomp15svn":0,"sgxtcbcomp16svn":0,"pcesvn":10},"tcbDate":"2020-06-10T00:00:00Z","tcbStatus":"OutOfDate"},{"tcb":{"sgxtcbcomp01svn":3,"sgxtcbcomp02svn":3,"sgxtcbcomp03svn":3,"sgxtcbcomp04svn":3,"sgxtcbcomp05svn":255,"sgxtcbcomp06svn":255,"sgxtcbcomp07svn":0,"sgxtcbcomp08svn":0,"sgxtcbcomp09svn":0,"sgxtcbcomp10svn":0,"sgxtcbcomp11svn":0,"sgxtcbcomp12svn":0,"sgxtcbcomp13svn":0,"sgxtcbcomp14svn":0,"sgxtcbcomp15svn":0,"sgxtcbcomp16svn":0,"pcesvn":5},"tcbDate":"2018-01-04T00:00:00Z","tcbStatus":"OutOfDate"}]},"signature":"68a39fa09446abdd13d9294cadc5710a87f6c7083b207d3aba6c5217af7c979b5e70fcedb4d8427682c8cefddd9163527cb792a4d1f25ada533ec355e44679ad"} \ No newline at end of file 
diff --git a/runtime/testdata/tcb_info_v3_fmspc_00606A000000.json b/runtime/testdata/tcb_info_v3_fmspc_00606A000000.json
new file mode 100644
index 00000000000..fc35f8f11eb
--- /dev/null
+++ b/runtime/testdata/tcb_info_v3_fmspc_00606A000000.json
@@ -0,0 +1 @@ +{"tcbInfo":{"id":"SGX","version":3,"issueDate":"2022-12-19T09:40:10Z","nextUpdate":"2023-01-18T09:40:10Z","fmspc":"00606A000000","pceId":"0000","tcbType":0,"tcbEvaluationDataNumber":13,"tcbLevels":[{"tcb":{"sgxtcbcomponents":[{"svn":7,"category":"BIOS","type":"Early Microcode Update"},{"svn":9,"category":"OS/VMM","type":"SGX Late Microcode Update"},{"svn":3,"category":"OS/VMM","type":"TXT SINIT"},{"svn":3,"category":"BIOS"},{"svn":255},{"svn":255},{"svn":1},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0}],"pcesvn":13},"tcbDate":"2022-08-10T00:00:00Z","tcbStatus":"SWHardeningNeeded","advisoryIDs":["INTEL-SA-00615","INTEL-SA-00657"]},{"tcb":{"sgxtcbcomponents":[{"svn":7,"category":"BIOS","type":"Early Microcode Update"},{"svn":9,"category":"OS/VMM","type":"SGX Late Microcode Update"},{"svn":3,"category":"OS/VMM","type":"TXT SINIT"},{"svn":3,"category":"BIOS"},{"svn":255},{"svn":255},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0}],"pcesvn":13},"tcbDate":"2022-08-10T00:00:00Z","tcbStatus":"ConfigurationAndSWHardeningNeeded","advisoryIDs":["INTEL-SA-00615","INTEL-SA-00657"]},{"tcb":{"sgxtcbcomponents":[{"svn":4,"category":"BIOS","type":"Early Microcode Update"},{"svn":4,"category":"OS/VMM","type":"SGX Late Microcode Update"},{"svn":3,"category":"OS/VMM","type":"TXT SINIT"},{"svn":3,"category":"BIOS"},{"svn":255},{"svn":255},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0}],"pcesvn":11},"tcbDate":"2021-11-10T00:00:00Z","tcbStatus":"OutOfDate","advisoryIDs":["INTEL-SA-00586","INTEL-SA-00614","INTEL-SA-00615","INTEL-SA-00657"]},{"tcb":{"sgxtcbcomponents":[{"svn":4,"category":"BIOS","type":"Early Microcode Update"},{"svn":4,"category":"OS/VMM","type":"SGX Late Microcode Update"},{"svn":3,"category":"OS/VMM","type":"TXT 
SINIT"},{"svn":3,"category":"BIOS"},{"svn":255},{"svn":255},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0}],"pcesvn":10},"tcbDate":"2020-11-11T00:00:00Z","tcbStatus":"OutOfDate","advisoryIDs":["INTEL-SA-00477","INTEL-SA-00586","INTEL-SA-00614","INTEL-SA-00615","INTEL-SA-00657"]},{"tcb":{"sgxtcbcomponents":[{"svn":4,"category":"BIOS","type":"Early Microcode Update"},{"svn":4,"category":"OS/VMM","type":"SGX Late Microcode Update"},{"svn":3,"category":"OS/VMM","type":"TXT SINIT"},{"svn":3,"category":"BIOS"},{"svn":255},{"svn":255},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0}],"pcesvn":5},"tcbDate":"2018-01-04T00:00:00Z","tcbStatus":"OutOfDate","advisoryIDs":["INTEL-SA-00106","INTEL-SA-00115","INTEL-SA-00135","INTEL-SA-00203","INTEL-SA-00220","INTEL-SA-00233","INTEL-SA-00270","INTEL-SA-00293","INTEL-SA-00320","INTEL-SA-00329","INTEL-SA-00381","INTEL-SA-00389","INTEL-SA-00477","INTEL-SA-00586","INTEL-SA-00614","INTEL-SA-00615","INTEL-SA-00657"]}]},"signature":"00ebb478cec3792ed87afa4cab0bd0d38388f5b9e684e487d08aaab0665f4207d72d061f676f1739e4a2a0172928620311e6efdf9d3d0e8dacd61a4e77966a42"} \ No newline at end of file diff --git a/runtime/testdata/tcb_info_v2_fmspc_00606A000000_certs.pem b/runtime/testdata/tcb_info_v3_fmspc_00606A000000_certs.pem similarity index 100% rename from runtime/testdata/tcb_info_v2_fmspc_00606A000000_certs.pem rename to runtime/testdata/tcb_info_v3_fmspc_00606A000000_certs.pem diff --git a/runtime/testdata/tcb_info_v2_fmspc_00606A000000_certs_bad.pem b/runtime/testdata/tcb_info_v3_fmspc_00606A000000_certs_bad.pem similarity index 100% rename from runtime/testdata/tcb_info_v2_fmspc_00606A000000_certs_bad.pem rename to runtime/testdata/tcb_info_v3_fmspc_00606A000000_certs_bad.pem