PCCS Administrator Tool
A command-line tool for managing Intel SGX DCAP PCCS (Provisioning Certificate Caching Service).
This is a Go reimplementation of Intel's Python-based PccsAdminTool, designed to be more lightweight and easier to use.
Installation
Using go install
go install github.com/KarpelesLab/intel-dcapd/tools/pccsadmin@latest
Build from source
cd tools/pccsadmin
go build -o pccsadmin
Run without installation
go run github.com/KarpelesLab/intel-dcapd/tools/pccsadmin@latest <command> [options]
Usage
pccsadmin <command> [options]
Available Commands
- get - Get platform registration data from PCCS
- put - Upload platform collateral or appraisal policy to PCCS
- fetch - Fetch platform collateral from Intel PCS
- collect - Collect platform data from CSV files
- refresh - Request PCCS to refresh cached data
Commands
get - Get Platform Data from PCCS
Get registered platform data from PCCS service.
# Get all registered platforms
pccsadmin get -u https://localhost:8081 -o platforms.json
# Get platforms whose certs are not available
pccsadmin get -s reg_na
# Get platforms from cache by FMSPC
pccsadmin get -s [00906EA10000,00906ED50000]
# Get all cached platforms
pccsadmin get -s []
Options:
- -u <url> - PCCS platforms API URL (default: https://localhost:8081/sgx/certification/v4/platforms)
- -o <file> - Output file name (default: platform_list.json)
- -s <source> - Source: reg, reg_na, or [FMSPC1,FMSPC2,...]
- -t <token> - Admin token (or set PCCS_ADMIN_TOKEN env var)
- -k - Skip TLS certificate verification
put - Upload Collateral to PCCS
Upload platform collateral or appraisal policy to PCCS.
# Upload platform collateral
pccsadmin put -i collateral.json
# Upload appraisal policy
pccsadmin put -u https://localhost:8081/sgx/certification/v4/appraisalpolicy \
-f 00906EA10000 -i policy.jwt -d
Options:
- -u <url> - PCCS API URL (default: https://localhost:8081/sgx/certification/v4/platformcollateral)
- -i <file> - Input file name (required)
- -f <fmspc> - FMSPC value (required for appraisal policy)
- -d - Make this the default policy for the FMSPC
- -t <token> - Admin token (or set PCCS_ADMIN_TOKEN env var)
- -k - Skip TLS certificate verification
fetch - Fetch Collateral from Intel PCS
Fetch platform collateral from Intel's Provisioning Certificate Service.
# Fetch collateral for platforms
pccsadmin fetch -i platforms.json -o collateral.json -k YOUR_API_KEY
# Fetch only CRLs
pccsadmin fetch -c -k YOUR_API_KEY
# Fetch with early TCB update
pccsadmin fetch -t early -i platforms.json
Options:
- -u <url> - Intel PCS URL (default: https://api.trustedservices.intel.com/sgx/certification/v4/)
- -i <file> - Input platform list file (default: platform_list.json)
- -o <file> - Output collateral file (default: platform_collaterals.json)
- -t <type> - TCB update type: standard, early, or all (default: standard)
- -k <key> - Intel PCS API key (or set INTEL_API_KEY env var)
- -c - Retrieve only CRL
collect - Collect Platform Data from CSV
Collect platform data from CSV files produced by Intel's PCK ID Retrieval Tool.
# Collect from current directory
pccsadmin collect -o platforms.json
# Collect from specific directory
pccsadmin collect -d ./platform_data -o platforms.json
CSV Format:
EncryptedPPID,PCE_ID,CPUSVN,PCE_ISVSVN,QE_ID
<data>...
Options:
- -d <dir> - Directory containing CSV files (default: ./)
- -o <file> - Output JSON file (default: platform_list.json)
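A pre-flight check for the CSV rows described above, as an added example (not code from pccsadmin or Intel's tools): it validates every column as hex before the files are handed to collect. The Platform type, ParsePlatforms, the byte widths (taken from Intel's PCS API description, not from this README) and the absence of a header row are assumptions; the sample row is constructed.

```go
package main

import (
	"encoding/csv"
	"encoding/hex"
	"fmt"
	"strings"
)

// Platform holds one row, in the column order given in this README.
type Platform struct{ EncPPID, PCEID, CPUSVN, PCESVN, QEID string }

// Column names from the README; byte widths are assumptions taken from Intel's
// PCS API description (0 = any non-empty hex string).
var names = []string{"EncryptedPPID", "PCE_ID", "CPUSVN", "PCE_ISVSVN", "QE_ID"}
var widths = []int{384, 2, 16, 2, 0}

// ParsePlatforms validates CSV text and returns one Platform per data row.
func ParsePlatforms(data string) ([]Platform, error) {
	r := csv.NewReader(strings.NewReader(data))
	r.FieldsPerRecord = -1 // count columns ourselves for a clearer error
	rows, err := r.ReadAll()
	if err != nil {
		return nil, err
	}
	var out []Platform
	for i, row := range rows {
		if len(row) < len(names) {
			return nil, fmt.Errorf("row %d: want %d columns, got %d", i+1, len(names), len(row))
		}
		for j, name := range names {
			row[j] = strings.ToUpper(strings.TrimSpace(row[j]))
			b, err := hex.DecodeString(row[j])
			if err != nil || len(b) == 0 || (widths[j] != 0 && len(b) != widths[j]) {
				return nil, fmt.Errorf("row %d: %s is not valid hex of the expected size", i+1, name)
			}
		}
		out = append(out, Platform{row[0], row[1], row[2], row[3], row[4]})
	}
	return out, nil
}

func main() {
	// Constructed sample row, not real platform data.
	row := strings.Repeat("AB", 384) + ",0000," + strings.Repeat("0F", 16) + ",0D00," + strings.Repeat("C1", 16)
	p, err := ParsePlatforms(row + "\n")
	fmt.Println(len(p), "platform(s) parsed, error:", err)
}
```

Rejecting a malformed row here keeps a truncated or hand-edited CSV from turning into a platform list that is later sent to Intel PCS and uploaded to PCCS.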
refresh - Refresh PCCS Cache
Request PCCS to refresh certificates or collateral in its cache.
# Refresh quote verification collateral
pccsadmin refresh
# Refresh all cached certificates
pccsadmin refresh -f all
# Refresh specific FMSPCs
pccsadmin refresh -f 00906EA10000,00906ED50000
Options:
- -u <url> - PCCS refresh API URL (default: https://localhost:8081/sgx/certification/v4/refresh)
- -f <fmspc> - FMSPC values: empty (default), all, or comma-separated list
- -t <token> - Admin token (or set PCCS_ADMIN_TOKEN env var)
- -k - Skip TLS certificate verification
Environment Variables
- INTEL_API_KEY - Intel PCS API subscription key
- PCCS_ADMIN_TOKEN - PCCS admin authentication token
Workflow Examples
Setup PCCS in OFFLINE Mode
- Collect platform data from machines:
  # Run Intel's PCK ID Retrieval Tool on each SGX machine to get CSV files
  # Copy all CSV files to a directory
- Collect CSV data into JSON:
  pccsadmin collect -d ./platform_csvs -o platforms.json
- Fetch collateral from Intel PCS:
  pccsadmin fetch -i platforms.json -o collateral.json -k YOUR_API_KEY
- Upload collateral to PCCS:
  pccsadmin put -u https://pccs-server:8081/sgx/certification/v4/platformcollateral \
  -i collateral.json -t YOUR_ADMIN_TOKEN
Refresh PCCS Cache
# Refresh all collateral
pccsadmin refresh -u https://pccs-server:8081/sgx/certification/v4/refresh \
-t YOUR_ADMIN_TOKEN
# Refresh specific platforms
pccsadmin refresh -f 00906EA10000 -t YOUR_ADMIN_TOKEN
Differences from Intel's Python Tool
This Go implementation provides the core functionality of Intel's PccsAdminTool with some differences:
Implemented:
- get - Full support for fetching platforms from PCCS
- put - Full support for uploading collateral and policies
- collect - Full support for collecting CSV data
- refresh - Full support for triggering cache refresh
- fetch - Basic CRL fetch support
Simplified:
- fetch command - Simplified implementation for CRL-only fetching
- Full platform collateral fetch requires complex PCS interactions
- Use Intel's original tool or manually construct collateral for complete fetch
Advantages:
- Single binary - No Python dependencies
- Cross-platform - Works on Windows, Linux, macOS
- Easy installation - go install or run directly with go run
- Lightweight - No virtual environments or package managers needed
License
This tool is part of the intel-dcapd project. See LICENSE for details.
Related Tools
- Intel SGX DCAP - Official Intel DCAP software
- intel-dcapd - Go PCCS replacement