feat: add platform-specific implementations for quote verification

- Introduced conditional compilation for Intel SGX/TDX quote verification based on target OS and architecture.
- Moved Intel-specific logic to a separate module and added a fallback for unsupported platforms.

This is done, so we can pull in the `teepot` crate even on `linux-x86_64`
without the Intel SGX SDK lib dependency.

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>

crates/teepot/Cargo.toml

@@ -10,15 +10,15 @@ edition.workspace = true
 authors.workspace = true
 repository.workspace = true
 
-[target.'cfg(all(target_os = "linux", target_arch = "x86_64"))'.dependencies]
-tdx-attest-rs = { version = "0.1.2", git = "https://github.com/intel/SGXDataCenterAttestationPrimitives.git", rev = "aa239d25a437a28f3f4de92c38f5b6809faac842" }
-teepot-tee-quote-verification-rs = { path = "../teepot-tee-quote-verification-rs" }
-
 [target.'cfg(not(all(target_os = "linux", target_arch = "x86_64")))'.dependencies]
 dcap-qvl = "0.2.3"
 chrono = "0.4.40"
 bytes.workspace = true
 
+[features]
+default = ["quote_op"]
+quote_op = ["dep:teepot-tee-quote-verification-rs"]
+
 [dependencies]
 anyhow.workspace = true
 asn1_der.workspace = true
@@ -49,6 +49,7 @@ serde_json.workspace = true
 sha2.workspace = true
 sha3.workspace = true
 signature.workspace = true
+teepot-tee-quote-verification-rs = { path = "../teepot-tee-quote-verification-rs", optional = true }
 thiserror.workspace = true
 tokio.workspace = true
 tracing.workspace = true

crates/teepot/src/lib.rs

@@ -9,6 +9,7 @@
 pub mod config;
 pub mod ethereum;
 pub mod log;
+#[cfg(feature = "quote_op")]
 pub mod pki;
 pub mod prover;
 pub mod quote;

crates/teepot/src/quote/error.rs

@@ -4,8 +4,8 @@
 //! Quote Error type
 
 use std::io;
-#[cfg(all(target_os = "linux", target_arch = "x86_64"))]
-use tdx_attest_rs::tdx_attest_error_t;
+#[cfg(all(feature = "quote_op", target_os = "linux", target_arch = "x86_64"))]
+use teepot_tee_quote_verification_rs::tdx_attest_rs::tdx_attest_error_t;
 use thiserror::Error;
 
 /// Quote parsing error
@@ -22,7 +22,7 @@ pub enum QuoteError {
     InvalidTeeType,
     #[error("unsupported body type")]
     UnsupportedBodyType,
-    #[cfg(all(target_os = "linux", target_arch = "x86_64"))]
+    #[cfg(all(feature = "quote_op", target_os = "linux", target_arch = "x86_64"))]
     #[error("tdx_att_get_quote error {msg}: {inner:?}")]
     TdxAttGetQuote {
         inner: tdx_attest_error_t,
@@ -58,7 +58,7 @@ pub enum QuoteError {
     CrlUnsupportedFormat(String),
 }
 
-#[cfg(all(target_os = "linux", target_arch = "x86_64"))]
+#[cfg(all(feature = "quote_op", target_os = "linux", target_arch = "x86_64"))]
 impl From<tdx_attest_error_t> for QuoteError {
     fn from(code: tdx_attest_error_t) -> Self {
         Self::TdxAttGetQuote {
@@ -108,7 +108,7 @@ impl<T, E: std::fmt::Display> QuoteContextErr for Result<T, E> {
     }
 }
 
-#[cfg(all(target_os = "linux", target_arch = "x86_64"))]
+#[cfg(all(feature = "quote_op", target_os = "linux", target_arch = "x86_64"))]
 impl<T> QuoteContext for Result<T, tdx_attest_error_t> {
     type Ok = T;
     fn context<I: Into<String>>(self, msg: I) -> Result<T, QuoteError> {

crates/teepot/src/quote/intel.rs

@@ -11,9 +11,9 @@ use crate::{
 };
 use bytemuck::cast_slice;
 use std::{ffi::CStr, mem, mem::MaybeUninit, pin::Pin};
-use tdx_attest_rs::{tdx_att_get_quote, tdx_attest_error_t, tdx_report_data_t};
 use teepot_tee_quote_verification_rs::{
     quote3_error_t as _quote3_error_t, sgx_ql_qv_result_t, sgx_ql_qv_supplemental_t,
+    tdx_attest_rs::{tdx_att_get_quote, tdx_attest_error_t, tdx_report_data_t},
     tee_get_supplemental_data_version_and_size, tee_qv_get_collateral, tee_supp_data_descriptor_t,
     tee_verify_quote, Collateral as IntelCollateral,
 };

crates/teepot/src/quote/mod.rs

@@ -6,6 +6,7 @@
 
 //! Get a quote from a TEE
 
+#[cfg(feature = "quote_op")]
 pub mod attestation;
 pub mod error;
 pub mod tcblevel;
@@ -15,6 +16,7 @@ pub mod tcblevel;
     not(all(target_os = "linux", target_arch = "x86_64")),
     path = "phala.rs"
 )]
+#[cfg(feature = "quote_op")]
 mod os;
 mod utils;
 
@@ -644,6 +646,7 @@ impl FromStr for TEEType {
 }
 
 /// Get the attestation quote from a TEE
+#[cfg(feature = "quote_op")]
 pub fn get_quote(report_data: &[u8]) -> Result<(TEEType, Box<[u8]>), QuoteError> {
     os::get_quote(report_data)
 }
@@ -690,11 +693,13 @@ pub struct Collateral {
 }
 
 /// Get the collateral data from an SGX or TDX quote
+#[cfg(feature = "quote_op")]
 pub fn get_collateral(quote: &[u8]) -> Result<Collateral, QuoteError> {
     os::get_collateral(quote)
 }
 
 /// Verifies a quote with optional collateral material
+#[cfg(feature = "quote_op")]
 pub fn verify_quote_with_collateral(
     quote: &[u8],
     collateral: Option<&Collateral>,

crates/teepot/src/tdx/mod.rs

@@ -3,7 +3,7 @@
 
 //! Intel TDX helper functions.
 
-#[cfg(all(target_os = "linux", target_arch = "x86_64"))]
+#[cfg(all(feature = "quote_op", target_os = "linux", target_arch = "x86_64"))]
 pub mod rtmr;
 
 /// The sha384 digest of 0u32, which is used in the UEFI TPM protocol

crates/teepot/src/tdx/rtmr.rs

@@ -4,6 +4,7 @@
 //! rtmr event data
 
 use crate::sgx::QuoteError;
+use teepot_tee_quote_verification_rs::tdx_attest_rs::{tdx_att_extend, tdx_attest_error_t};
 
 /// The actual rtmr event data handled in DCAP
 #[repr(C, packed)]
@@ -59,8 +60,8 @@ impl TdxRtmrEvent {
     pub fn extend(self) -> Result<(), QuoteError> {
         let event: Vec<u8> = self.into();
 
-        match tdx_attest_rs::tdx_att_extend(&event) {
-            tdx_attest_rs::tdx_attest_error_t::TDX_ATTEST_SUCCESS => Ok(()),
+        match tdx_att_extend(&event) {
+            tdx_attest_error_t::TDX_ATTEST_SUCCESS => Ok(()),
             error_code => Err(error_code.into()),
         }
     }

crates/teepot/tests/sgx_quote_verification.rs

@@ -1,6 +1,7 @@
 // SPDX-License-Identifier: Apache-2.0
 // Copyright (c) 2024-2025 Matter Labs
 
+#[cfg(feature = "quote_op")]
 mod sgx {
     use anyhow::{Context, Result};
     use std::time::{Duration, UNIX_EPOCH};