Intel Tiber

Hosted TDX appraisal projected into the cross-vendor AttestationResult shape.

- STATUS: Shipped
- CRATE: tenzro-tee
- FEATURE: intel-tiber (implies intel-tdx)
- ALGS: PS384, RS256
When to use Tiber
Native TDX attestation requires the verifier to fetch and chain-validate Intel PCS certificates and re-verify the QE ECDSA signature. That path is shipped (see the intel-tdx feature). Tiber is the hosted alternative: Intel runs the verifier, returns a signed appraisal as a JWT, and your relying party only needs to trust the Tiber JWKS. Use Tiber when you don't want to ship the PCS chain yourself, or when you want a vendor-attested appraisal alongside your own.
Three-step round trip

```text
# 1. Get a fresh nonce
GET https://api.trustauthority.intel.com/appraisal/v2/nonce
→ { "val": "<base64-nonce>" }

# 2. Submit the quote bound to the nonce
POST https://api.trustauthority.intel.com/appraisal/v2/attest
{ "quote": "<base64-quote>", "nonce": "<val>" }
→ { "token": "<JWT>" }

# 3. Verify the JWT against Tiber's JWKS (PS384 / RS256)
# → TiberClaims → AttestationResult
```

JWKS pinning
JWT verification reads the jku header (JSON Web Key Set URL). To defend against an open-redirect on the passive verifier, TiberJwksPin::AllowedHosts locks jku to an allow-list. The default allow-list contains only Intel-published hosts.
Claims projection
claims_to_attestation_result() projects verified TiberClaims into the cross-vendor AttestationResult shape. The fields surfaced are:
- tdx_mrtd, tdx_rtmr0..3, tdx_mrsignerseam, tdx_seamsvn
- attester_tcb_status: must be "OK" for valid = true
- dbgstat: must be "disabled" for valid = true
- attester_advisory_ids: surfaced for policy callers
details["verification_method"] = "intel_tiber" lets relying parties distinguish a Tiber appraisal from native PCS verification.
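The two checks above, jku host pinning and the claims projection, as an added std-only Rust sketch that is not the tenzro-tee crate's own code: the struct field layout, the jku_host_allowed helper and the allow-list entry are assumptions chosen for illustration, not the crate's types or its shipped default list.

```rust
use std::collections::BTreeMap;

/// Verified Tiber JWT claims (illustrative field layout, not the crate's type).
#[derive(Clone, Debug)]
pub struct TiberClaims {
    pub tdx_mrtd: String,
    pub tdx_rtmr: [String; 4],
    pub tdx_mrsignerseam: String,
    pub tdx_seamsvn: u32,
    pub attester_tcb_status: String,
    pub dbgstat: String,
    pub attester_advisory_ids: Vec<String>,
}

/// Cross-vendor result shape (illustrative).
#[derive(Debug, PartialEq)]
pub struct AttestationResult {
    pub valid: bool,
    pub measurements: BTreeMap<String, String>,
    pub details: BTreeMap<String, String>,
    pub advisory_ids: Vec<String>,
}

/// Accept a jku only if it is https and its host is on the allow-list.
/// Userinfo is refused so "https://good.host@other.host/" cannot slip past a host match.
pub fn jku_host_allowed(jku: &str, allowed_hosts: &[&str]) -> bool {
    let rest = match jku.strip_prefix("https://") { Some(r) => r, None => return false };
    let authority = rest.split(|c| c == '/' || c == '?' || c == '#').next().unwrap_or("");
    if authority.contains('@') { return false; }
    let host = authority.split(':').next().unwrap_or("");
    allowed_hosts.iter().any(|h| h.eq_ignore_ascii_case(host))
}

/// Project verified claims; `valid` follows the page's two rules (TCB "OK", debug "disabled").
pub fn claims_to_attestation_result(c: &TiberClaims) -> AttestationResult {
    let mut measurements = BTreeMap::new();
    measurements.insert("tdx_mrtd".to_string(), c.tdx_mrtd.clone());
    for (i, r) in c.tdx_rtmr.iter().enumerate() {
        measurements.insert(format!("tdx_rtmr{}", i), r.clone());
    }
    measurements.insert("tdx_mrsignerseam".to_string(), c.tdx_mrsignerseam.clone());
    measurements.insert("tdx_seamsvn".to_string(), c.tdx_seamsvn.to_string());
    let mut details = BTreeMap::new();
    details.insert("verification_method".to_string(), "intel_tiber".to_string());
    details.insert("attester_tcb_status".to_string(), c.attester_tcb_status.clone());
    details.insert("dbgstat".to_string(), c.dbgstat.clone());
    let valid = c.attester_tcb_status == "OK" && c.dbgstat == "disabled";
    AttestationResult { valid, measurements, details, advisory_ids: c.attester_advisory_ids.clone() }
}
```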
Cross-binding to ZK
bind_external_attestation_result in tenzro-zk performs cross-binding of an externally verified AttestationResult (e.g. one produced by IntelTiberClient::verify_quote) to a TeeZkProof. The check verifies vendor parity and at least one measurement match. This keeps tenzro-zk decoupled from any HTTP-bearing TEE adapter.