Konubinix' opinionated web of thoughts

Architectural Enclaves

Fleeting

architectural enclaves

What are architectural enclaves?

Bringing up a working SGX environment on a platform involves several Intel-provided Architectural Enclaves (AEs), each holding a key that no other enclave can derive:

  • Launch Enclave (LE)

    The Launch Enclave issues an EINITTOKEN to other enclaves that want to launch on the platform. It decides whether the requesting enclave is acceptable by examining the enclave's signature and identity, then generates the EINITTOKEN with the Launch Key, which only the Launch Enclave can derive. EINIT later checks the token's MAC against the same key, so a token issued for one enclave identity cannot be reused to launch another.

  • Provisioning Enclave (PvE)

    The Provisioning Enclave retrieves the Attestation Key from the Intel Provisioning Service, using the certificate provided by the Provisioning Certificate Enclave to prove that the request comes from a genuine platform.

  • Provisioning Certificate Enclave (PcE)

    The Provisioning Certificate Enclave signs the processor certificate requested by the Provisioning Enclave. It signs it with the Provisioning Key, which only the Provisioning Certificate Enclave can derive.

  • Quoting Enclave (QE)

    The Quoting Enclave vouches for an enclave's identity and execution environment during the remote attestation process. Using the Attestation Key obtained by the Provisioning Enclave, it turns a REPORT (verifiable only on the same platform, by the enclave it targets) into a QUOTE (verifiable by a remote party).

  • Platform Service Enclaves (PSE)

    The Platform Service Enclaves offer other enclaves trusted services such as monotonic counters and trusted time, backed by the Management Engine (ME).

https://sgx101.gitbook.io/sgx101/sgx-bootstrap/enclave/interaction-between-pse-and-application-enclaves
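Added example (not from the SGX101 page or Intel's SDK): a toy model of the bootstrap described above, showing why each step only works for the enclave that owns the key. Keys are derived from a constructed platform secret plus the owning enclave's identity (standing in for EGETKEY); the Launch Key scopes to LE, the Report Key scopes to the report's target (here QE), and an HMAC key stands in for the EPID/ECDSA Attestation Key that PvE delivers to QE. Enclave names, measurements, the signer whitelist and all key values are constructed for illustration; real SGX key derivation and token/report layouts differ.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the CPU's fused root secret; not a real SGX value.
PLATFORM_ROOT_KEY = hashlib.sha256(b"constructed platform root secret").digest()


@dataclass(frozen=True)
class Enclave:
    name: str
    mrenclave: bytes  # measurement of the enclave contents
    mrsigner: bytes   # hash of the public key that signed the enclave


def identity(e: Enclave) -> bytes:
    return e.mrenclave + e.mrsigner


def egetkey(key_name: bytes, owner: Enclave) -> bytes:
    """Toy EGETKEY: a key is derived from the platform secret and the identity
    of the enclave entitled to it, so any other enclave obtains a different key
    and can neither forge nor verify the owner's MACs."""
    return hmac.new(PLATFORM_ROOT_KEY, key_name + identity(owner), hashlib.sha256).digest()


def h(s: str) -> bytes:
    return hashlib.sha256(s.encode()).digest()


# Constructed enclave identities.
INTEL_SIGNER = h("Intel signing key")
LE = Enclave("LE", h("launch enclave code"), INTEL_SIGNER)
QE = Enclave("QE", h("quoting enclave code"), INTEL_SIGNER)
APP = Enclave("APP", h("application enclave code"), h("ISV signing key"))
ROGUE = Enclave("ROGUE", h("rogue enclave code"), h("unknown signing key"))

LE_ALLOWED_SIGNERS = {INTEL_SIGNER, APP.mrsigner}  # constructed launch policy

# Key PvE fetched from the provisioning service and handed to QE. HMAC stands in
# for the real asymmetric attestation signature; the verifier holds the check key.
ATTESTATION_KEY = h("constructed attestation key delivered by PvE")


# --- Launch Enclave: EINITTOKEN ------------------------------------------------
def le_issue_einittoken(requester: Enclave) -> Optional[bytes]:
    """LE checks the requester's signer, then MACs its identity under the
    Launch Key, which only LE (and the CPU inside EINIT) can derive."""
    if requester.mrsigner not in LE_ALLOWED_SIGNERS:
        return None
    launch_key = egetkey(b"LAUNCH", LE)
    return hmac.new(launch_key, identity(requester), hashlib.sha256).digest()


def einit(enclave: Enclave, token: Optional[bytes]) -> bool:
    """CPU-side EINIT: recompute the token for *this* enclave and compare."""
    if token is None:
        return False
    expected = hmac.new(egetkey(b"LAUNCH", LE), identity(enclave), hashlib.sha256).digest()
    return hmac.compare_digest(expected, token)


# --- Local attestation: EREPORT --------------------------------------------------
def ereport(reporter: Enclave, target: Enclave, report_data: bytes) -> dict:
    """CPU-side EREPORT: the REPORT is MACed with the *target's* Report Key,
    so only the named target enclave on this platform can check it."""
    body = identity(reporter) + report_data
    mac = hmac.new(egetkey(b"REPORT", target), body, hashlib.sha256).digest()
    return {"reporter": reporter, "body": body, "mac": mac}


def verify_report(me: Enclave, report: dict) -> bool:
    """Any enclave may try; only the target's derived Report Key matches."""
    expected = hmac.new(egetkey(b"REPORT", me), report["body"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, report["mac"])


# --- Quoting Enclave: REPORT -> QUOTE --------------------------------------------
def qe_make_quote(report: dict) -> Optional[dict]:
    """QE verifies the REPORT with its own Report Key and, only if it checks
    out, signs the body with the Attestation Key to produce a QUOTE."""
    if not verify_report(QE, report):
        return None
    sig = hmac.new(ATTESTATION_KEY, report["body"], hashlib.sha256).digest()
    return {"body": report["body"], "signature": sig}


def remote_verify(quote: dict, attestation_check_key: bytes) -> bool:
    """Relying-party check: needs the attestation check key, no platform secret."""
    expected = hmac.new(attestation_check_key, quote["body"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, quote["signature"])


def demo() -> dict:
    """Run the bootstrap once and return what each party observes."""
    token = le_issue_einittoken(APP)
    report = ereport(APP, QE, b"constructed report data, e.g. hash of app pubkey")
    quote = qe_make_quote(report)
    return {
        "app_launched": einit(APP, token),
        "rogue_launched": einit(ROGUE, le_issue_einittoken(ROGUE)),
        "app_token_reused_by_rogue": einit(ROGUE, token),
        "app_can_check_own_report": verify_report(APP, report),
        "qe_can_check_report": verify_report(QE, report),
        "quote_valid": quote is not None and remote_verify(quote, ATTESTATION_KEY),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point the run makes: the token LE issued for APP launches APP but not ROGUE, ROGUE gets no token at all, APP cannot verify a REPORT targeted at QE even though it produced it, QE can, and only after that check does a remotely verifiable QUOTE exist. Altering the REPORT body in transit makes QE refuse to quote it.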

Notes pointing here