one should first securely obtain the enclave’s software TCB, then securely
obtain the expected enclave’s software TCB and compare those two values
REPORT contains the following data:
Measurement of the code and data in the enclave.
A hash of the public key in the ISV certificate presented at enclave initialization time.
User data.
Other security related state information (not described here).
A signature block over the above data, which can be verified by the same platform that produced the report.
An enclave’s certificate is called SIGSTRUCT and is a mandatory supplement for launching any enclave.
Intel is considered the primary enclave launch authority; however, other entities
can be trusted by the platform owner to authorize the launching of enclaves. The
respected launch authority is specified by its public key hash, signed by Intel
and stored on the platform.
When an SGX enabled ISV client requests secrets from its ISV server (a password
management service, for example), the client has to prove to the server that the
client application is running on a trusted platform that can process the secrets
securely. Both of these conditions require proof of a secured execution
environment, and Intel SGX refers to this proving process as attestation.
cryptographic log of all the build activities, including:
Content: code, data, stack, heap
Location of each page within the enclave
Security flags being used
EGETKEY instruction to get derivatives of device keys. EGETKEY produces symmetric keys for different purposes depending on invoking enclave attributes and the requested key type
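To make the "depending on invoking enclave attributes and the requested key type" part concrete, here is an added Python model of the EGETKEY selection rules. It is not code from the page, the SGX SDK or the CPU; the real derivation function and the device root key live in hardware and are not reproduced, so HMAC-SHA256 over the selected inputs stands in for them, CPUSVN is simplified to one integer, the root key and enclave identities are constructed, and only the SEAL and REPORT key types are modelled. What it does show is the behaviour a practitioner relies on: a seal key bound to MRENCLAVE changes when the enclave is rebuilt, one bound to MRSIGNER survives the rebuild, a debug build gets different keys, and an older build is refused keys for a newer ISV SVN while a newer build can still derive the old ones.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Model of the EGETKEY selection rules, added for illustration. The real
# derivation function and root key live inside the CPU and are not reproduced;
# assumption: HMAC-SHA256 over the selected inputs stands in for them.
KEYSELECT_REPORT, KEYSELECT_SEAL = 3, 4              # key_name values from sgx_key.h
KEYPOLICY_MRENCLAVE, KEYPOLICY_MRSIGNER = 0x1, 0x2   # key_policy bits
SGX_FLAGS_DEBUG = 0x2                                # attributes.flags bit
DEVICE_ROOT_KEY = b"constructed-root-key-never-leaves-the-cpu"  # made up

@dataclass(frozen=True)
class EnclaveIdentity:
    """What the CPU knows about the calling enclave (from its SECS)."""
    mr_enclave: bytes
    mr_signer: bytes
    isv_prod_id: int
    isv_svn: int
    flags: int
    cpu_svn: int   # simplified to one integer; the real CPUSVN is 16 bytes

@dataclass(frozen=True)
class KeyRequest:
    key_name: int
    key_policy: int
    isv_svn: int
    cpu_svn: int
    attribute_mask: int
    key_id: bytes

class KeyRequestError(Exception):
    pass

def egetkey(enclave: EnclaveIdentity, req: KeyRequest) -> bytes:
    """Derive the requested key, or refuse as the instruction would."""
    # Rule 1: keys are only handed out at or below the caller's own security
    # versions: an old build cannot derive a newer key, while a newer build
    # can still derive old keys to migrate data sealed before an upgrade.
    if req.isv_svn > enclave.isv_svn:
        raise KeyRequestError("requested ISV SVN above the enclave's own")
    if req.cpu_svn > enclave.cpu_svn:
        raise KeyRequestError("requested CPU SVN above the platform's own")
    parts = [bytes([req.key_name]), req.isv_svn.to_bytes(2, "little"),
             req.cpu_svn.to_bytes(2, "little"), req.key_id,
             (enclave.flags & req.attribute_mask).to_bytes(8, "little")]
    if req.key_name == KEYSELECT_SEAL:
        # Rule 2: key_policy chooses which identity the seal key is bound to.
        if not req.key_policy & (KEYPOLICY_MRENCLAVE | KEYPOLICY_MRSIGNER):
            raise KeyRequestError("seal key needs an MRENCLAVE or MRSIGNER policy")
        if req.key_policy & KEYPOLICY_MRENCLAVE:
            parts.append(enclave.mr_enclave)
        if req.key_policy & KEYPOLICY_MRSIGNER:
            parts += [enclave.mr_signer, enclave.isv_prod_id.to_bytes(2, "little")]
    elif req.key_name == KEYSELECT_REPORT:
        # Report key: bound to the enclave's own measurement, so only that
        # enclave on this platform can recompute the MAC over a REPORT.
        parts.append(enclave.mr_enclave)
    else:
        raise KeyRequestError("key type not modelled here")
    return hmac.new(DEVICE_ROOT_KEY, b"".join(parts), hashlib.sha256).digest()

def seal_request(policy: int, isv_svn: int, cpu_svn: int = 3) -> KeyRequest:
    return KeyRequest(KEYSELECT_SEAL, policy, isv_svn, cpu_svn, 0xFFFFFFFFFFFFFFFF, b"\x00" * 32)

def demo() -> dict:
    """Exercise the rules with two builds of one enclave (constructed identities)."""
    signer = hashlib.sha256(b"isv signing key").digest()
    v1 = EnclaveIdentity(hashlib.sha256(b"build 1").digest(), signer, 7, 1, 0x5, 3)
    v2 = EnclaveIdentity(hashlib.sha256(b"build 2").digest(), signer, 7, 2, 0x5, 3)
    debug = EnclaveIdentity(v1.mr_enclave, signer, 7, 1, 0x5 | SGX_FLAGS_DEBUG, 3)
    out = {
        # rebuilding changes MRENCLAVE-bound keys but not MRSIGNER-bound ones
        "mrenclave_key_changes_on_rebuild": egetkey(v1, seal_request(KEYPOLICY_MRENCLAVE, 1))
        != egetkey(v2, seal_request(KEYPOLICY_MRENCLAVE, 1)),
        "mrsigner_key_survives_rebuild": egetkey(v1, seal_request(KEYPOLICY_MRSIGNER, 1))
        == egetkey(v2, seal_request(KEYPOLICY_MRSIGNER, 1)),
        # a debug build of the same code gets different keys
        "debug_build_gets_other_key": egetkey(v1, seal_request(KEYPOLICY_MRENCLAVE, 1))
        != egetkey(debug, seal_request(KEYPOLICY_MRENCLAVE, 1)),
    }
    try:
        egetkey(v1, seal_request(KEYPOLICY_MRSIGNER, 2))   # old build asks for v2's key
        out["old_build_blocked_from_new_key"] = False
    except KeyRequestError:
        out["old_build_blocked_from_new_key"] = True
    return out
```

The attribute mask is set to all ones in `seal_request` so that every attribute bit, including DEBUG, is folded into the key; that is the property a defender cares about, since data sealed by a production build must not be unsealable by a debug build whose memory is inspectable.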
Provisioning is the process by which an SGX device demonstrates to Intel its authenticity as well as its CPU SVN and other system component attributes, in order to receive an appropriate attestation key reflecting its SGX genuineness and TCB version.
dedicated online provisioning infrastructure. The SGX provisioning and remote attestation protocol follows a group signature scheme developed by Intel called Enhanced Privacy ID (EPID).
The protocol Intel SGX uses differs from the regular Sigma protocol in that the
Intel SGX platform uses Intel EPID to authenticate while the service provider
uses Public Key Infrastructure (in regular Sigma, both parties use PKI).
The attestation key is then used to compute two signatures of knowledge over the
platform’s identity signature MRENCLAVE. The first proves the identity signature
was signed with a key certified by Intel. The second is a non-revoked proof that
proves the key used for the identity signature does not create any of the
identity signatures listed in the challenged SigRL.
A final QUOTE is then generated and encrypted using IAS’s public key, which is
hardcoded in QE, and the result is sent back to the attesting enclave. The QUOTE
holds the identity of the attesting enclave, execution mode details (e.g. SVN
level) and additional data.
the ServiceProvider application itself. Similar to the client’s application, it
has its own message handler, VerificationManager, since it acts as the verifier
in the remote attestation process.
It has a WebService object to perform the verification phase with Intel
Attestation Service (IAS) using the QUOTE sent from the client enclave. In
short, a ServiceProvider also acts as a wrapper of all the IAS requests and
message processing, as well as any encryption key derivation, using WebService.
Relying parties are referred to as service providers and do not have to hold SGX
enabled hardware. Service providers are expected to register to the IAS and meet
a set of Intel defined requirements in order to submit attestation evidence for
IAS verification. This registration binds service providers’ Transport Layer
Security (TLS) certificate to a unique Service Provider ID (SPID), and permits
access to the IAS services. Some of these main IAS services are: verifying ISV
enclave Quotes, requesting updated attestation revocation lists and retrieving
the assertion information history associated with a Quote.
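The service provider’s side of the comparison described at the top of these notes (obtain the enclave’s software TCB from the QUOTE, compare it with the expected TCB) and of the IAS verification step just described, as an added Python example; it is not code from the page, the Intel SDK or IAS. It assumes the EPID quote layout from the SGX SDK headers as I read it (48-byte header, 384-byte report body, then the signature length and signature), a constructed convention for binding the session into report_data (SHA-256 of the verifier’s nonce and the enclave’s DH public key), and a placeholder signature. The EPID signature is verified by IAS, not by the service provider, so this code only applies policy to the report body once IAS has vouched for the quote: MRENCLAVE, MRSIGNER and product ID must match, the ISV SVN must not be below a minimum, the DEBUG attribute must be clear, and report_data must bind this session.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

# Offsets follow sgx_quote_t / sgx_report_body_t from the SGX SDK headers as I
# read them (assumption: EPID quote, 48-byte header + 384-byte report body).
# The EPID signature that follows the body is checked by IAS, never here.
QUOTE_HEADER_LEN, REPORT_BODY_LEN = 48, 384
QUOTE_BODY_LEN = QUOTE_HEADER_LEN + REPORT_BODY_LEN  # 432 bytes
SGX_FLAGS_INITTED, SGX_FLAGS_DEBUG, SGX_FLAGS_MODE64BIT = 0x1, 0x2, 0x4  # attributes.flags

@dataclass(frozen=True)
class ReportBody:
    cpu_svn: bytes
    flags: int          # attributes.flags (the DEBUG bit lives here)
    mr_enclave: bytes   # measurement of the enclave's code and data
    mr_signer: bytes    # hash of the ISV public key from SIGSTRUCT
    isv_prod_id: int
    isv_svn: int
    report_data: bytes  # 64 bytes of user data

@dataclass(frozen=True)
class Policy:
    """Expected software TCB, obtained out of band by the service provider."""
    mr_enclave: bytes
    mr_signer: bytes
    isv_prod_id: int
    min_isv_svn: int
    allow_debug: bool = False

def parse_report_body(body: bytes) -> ReportBody:
    if len(body) != REPORT_BODY_LEN:
        raise ValueError("report body must be %d bytes" % REPORT_BODY_LEN)
    flags, _xfrm = struct.unpack_from("<QQ", body, 48)   # attributes start at offset 48
    isv_prod_id, isv_svn = struct.unpack_from("<HH", body, 256)
    return ReportBody(body[0:16], flags, body[64:96], body[128:160],
                      isv_prod_id, isv_svn, body[320:384])

def parse_quote(quote: bytes):
    """Return (quote version, ReportBody, opaque EPID signature bytes)."""
    if len(quote) < QUOTE_BODY_LEN + 4:
        raise ValueError("quote too short")
    (version,) = struct.unpack_from("<H", quote, 0)
    body = parse_report_body(quote[QUOTE_HEADER_LEN:QUOTE_BODY_LEN])
    (sig_len,) = struct.unpack_from("<I", quote, QUOTE_BODY_LEN)
    signature = quote[QUOTE_BODY_LEN + 4:QUOTE_BODY_LEN + 4 + sig_len]
    if len(signature) != sig_len:
        raise ValueError("truncated signature")
    return version, body, signature

def expected_report_data(nonce: bytes, enclave_dh_pub: bytes) -> bytes:
    """Constructed convention: the enclave puts SHA-256(nonce || g^a) in report_data."""
    return hashlib.sha256(nonce + enclave_dh_pub).digest().ljust(64, b"\x00")

def check_report_body(body: ReportBody, policy: Policy, want_report_data: bytes) -> list:
    """Compare the obtained TCB with the expected one; return every mismatch found."""
    checks = [
        (not body.flags & SGX_FLAGS_INITTED, "enclave not initialised"),
        (bool(body.flags & SGX_FLAGS_DEBUG) and not policy.allow_debug,
         "debug enclave: memory is inspectable, release no secrets"),
        (not hmac.compare_digest(body.mr_enclave, policy.mr_enclave), "MRENCLAVE mismatch"),
        (not hmac.compare_digest(body.mr_signer, policy.mr_signer), "MRSIGNER mismatch"),
        (body.isv_prod_id != policy.isv_prod_id, "ISV product id mismatch"),
        (body.isv_svn < policy.min_isv_svn,
         "ISV SVN %d below minimum %d" % (body.isv_svn, policy.min_isv_svn)),
        (not hmac.compare_digest(body.report_data, want_report_data),
         "report_data does not bind this session's nonce and key"),
    ]
    return [msg for failed, msg in checks if failed]

def build_test_quote(mr_enclave, mr_signer, isv_prod_id, isv_svn, flags, report_data) -> bytes:
    """Constructed quote for offline testing; the signature is a placeholder."""
    body = bytearray(REPORT_BODY_LEN)
    body[0:16] = b"\x01" * 16                       # made-up CPUSVN
    struct.pack_into("<QQ", body, 48, flags, 0x7)   # attributes.flags, attributes.xfrm
    body[64:96], body[128:160] = mr_enclave, mr_signer
    struct.pack_into("<HH", body, 256, isv_prod_id, isv_svn)
    body[320:384] = report_data
    header = struct.pack("<HH4sHHI32s", 2, 1, b"\x00\x00\x00\x0b", 1, 1, 0, b"\x00" * 32)
    sig = b"\xee" * 16
    return header + bytes(body) + struct.pack("<I", len(sig)) + sig

def demo():
    """Verify one conforming quote and one from a debug build with an old SVN."""
    nonce, ga = b"constructed-nonce", b"\x42" * 64
    mre, mrs = hashlib.sha256(b"enclave.so").digest(), hashlib.sha256(b"isv-key").digest()
    policy = Policy(mre, mrs, isv_prod_id=7, min_isv_svn=3)
    rd = expected_report_data(nonce, ga)
    good = build_test_quote(mre, mrs, 7, 3, SGX_FLAGS_INITTED | SGX_FLAGS_MODE64BIT, rd)
    bad = build_test_quote(mre, mrs, 7, 2, SGX_FLAGS_INITTED | SGX_FLAGS_DEBUG, rd)
    return (check_report_body(parse_quote(good)[1], policy, rd),
            check_report_body(parse_quote(bad)[1], policy, rd))
```

Two design points worth noting: the comparisons use `hmac.compare_digest` so a mismatch does not leak which byte differed through timing, and the checker returns every failed check rather than stopping at the first, which is what you want in the service provider’s logs when deciding whether an attestation failure is a stale build, a debug build or a replayed quote.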