Konubinix' opinionated web of thoughts

Flexible Launch Control


An update on 3rd Party Attestation

What is Flexible Launch Control?

The Intel SGX DCAP primitives require a new feature called Flexible Launch Control, which allows the platform owner, versus Intel, to control which enclaves are launched. This includes which enclaves are granted access to the Platform Provisioning Identifier (PPID) used with the Certificate Retrieval Service.  The enclave requesting access to the PPID can be signed by the attestation service provider. One of the purposes of the Launch Enclave is to prevent abuse of the PPID in privacy sensitive environments.

Building an attestation service requires integration with the operating system, and we are working with the Linux Kernel community to get this up-streamed as soon as possible.  Note that you are not required to build your own Quoting Enclave.


Notes linking here