• Home
  • Explore

Attestation - SGX 101

sgx101.gitbook.io/sgx101/sgx-bootstrap/attestation

1 Users

0 Comments

13 Highlights

1 Notes

Tags

Top Highlights

  • It receives REPORTs from other enclaves, verifies them and signs them with the attestation key before returning the result, also known as a QUOTE, to the application.

  • The successful result of local attestation provides an authenticated assertion between two enclaves running on the same platform that they can trust each other and exchange information safely, while remote attestation provides this kind of verification for the ISV client to the server so that ISV server can confidently provides the client with the secrets it requested.

  • Most of the keys provided by enclave’s trusted interface base their derivation on platform’s RSK so that no other parties can known the keys.

  • The “Enclave Identity”, which is a 256-bit hash digest of the log, is stored as MRENCLAVE as the enclave’s software TCB. In order to verify the software TCB, one should first securely obtain the enclave’s software TCB, then securely obtain the expected enclave’s software TCB and compare those two values.

  • because the REPORT KEY is specific to the platform.

  • EGETKEY produces symmetric keys for different purposes depending on invoking enclave attributes and the requested key type.

  • Quoting Enclave uses a platform unique asymmetric attestation key.

  • The symmetric key system is used in local attestation with only the quoting enclave and the EREPORT instruction having access to the authentication key. Asymmetric key system is used for creating an attestation that can be verified from other platforms. The attestation key itself is asymmetric (EPID keys).

  • Provisioning is the process by which an SGX device demonstrates to Intel its authenticity as well as its CPU SVN and other system components attributes, in order to receive an appropriate attestation key reflecting its SGX genuinely and TCB version.

  • Normally, provisioning is done during platform initial setup phase

  • In this process PvE demonstrates that is has a key that Intel put in a real SGX processor and in return, is provisioned with a unique platform attestation for future remote attestations.

  • IPS’s

  • that binds MRENCLAVE to the target enclave’s REPORT KEY.

Ready to highlight and find good content?

Glasp is a social web highlighter that people can highlight and organize quotes and thoughts from the web, and access other like-minded people’s learning.

AboutPrivacyTerms

© 2023 Glasp Inc. All rights reserved.