
Picture a cloud provider renting two VMs to a customer. Suppose the customer wants to check the two VMs are running on different physical computers, despite the cloud provider perhaps trying to trick the customer.

Both machines provide SGX and have an enabled TPM.

My first thought was to use remote attestation and compare the keys used, since each physical machine would have a unique Endorsement Key installed at the factory. However, the SGX documentation clearly states that remote attestation uses group keys for privacy, so the customer wouldn't be able to tell whether the two remote attestations were signed by different hardware.

Suppose I already established a secure enclave on each machine.

Would it be possible to read the EK public key (or its hash) from within the enclave, put that in the data section of the quote, and then send a remote attestation with that? Then the remote attestation would prove that the target machine ran the code as given, and since the code reads and returns the EK we'd have the EK too.

This related question suggests that just using the TPM doesn't work (indeed it doesn't), but leaves me wondering whether we may be able to use SGX to finish the job.

So my questions are:

1) Would the above actually work?

2) If yes, can you help me find convincing documentation that confirms this is possible?

3) If not, is there something else I can do?

2 Answers

2

First, let's not mix up the terms here. SGX remote attestation is not the same thing as TPM-based attestation (using the Quote command); so I'm not sure how you think the TPM's EK enters into it. But I don't know that much about SGX, so sticking with the TPM:

If you can obtain two quotes signed with two attestation keys for which you hold certificates signed by the TPM manufacturer, that alone proves that you're talking with two different machines. That is to say you can fake a TPM in software but you can't fake a certificate. If you don't have the AK certificate, you can take the public key from the EK certificate and make the TPM prove it has access to the corresponding private key, for example MakeCredential followed by ActivateCredential. TPM manufacturers do provide EK certificates, at least the ones I've looked at.

mnistic
0

You can potentially also use SGX's key derivation mechanism to check whether you are executing on the same host as long as you have some control over the used enclaves.

SGX's key derivation deterministically provides cryptographic keys to enclaves that are either bound to the enclave id or the signer id. That means that two enclaves that are signed with the same signer key can obtain the same key iff they're executed on the same platform (host).

Note: This of course only works if the key derivation is not influenced by virtualization, which, to the best of my knowledge, is the case, though I didn't test it.

fzgregor
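The following is an added example (not code from either answer or from Intel's SDK) that models the key-derivation check described in the second answer: two enclaves signed by the same signer derive the same platform-bound key only when they run on the same host, and the customer can compare the keys without either enclave revealing them by having both MAC a fresh nonce. The `Platform` and `Enclave` classes and the HMAC-based stand-in for `EGETKEY` are assumptions made for the illustration; real SGX derives keys inside the CPU from fused secrets and also mixes in fields such as ISVSVN, CPUSVN and KEYID, which the model omits.

```python
"""Model of the SGX key-derivation check from the answer above.

Added example, not the original post's code.  The KDF below stands in for
EGETKEY; 'Platform' and 'Enclave' are hypothetical names for this model.
"""
import hashlib
import hmac
import secrets


class Platform:
    """Stand-in for one physical host holding a root secret that never leaves it."""

    def __init__(self) -> None:
        # Constructed stand-in for the CPU's fused key material.
        self.root_secret = secrets.token_bytes(32)

    def egetkey_seal(self, mrsigner: bytes, mrenclave: bytes, bind_to_signer: bool) -> bytes:
        """Model of a SEAL key request: bound to MRSIGNER or to MRENCLAVE by policy."""
        policy = b"MRSIGNER" if bind_to_signer else b"MRENCLAVE"
        binding = mrsigner if bind_to_signer else mrenclave
        return hmac.new(self.root_secret, policy + binding, hashlib.sha256).digest()


class Enclave:
    """An enclave identified by its signer (MRSIGNER) and its code (MRENCLAVE)."""

    def __init__(self, platform: Platform, signer_id: bytes, code: bytes) -> None:
        self.platform = platform
        self.mrsigner = hashlib.sha256(signer_id).digest()
        self.mrenclave = hashlib.sha256(code).digest()

    def mac_nonce(self, nonce: bytes, bind_to_signer: bool = True) -> bytes:
        """Prove knowledge of the platform-bound key without exporting the key."""
        key = self.platform.egetkey_seal(self.mrsigner, self.mrenclave, bind_to_signer)
        return hmac.new(key, nonce, hashlib.sha256).digest()


def on_same_platform(a: Enclave, b: Enclave, bind_to_signer: bool = True) -> bool:
    """Customer-side check: a fresh nonce is MACed by both enclaves and the tags compared.

    Equal tags imply the enclaves derived the same key, i.e. same platform and
    same binding identity.  Different hosts or different signers yield different
    tags, so a single True answer does not help a provider fake co-location.
    """
    nonce = secrets.token_bytes(32)
    return hmac.compare_digest(a.mac_nonce(nonce, bind_to_signer), b.mac_nonce(nonce, bind_to_signer))


def demo() -> dict:
    """Run the three cases the answer implies and return the verdicts."""
    host1, host2 = Platform(), Platform()
    vendor_a, vendor_b = b"customer signing key", b"other signer"
    e1 = Enclave(host1, vendor_a, b"enclave image v1")
    e2 = Enclave(host1, vendor_a, b"enclave image v2")   # same signer, different code
    e3 = Enclave(host2, vendor_a, b"enclave image v1")   # same signer, other host
    e4 = Enclave(host1, vendor_b, b"enclave image v1")   # other signer, same host
    return {
        "same_signer_same_host": on_same_platform(e1, e2),
        "same_signer_other_host": on_same_platform(e1, e3),
        "other_signer_same_host": on_same_platform(e1, e4),
        # MRENCLAVE binding: different images never share a key, even on one host.
        "mrenclave_policy_same_host": on_same_platform(e1, e2, bind_to_signer=False),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

Only the MAC over the nonce leaves each enclave, so the check can be run over an attested channel after the enclaves have been established, which is the situation the question sets up. The caveat from the answer still applies: the verdict is only meaningful if the hypervisor cannot move the enclave to another physical CPU between the two MAC computations.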