
SGX remote attestation procedure (variations: with and without the participation of the remote Intel service), the explanation / logic of the work step by step.

zenbooster

1 Answer


Sadly, remote attestation is not possible without the Intel Attestation Service, which I'll call IAS from now on. Also, the party that wants to verify a quote needs to be registered as a service provider (short: SP) with the IAS. I'll now start with a high-level overview of the typical remote attestation procedure:

  1. The enclave connects to the SP and sends its attestation group id.
  2. The SP fetches a list of revoked clients, also known as the SigRL, from the IAS and sends it to the client.
  3. The client creates a quote using the SigRL.
  4. The SP forwards the quote to the IAS, which responds whether the quote is valid.

On a lower level, the client will have to establish communication between the quoting enclave (short: QE), which is provided by Intel, and the enclave that wants to remotely attest something, which is usually done using the AESM service (which is part of the platform software).

Also, the quoting mechanism allows you to remotely attest some data, which you should use since it makes the remote attestation a proof that this particular data was generated in an enclave, which enables trusted protocols. There is an extensive example which does a key exchange on Intel's Devzone.

VincBreaker
  • Thanks, now this topic has become a bit clearer. – zenbooster Mar 24 '19 at 21:03
  • Actually, it's possible for Intel SGX2 to perform remote attestation without IAS: "ECDSA-based attestation allows providers to build and deliver their own attestation service instead of using the remote attestation service provided by Intel" https://software.intel.com/en-us/sgx/attestation-services – proslaniec Dec 10 '19 at 08:56
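The four-step IAS flow from the answer above, as an added simulated walk-through that is not code from the answer or from Intel's SDK: the IAS and the quoting enclave are replaced by in-process stand-ins, an HMAC stands in for the EPID group signature, and the quote layout, group id, SigRL and keys are all constructed for illustration. It also shows the service-provider-side check the last paragraph relies on: the data hashed into the quote's REPORT_DATA must match what the SP actually received, otherwise a valid quote proves nothing about that data.

```python
import hashlib
import hmac
import json

GID = b"\x00\x00\x0b\xb0"  # constructed, hypothetical EPID group id shared by all parties

# --- Stand-in for the IAS: per-group signing key and signature revocation list (SigRL).
_IAS_GROUP_KEY = {GID: b"constructed-group-key-32-bytes!!"}  # constructed secret, IAS/QE only
_IAS_SIGRL = {GID: b"constructed-sigrl-v1"}

def ias_get_sigrl(gid):
    """Step 2: the SP fetches the SigRL for the client's group from the IAS."""
    return _IAS_SIGRL[gid]

def ias_verify_quote(quote):
    """Step 4: the IAS checks the group signature (an HMAC stands in for EPID here)
    and that the quote was produced against the current SigRL."""
    body = json.dumps(quote["body"], sort_keys=True).encode()
    mac = hmac.new(_IAS_GROUP_KEY[quote["gid"]], body, "sha256").digest()
    if not hmac.compare_digest(mac, quote["sig"]):
        return "SIGNATURE_INVALID"
    if quote["body"]["sigrl"] != _IAS_SIGRL[quote["gid"]].hex():
        return "SIGRL_VERSION_MISMATCH"
    return "OK"

def client_create_quote(sigrl, user_data):
    """Step 3: hash the data to attest (e.g. a DH public key) into the 64-byte REPORT_DATA."""
    report = {
        "mrenclave": hashlib.sha256(b"constructed enclave image").hexdigest(),
        "report_data": hashlib.sha256(user_data).digest().ljust(64, b"\0").hex(),
        "sigrl": sigrl.hex(),
    }
    body = json.dumps(report, sort_keys=True).encode()
    # The QE stand-in signs the report on behalf of the group.
    return {"gid": GID, "body": report, "sig": hmac.new(_IAS_GROUP_KEY[GID], body, "sha256").digest()}

def sp_attest(gid, quote, received_data):
    """SP side: accept only if the IAS validates the quote AND its REPORT_DATA
    matches the data the SP actually received alongside it (the binding check)."""
    if quote["gid"] != gid or ias_verify_quote(quote) != "OK":
        return False
    expected = hashlib.sha256(received_data).digest().ljust(64, b"\0").hex()
    return hmac.compare_digest(quote["body"]["report_data"], expected)

def run_flow(tampered_data=None):
    gid = GID                                       # step 1: client sends its GID to the SP
    sigrl = ias_get_sigrl(gid)                      # step 2: SP -> IAS, SigRL relayed to client
    pubkey = b"constructed client DH public key"    # data the enclave wants attested
    quote = client_create_quote(sigrl, pubkey)      # step 3: client builds the quote
    return sp_attest(gid, quote, tampered_data or pubkey)  # step 4 + binding check
```

Passing `tampered_data` models a man-in-the-middle swapping the public key in transit: the IAS still says "OK", and only the REPORT_DATA comparison on the SP side catches it.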