How to prove that certain data is calculated(or generated) inside Enclave(Intel SGX)?

I tried to generate an asymmetric key pair inside an enclave (the private key might be invisible to the outside), and then expose the public key with evidence (I guess a quote or remote-attestation-related things).

I understand how remote attestation goes, but I cannot come up with how to apply remote attestation to verifying enclave-generated data.

Is this a possible scenario with Intel SGX?

송제호

1 Answer

You can prove the origin of the public key by placing it in the report_data field of a Quote generated during report attestation.

_quote_t.report_data can be used to attest arbitrary data:

The 64 byte data buffer is free form data and you can supply any information in that buffer that you would like to have identified as being in the possession and protection envelope of the enclave when the report/quote was generated. You can thus use this buffer to convey whatever information you would like to a verifying party. (Source)

The report_data field can be found by tracking the following structures:

sgx_key_exchange.h

typedef struct _ra_msg3_t {
    sgx_mac_t                mac;         /* mac_smk(g_a || ps_sec_prop || quote) */
    sgx_ec256_public_t       g_a;         /* client's ephemeral EC256 public key */
    sgx_ps_sec_prop_desc_t   ps_sec_prop;
    uint8_t                  quote[];     // <- Here! (an sgx_quote_t, variable length)
} sgx_ra_msg3_t;

sgx_quote.h

typedef struct _quote_t
{
    uint16_t            version;        /* byte offset 0   */
    uint16_t            sign_type;      /* 2   */
    sgx_epid_group_id_t epid_group_id;  /* 4   */
    sgx_isv_svn_t       qe_svn;         /* 8   */
    sgx_isv_svn_t       pce_svn;        /* 10  */
    uint32_t            xeid;           /* 12  */
    sgx_basename_t      basename;       /* 16  */
    sgx_report_body_t   report_body;    /* 48  <- Here! report_data is a field of the report body */
    uint32_t            signature_len;  /* 432 */
    uint8_t             signature[];    /* 436 */
} sgx_quote_t;

The Quote is part of Msg3 (client-to-server) of the remote attestation protocol. You can review the details of Msg3 creation in this official Code Sample and in the intel/sgx-ra-sample RA example.

In the latter, you can find out how the report is generated using sgx_create_report:

/* From the intel/sgx-ra-sample enclave; sgx_create_report is declared in sgx_utils.h */
sgx_status_t get_report(sgx_report_t *report, sgx_target_info_t *target_info)
{
#ifdef SGX_HW_SIM
    /* simulation mode: no target_info needed */
    return sgx_create_report(NULL, NULL, report);
#else
    /* second argument (report_data) is left NULL here */
    return sgx_create_report(target_info, NULL, report);
#endif
}

In both cases, the second argument (sgx_report_data_t *report_data) is NULL and can be replaced by a pointer to arbitrary input. This is where you want to put your public key or any other data.

proslaniec
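Worked example of the binding described in the answer, added here; it is not code from the answer or from the intel/sgx-ra-sample project. It assumes the SDK layouts that an EC256 public key is gx[32] || gy[32] (so it fits the 64-byte report_data without hashing) and that report_data sits at byte 368 of an EPID quote (report_body at offset 48, report_data at offset 320 inside it); the local struct mirrors and the HAVE_SGX_SDK guard are there so it compiles and runs without the SDK, and the sample key and quote are constructed, not real.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Sizes mirrored from the SDK headers (assumption: sgx_tcrypto.h / sgx_report.h):
 * an EC256 public key is gx[32] || gy[32] and report_data is 64 bytes, so an
 * uncompressed P-256 public key fits report_data exactly. */
#define ECP256_KEY_SIZE   32
#define REPORT_DATA_SIZE  64

/* Local mirrors of sgx_ec256_public_t / sgx_report_data_t (same layout) so this
 * file builds without the SDK; inside a real enclave use the SDK types. */
typedef struct { uint8_t gx[ECP256_KEY_SIZE]; uint8_t gy[ECP256_KEY_SIZE]; } ec256_public_t;
typedef struct { uint8_t d[REPORT_DATA_SIZE]; } report_data_t;

/* Assumed offsets from sgx_quote.h / sgx_report.h: report_body at byte 48 of
 * sgx_quote_t, report_data at byte 320 of sgx_report_body_t -> 368 in the quote. */
#define QUOTE_REPORT_DATA_OFFSET 368
#define QUOTE_MIN_LEN (QUOTE_REPORT_DATA_OFFSET + REPORT_DATA_SIZE)

/* Enclave side: commit the freshly generated public key into report_data. */
void bind_pubkey_to_report_data(const ec256_public_t *pub, report_data_t *rd)
{
    memcpy(rd->d, pub->gx, ECP256_KEY_SIZE);
    memcpy(rd->d + ECP256_KEY_SIZE, pub->gy, ECP256_KEY_SIZE);
}

#ifdef HAVE_SGX_SDK   /* hypothetical build flag: only compiled inside a real enclave */
#include <sgx_utils.h>
/* Same call as the RA sample's get_report(), but report_data now carries the key. */
sgx_status_t get_report_with_pubkey(const sgx_ec256_public_t *pub,
                                    const sgx_target_info_t *target_info,
                                    sgx_report_t *report)
{
    sgx_report_data_t rd;
    memset(&rd, 0, sizeof rd);
    bind_pubkey_to_report_data((const ec256_public_t *)pub, (report_data_t *)&rd);
    return sgx_create_report(target_info, &rd, report);
}
#endif

/* Verifier side: locate report_data in a raw quote; NULL if the buffer is too short. */
const uint8_t *quote_report_data(const uint8_t *quote, size_t quote_len)
{
    if (quote == NULL || quote_len < QUOTE_MIN_LEN)
        return NULL;
    return quote + QUOTE_REPORT_DATA_OFFSET;
}

/* Constant-time compare so a mismatch does not reveal which byte differed. */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Verifier side: once the quote's signature and MRENCLAVE have been checked
 * (not shown), confirm the public key received out of band is the one the
 * enclave committed to in report_data. Returns 1 if bound, 0 otherwise. */
int quote_binds_pubkey(const uint8_t *quote, size_t quote_len, const ec256_public_t *claimed)
{
    const uint8_t *rd = quote_report_data(quote, quote_len);
    if (rd == NULL)
        return 0;
    report_data_t expected;
    bind_pubkey_to_report_data(claimed, &expected);
    return ct_equal(rd, expected.d, REPORT_DATA_SIZE);
}

/* Constructed sample: a deterministic dummy key and a zeroed quote buffer whose
 * only populated region is report_data (no real signature or report fields). */
void make_sample(ec256_public_t *pub, uint8_t *quote, size_t quote_len)
{
    for (int i = 0; i < ECP256_KEY_SIZE; i++) {
        pub->gx[i] = (uint8_t)(0x10 + i);
        pub->gy[i] = (uint8_t)(0xA0 + i);
    }
    memset(quote, 0, quote_len);
    report_data_t rd;
    bind_pubkey_to_report_data(pub, &rd);
    memcpy(quote + QUOTE_REPORT_DATA_OFFSET, rd.d, REPORT_DATA_SIZE);
}
```

Two practical points: if the data you want to attest is larger than 64 bytes (an RSA key, a certificate), put a SHA-256 digest of it in report_data and have the verifier recompute the digest from the data it received; and the report_data comparison only proves origin after the quote's signature and the expected MRENCLAVE/MRSIGNER have been verified, since report_data itself is just bytes the enclave chose.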
  • Though this is not related to the question, let me ask you one more question. I found that "MRENCLAVE uniquely identifies any particular enclave, so using the Enclave Identity will restrict access to the sealed data only to instances of that enclave. NOTE: Different builds/versions of an enclave will result in a different MRENCLAVE value." (https://software.intel.com/en-us/blogs/2016/05/04/introduction-to-intel-sgx-sealing) Then how is remote attestation possible if MRENCLAVE differs in every instance? I thought that MRENCLAVE is used for identifying the execution code of the target enclave source. – 송제호 Dec 07 '19 at 18:29
  • The MRENCLAVE should be the same for every enclave instance. It should only change if the enclave source code changes. – proslaniec Dec 10 '19 at 08:47