Problems in understanding DCAP

Golsch__Lennard — Fri, 24 Apr 2020 15:33:37 GMT

Hello, I have already read the documentation and looked at the sample code, but I still have basic understanding problems with DCAP. I do not quite understand the interaction or the extension by PCE.

Every platform has a PCK private key. With various information you can get a suitable certificate with chain and CRLs from the Provisioning Certification Service. I know that the PCE signs the QE with the PCK private key and that the signature can be verified later with the chain and the certificate.

So far so good. To what extent do QE and PCE work together to create a Quote? How which information is written to the Quote, which is later necessary for verification? What about original Attestation Key?

I quote from the API documentation [0]:

For Intel® SGX DCAP, the QE will generate the ECDSA Attestation Key (AK) and include a hash of the AK in the QE.REPORT.ReportData

Why?

This PCE certification data will ultimately be embedded in the ECDSA Quote generated by the QE.

Which "PCE certification data"?

The AK is then used to signed application enclave Reports to prove that the enclave is running with Intel® SGX protections at a given TCB. This is called the ECDSA Quote. The Attestation infrastructure owner can verify the ECDSA attestation key using the PCK Certificate

What is the connection between AK and PCK-Cert?

[0] https://download.01.org/intel-sgx/dcap-1.0/docs/SGX_ECDSA_QuoteGenReference_DCAP_API_Linux_1.0.pdf

Hello Klei, the SGX Explained

JesusG_Intel — Tue, 28 Apr 2020 01:05:00 GMT

Hello Lennard, the SGX Explained document has a thorough explanation of this process in section 5.8 and its subsections. I highly recommend you read it.

Regards,
Jesus

topic Problems in understanding DCAP in Intel® Software Guard Extensions (Intel® SGX)

Problems in understanding DCAP

Hello Klei, the SGX Explained