topic Hi: in Intel® Software Guard Extensions (Intel® SGX)

Local Attestation for Platform Security

bergmann__Tina — Mon, 15 Jan 2018 09:13:07 GMT

Hi All,

I am just a beginner using this technology. I was reading up the documentation to understand.

Can we somehow ensure that a self-attested Application using Local Attestation to prove the integrity and confidentiality of an Application Enclave or is remote attestation indispensible and the only way to prove an App is secure? I am assuming even if OS, Hypervisor etc. are all untrusted, the Intel PSW is a trusted software and therefore using Quoting Enclave is it not possible to self attest an Application Enclave for its integrity?

Also, if the MRENCLAVE measurement of the Application is taken newly everytime the Application is loaded, and if no "known hash" exists to compare with , how can we be assured that it has not been "re-written" and "re-signed"?

Thanks for clarification.

-Tina

Hi:

you_w_ — Tue, 16 Jan 2018 02:41:48 GMT

Hi:

To prove the App's security,Remote attestation is needed. The Quoting Enclave is used to change "SGX report" to "SGX quote". In that process it uses the EPID algorithm for generating a signature. In remote attestation process, we check a lot of things, like MrEnclave, MrSigner, isv_SVN and so on to make sure that, the enclave is the right enclave, and the platform satisfies the security requirement. We can use remote attestation to check one of applications, and then use the enclave local attest others.

Launching Enclave will check the integrity of an Enclave when it launching. When we sign an Enclave, the signer will write MrENCLAVE and MrSigner in Enclave metadata. Launching Enclave will take the value in metadata for comparison.

Regards

you

Thanks for the reply. Also,

bergmann__Tina — Tue, 16 Jan 2018 10:21:42 GMT

Thanks for the reply. Also, is remote attestation a prerequisite for every running Enclave to be sure it is secure?

I mean can an enclave that is launched proceed doing any "operations" it is supposed to do within the system? Or will the SGX PSW wait until it is remotely attested to proceed?

Regarding the Launch Enclave, is this the Enclave that "locally" attests an Enclave?Also if each Enclave is launched on the platform and its integrity checked, what is then the need for intra-enclave attestation(Local attestation using a Report as described by local attestation)

Thanks,

Tina

Hi :

you_w_ — Fri, 19 Jan 2018 07:05:20 GMT

Hi :

The Local Attestation is used for share secret or make ecalls across different enclaves. Only by verified the identity of other enclaves, can a enclave get it's trust. "each Enclave is launched on the platform and its integrity checked" ------This only make sure that the Enclave is not modified after signed. I mean that If I write an Enclave and run it on the platform, It should not have the ability to make ecall to your enclave.

Regards

You