Platform services enclave

vickey — Sun, 14 Mar 2021 12:14:49 GMT

Which parameter decides whether PSE(platform service enclave) will be used?and what is the implication of PSE.Why we needs to use it?. For parameter I mean sgx application enclave,sgx application itself,remote challenger,intel attestation service,or something else?

Re:Platform services enclave

JesusG_Intel — Mon, 15 Mar 2021 20:07:27 GMT

Hello vickey,

The Intel® Software Guard Extensions Remote Attestation End-to-End Example explains the purpose of the Platform Services Enclave (PSE):

"The PSE is an architectural enclave included in the Intel SGX software package that supplies services for trusted time and a monotonic counter. These can be used for replay protection during nonce generation and for securely calculating the length of time for which a secret should be valid."

The PSE is used mainly in two scenarios:

Remote Attestation - Refer to the section Remote Attestation and Protected Session Establishment in the Intel SGX Developer Reference Guide for Windows and to the Intel® Software Guard Extensions Remote Attestation End-to-End Example for details on the remote attestation flow. The ISV application, also known as the untrusted app, determines whether to use Platform Services by setting b_pse = 1 when it initiates the enclave. The enclave then passes b_pse to sgx_ra_init, which is used to generate the remote attestation context. When this variable is set, Msg3, from the client to the service provider, includes platform services information. Upon receiving Msg3, the payload that the service provider sends to the Intel Attestation Service will include a PSE Manifest and nonce.

Refer to Section 4.1 Attestation Evidence Payload of the SGX Attestation API Spec, for definitions of the PSE Manifest and Nonce.

A PSE session must be established in order to request platform service. The enclave implementation in the sgx-ra-sample shows how to use sgx_create_pse_session based on the value of b_pse.

2.Sealing Data - Refer to the section SealedData in the Intel SGX Developer Reference Guide for Windows for information on how the Monotonic Counter and Trusted Time Services, which are provided by the PSE, are used to protect enclave secrets that are stored outside of the enclave, such as on disk. For the implementation, refer to the SealedData sample in the Intel SGX SDK for Windows.

Note that enclaves running on server hardware do not have a Platform Services Enclave, and cannot utilize client specific features.

Support for Intel® Software Guard Extensions (Intel® SGX) Platform Services was removed from all Linux*-based platforms, including client platforms, beginning with Intel SGX SDK for Linux 2.9.

The Intel SGX API for monotonic counters is still part of the Intel® Software Guard Extensions (Intel® SGX) SDK for Windows* and is supported on Windows® 10 platforms through the Intel SGX Platform Software for Windows. The Intel SGX Platform Software for Windows is usually installed through Windows Update from the platform OEM.

Sincerely,

Jesus G.

Intel Customer Support

Re:Platform services enclave

JesusG_Intel — Fri, 19 Mar 2021 18:11:53 GMT

Hello Vickey,

Do you have any further questions regarding Platform Services?

Sincerely,

Jesus G.

Intel Customer Support

Re:Platform services enclave

JesusG_Intel — Tue, 23 Mar 2021 23:46:48 GMT

This thread has been marked as answered and Intel will no longer monitor this thread. If you want a response from Intel in a follow-up question, please open a new thread.

topic Re:Platform services enclave in Intel® Software Guard Extensions (Intel® SGX)

Platform services enclave

Re:Platform services enclave

Re:Platform services enclave

Re:Platform services enclave