https://community.intel.com/t5/Intel-Software-Guard-Extensions/RA-Why-query-IAS-for-SigRL/m-p/1387461#M5304 <P>Hello Daniel,</P><P><BR /></P><P>I hope the information on SigRL that I provided to you answers your question.</P><P><BR /></P><P>I will close this thread now and Intel will no longer monitor it. Please start a new thread if you need further help.</P><P><BR /></P><P>Sincerely,</P><P>Jesus G.</P><P>Intel Customer Support</P><BR /> Wed, 25 May 2022 19:09:55 GMT JesusG_Intel 2022-05-25T19:09:55Z https://community.intel.com/t5/Intel-Software-Guard-Extensions/RA-Why-query-IAS-for-SigRL/m-p/1382058#M5258 <P>During remote attestation the Service Provider, SP, has to query IAS for two things:</P> <OL class="lia-list-style-type-lower-roman"> <LI>Get SigRL(gid)</LI> <LI>Get Report(quote)</LI> </OL> <P>In the function <STRONG>sgx_get_quote</STRONG> the <STRONG>p_sig_rl</STRONG> argument can be NULL.</P> <P>The SigRL returned by IAS is not signed (by IAS), meaning it could have been modified before we use it in <STRONG>sgx_get_quote</STRONG>.</P> <P>I'm assuming that if we ignore the first IAS query that IAS still knows whether the processor is legitimate, up to date, and not blacklisted.</P> <P>&nbsp;</P> <OL> <LI>Is it safe to ignore the first IAS query, i.e. not do <EM>Get SigRL</EM> but only do get <EM>Get Report</EM>, using a NULL <STRONG>p_sig_rl</STRONG>? Will remote attestation still work correctly?</LI> <LI>If we can invoke <EM>Get Report</EM> directly without the SigRL, then what is the point of doing the extra step <EM>Get SigRL</EM>?</LI> </OL> Thu, 05 May 2022 15:04:33 GMT https://community.intel.com/t5/Intel-Software-Guard-Extensions/RA-Why-query-IAS-for-SigRL/m-p/1382058#M5258 Daniel_ˢᵍˣ 2022-05-05T15:04:33Z https://community.intel.com/t5/Intel-Software-Guard-Extensions/RA-Why-query-IAS-for-SigRL/m-p/1382941#M5272 <P>Hello Daniel,</P><P><BR /></P><P>You mention good points. We are checking with our internal resources and will update you as soon as we have a response.</P><P><BR /></P><P>Sincerely,</P><P>Jesus G.</P><P>Intel Customer Support</P><BR /> Mon, 09 May 2022 18:33:50 GMT https://community.intel.com/t5/Intel-Software-Guard-Extensions/RA-Why-query-IAS-for-SigRL/m-p/1382941#M5272 JesusG_Intel 2022-05-09T18:33:50Z https://community.intel.com/t5/Intel-Software-Guard-Extensions/RA-Why-query-IAS-for-SigRL/m-p/1385740#M5299 <P>Hello Daniel, I finally have an answer for you. You must always get the SigRL from IAS. If the SigRL gets tampered with in any way, the platform, whether it's valid or not, will fail attestation because the IAS will know that the platfrom's report does not contain the appropriate SigRL.</P><P><BR /></P><P><SPAN style="font-size: 10pt;">An EPID group can have valid platforms and revoked/invalid platforms. The SigRL contains signatures of revoked platforms in an EPID group. If a valid platform signs it's quote with an empty SigRL and it is part of an EPID group that has revoked platforms in it (the SigRL is not supposed to be empty), then that valid platform will fail.</SPAN></P><P><SPAN style="font-size: 10pt;">&nbsp;</SPAN></P><P><SPAN style="font-size: 10pt;">An empty SigRL list exists only for EPID groups without any revoked platforms. You can send empty SigRLs only to platforms in clean EPID groups.</SPAN></P><P><BR /></P><P><SPAN style="font-size: 10pt;">Sincerely,</SPAN></P><P><SPAN style="font-size: 10pt;">Jesus G.</SPAN></P><P><SPAN style="font-size: 10pt;">Intel Customer Support</SPAN></P><BR /> Thu, 19 May 2022 19:56:41 GMT https://community.intel.com/t5/Intel-Software-Guard-Extensions/RA-Why-query-IAS-for-SigRL/m-p/1385740#M5299 JesusG_Intel 2022-05-19T19:56:41Z https://community.intel.com/t5/Intel-Software-Guard-Extensions/RA-Why-query-IAS-for-SigRL/m-p/1387461#M5304 <P>Hello Daniel,</P><P><BR /></P><P>I hope the information on SigRL that I provided to you answers your question.</P><P><BR /></P><P>I will close this thread now and Intel will no longer monitor it. Please start a new thread if you need further help.</P><P><BR /></P><P>Sincerely,</P><P>Jesus G.</P><P>Intel Customer Support</P><BR /> Wed, 25 May 2022 19:09:55 GMT https://community.intel.com/t5/Intel-Software-Guard-Extensions/RA-Why-query-IAS-for-SigRL/m-p/1387461#M5304 JesusG_Intel 2022-05-25T19:09:55Z https://community.intel.com/t5/Intel-Software-Guard-Extensions/RA-Why-query-IAS-for-SigRL/m-p/1388089#M5308 <P>Hello Jesus,</P> <P>Thank you, it does!</P> <P>Daniel</P> Fri, 27 May 2022 14:22:57 GMT https://community.intel.com/t5/Intel-Software-Guard-Extensions/RA-Why-query-IAS-for-SigRL/m-p/1388089#M5308 Daniel_ˢᵍˣ 2022-05-27T14:22:57Z