topic Re:Retrieve attesation key certificate in Intel® Software Guard Extensions (Intel® SGX)

Retrieve attesation key certificate

ChrisCode — Tue, 16 May 2023 23:02:21 GMT

The Quoting Enclave (QE) generates an attestation key (AK), signed by the Provisioning Certification Enclave (PCE), which is then used to sign the report and the ECDSA quote.

How do you get the AK certificate from outside the QE to verify the certificate chain up to the Intel root CA certificate? I am trying to build a report verification system in golang.

Thanks for your help!

Re:Retrieve attesation key certificate

Zulkifli_Intel — Wed, 17 May 2023 16:56:18 GMT

Hello ChrisCode,

Thank you for reaching out to us.

I'm looking into this matter and have an answer for you as soon as possible.

Sincerely,

Zulkifli

Re: Retrieve attesation key certificate

Zulkifli_Intel — Thu, 18 May 2023 21:03:46 GMT

Hi ChrisCode,

The Quote Enclave (QE) generates a unique asymmetric Attestation Key (AK). The QE provides the Provisioning Certification Enclave (PCE) with the attestation public key.

Since QE receives REPORTs from other enclaves, verifies them, and signs with the AK before returning the results, therefore AK may not be obtained from outside of the QE.

Here are some of the reasons why the AK may not be obtained from outside of the QE. The first reason is that the AK is stored in a secure enclave in memory, which is a protected area of memory that is inaccessible to the rest of the system, in order to prevent unauthorized access.

Another reason is that the AK is encrypted using a memory encryption key and it's not accessible. This encryption prevents an attacker from simply reading the AK from memory.

Sincerely,

Zulkifli

Re: Retrieve attesation key certificate

ChrisCode — Fri, 19 May 2023 16:30:17 GMT

Thanks for you answer. Of course the private part of the attestation key must stay in the enclave. But this was not my question.

I currently still don't understand how to verify the authenticity of the ECDSA attestation public key, that we receive as part of the quote. (Page 65, Table 4). In this paper it says: "The PCE authenticates the request and issues a certificate-like structure identifying the QE and the Attestation Key (3)." (section 3.1) Thats why I thought there is also a certificate for the AK.

AMD SEV(-SNP) for example signs the reports with the Versioned Chip endorsement key (VCEK) and one can verify the VCEK simply with its corresponding certificate.

Or is it meant the following way:

As stated in the documentation, we trust the QE, since it is an "Intel signed enclave that is trusted by the attestation infrastructure".

I looked at the DCAP quote verification library and the verification function takes additional quote collateral data (struct sgx_ql_qve_collateral_t), which contains data that is necessary to verify the quote, like QE identity structure.

So, by verifying the signature of this QE identity structure we can verify the QE. Does this now mean, that we can trust the AKs generated by the QE, which are used to sign the attestation reports? And we don't need to verify the AK public key in the quote?

Re:Retrieve attesation key certificate

Zulkifli_Intel — Sat, 20 May 2023 00:01:22 GMT

Hi ChrisCode

In a DCAP environment, the Intel Attestation Services (IAS) does not verify the enclave. IAS is used to verify enclaves only for EPID-based attestation.

For ECDSA attestation, the service provider must build their own attestation service using the DCAP primitives. The service provider/relying party verifies the SGX platform using the DCAP Quote Verification Library.

For DCAP, the Intel Provisioning Certification Service provides PCK certificates, TCB info, revocation lists, and quoting enclave identity to the service provider so that the service provider can perform the attestation.

The Intel DCAP Product Brief explains how all these pieces fit together.

Sincerely,

Zulkifli

Re:Retrieve attesation key certificate

Zulkifli_Intel — Mon, 22 May 2023 15:08:24 GMT

This thread will no longer be monitored since this issue has been resolved. If you need any additional information from Intel, please submit a new question.