Can I include some data in the quote to be signed?

Nappa__Antonio · ‎03-29-2019

Hello everyone!

I would like to add some data to the quote to get it attested within the enclave, would it be possible?

Thanks

-jeppo

Michalevsky__Yan · ‎03-29-2019

Hi Antonio.

You can include 64 bytes in custom data as part of the attestation quote. While that sounds like not too much, that's all you'll actually need to attest to anything you want, since that is exactly the size of a SHA-512 hash (you can also use only 32 bytes if you're using SHA-256 which is still an acceptable industry standard).

The collision resistance property of the cryptographic hash function guarantees that whatever you send along the quote out-of-band is attested to by an authentic SGX enclave.

Hope this explanation makes sense.

Dr__Greg · ‎03-30-2019

Good evening Antonio, I hope this post finds your weekend going well.

The ENCLU[EREPORT] instruction that generates an enclave attestation quote/report, accepts as an argument, a pointer to a 64 byte buffer. The contents of this buffer gets copied into the report_data element of the sgx_report_body_t structure that is generated by the EREPORT instruction. A Message Authentication Code (MAC), based on the derived report key for the enclave, is generated over the entire sgx_report_ body_t structure. The MAC 'binds' the 64 bytes of report data to the enclave identity characteristics.

The 64 byte data buffer is free form data and you can supply any information in that buffer that you would like to have identified as being in the possession and protection envelope of the enclave when the report/quote was generated. You can thus use this buffer to convey whatever information you would like to a verifying party.

I will expand on this a bit more in a reply to your other post.

Dr. Greg