Hello!
I want to communicate between different enclaves, but I don't know how to do it. I have 3 problems to solve.
1. There are two enclaves: Enclave A and Enclave B. I want to let A transfer some data to B, but I don't know how to do it.
2. And if A and B are on different devices, what should I do?
3. I want to implement the Intel SGX remote attestation mechanism in my project. This mechanism requires a Service Provider and an IAS server. My problem is: what exactly is a Service Provider? Is it an ordinary server on which we install an API, or something else? How do I configure this SP in order to implement the remote attestation mechanism?
Thank you for your help.
Hi,
Before collaborating, one enclave will have to authenticate the other locally using the SGX report mechanism to verify it is running on the same TCB platform (local attestation). This will create a protected channel between the two local enclaves. Note that two enclaves can never communicate directly with each other; it is always done through the application. See Figure 9 for a diagram of how two enclaves communicate with each other through an application. It is also possible for two enclaves that exist on separate machines to transfer data between each other, but it is not as simple as when they are on one machine. A third-party server, like a service provider, will be needed to create secure channels between the enclaves. For more information on local attestation, check out the SGX Developer Reference Guide.
You would use a regular service provider, but when setting up remote attestation, the client asks the SP to provision secrets. It is a specific API endpoint that the SP implements for making such a request. The SP responds to the request by issuing a challenge requesting the client to attest itself. This document explains more about the communication sequence between client and server during remote attestation.
Hope this information was helpful.
Sincerely,
Sahira
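As an added illustration of the local-attestation flow described in the reply above (this is a constructed model, not the SGX SDK's code and not anything posted in this thread), the script below stands in for EREPORT/EGETKEY with HMAC: the untrusted application only relays messages, the target enclave verifies the report with a key bound to its own identity and its platform, and a copy of the same enclave on another machine cannot produce a report that verifies. The `Platform`, `Enclave`, `app_relay` and `local_attest` names are assumptions of the model.

```python
import hashlib
import hmac
import os

# Constructed model of SGX local attestation (not the SGX SDK API and not the poster's code).
# The report key is derived from a secret fused into the CPU and the TARGET enclave's
# measurement, so only an enclave with that MRENCLAVE on that same platform can derive it.

class Platform:
    """One physical machine; holds the stand-in for the CPU-fused key material."""
    def __init__(self) -> None:
        self.secret = os.urandom(32)  # constructed stand-in for the fused secret

    def report_key(self, target_mrenclave: bytes) -> bytes:
        # Models EGETKEY(REPORT_KEY): bound to the platform secret and the target identity.
        return hmac.new(self.secret, b"REPORT_KEY" + target_mrenclave, hashlib.sha256).digest()

class Enclave:
    def __init__(self, platform: Platform, code: bytes) -> None:
        self.platform = platform
        self.mrenclave = hashlib.sha256(code).digest()  # measurement of the enclave code

    def target_info(self) -> bytes:
        return self.mrenclave

    def create_report(self, target_info: bytes, report_data: bytes) -> dict:
        """Models sgx_create_report: MAC over the body keyed with the target's report key."""
        body = self.mrenclave + report_data
        key = self.platform.report_key(target_info)
        return {"mrenclave": self.mrenclave, "report_data": report_data,
                "mac": hmac.new(key, body, hashlib.sha256).digest()}

    def verify_report(self, report: dict) -> bool:
        """Models sgx_verify_report: recompute the MAC with my own report key."""
        body = report["mrenclave"] + report["report_data"]
        key = self.platform.report_key(self.mrenclave)
        return hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), report["mac"])

def app_relay(msg):
    # The untrusted application only carries bytes between the enclaves; it cannot forge a MAC.
    return msg

def local_attest(a: Enclave, b: Enclave, expected_mr_a: bytes) -> bool:
    """B authenticates A: A's report, built for B's target info, must verify and match the expected identity."""
    target_b = app_relay(b.target_info())
    report = app_relay(a.create_report(target_b, b"dh-pubkey-A"))  # report_data carries a key-exchange value
    return b.verify_report(report) and hmac.compare_digest(report["mrenclave"], expected_mr_a)
```

In the real SDK the report body also carries attributes and MRSIGNER, and the report_data field is where each side binds its Diffie-Hellman public key so the protected channel is tied to the attested identity.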
Thank you for your reply.
I learned a lot of useful things. I plan to study the documentation you provided me by myself.
Thank you very much!
Sincerely,
Double
Hi,
After a period of study, I know that the SP can find out whether the client is reliable through IAS. But I don't understand how the client can determine that the SP is a reliable service provider and not a malicious one.
Thanks a lot.
Sincerely,
Double