Hi!
I read from the announcement on this board that a subscription is needed to use the remote attestation (EPID) service. Am I understanding it correctly?
After subscribing to DEV Intel® Software Guard Extensions Attestation Service (Linkable) using my account, I have successfully received a primary key, a secondary key and a SPID. Could you tell me how I can incorporate those two keys and the SPID in remote attestation?
From SampleCode in sgx_sdk, remote attestation is like replacing local attestation's EREPORT MAC with a signature signed by the attestation key, which is obtained from Intel through the provisioning enclave. In sgx_sdk, EPID key provisioning service seems to be hidden in sgx_ra_get_msg1 function... Could you help me figure out how to incorporate this subscription into remote attestation?
Thank you so much!
Hello.
Please refer to the more complete, full end-to-end remote attestation article and sample code at the links below. This sample has been updated to use the subscription based APIs.
https://github.com/intel/sgx-ra-sample
Regards.
Scott
Hi, Scott!
Thank you for your reply!
The following three points are my understanding of the Attestation Service based on your reply. Could you help me take a look at them to see if they are correct?
[1] The Intel Attestation Service (IAS) is only needed on the server (Service Provider) side. The Service Provider ID I obtained from registration is used to (1) obtain the Signature Revocation List through GetSigRL and (2) verify a quote through VerifyQuote.
[2] The simplified RemoteAttestation example in SampleCode just uses a simulated service provider, which does not communicate with Intel, such that this example doesn't require a registration to IAS.
[3] IAS is not required on the Enclave's side (i.e. ISV side). On the Enclave side, EPID key provisioning is implemented by sgx_ra_get_msg1 function.
Thanks a lot!
Hello Yi.
You are correct in all 3 of your statements, but a couple of comments...
#2 - This is true, but just to be clear, because it doesn't truly talk to IAS, it can't truly verify the validity of an enclave/platform/TCB.
#3 - Just FYI, EPID provisioning is buried a little deeper than just that function, but yes, EPID provisioning is kicked off automatically if it hasn't happened yet.
Regards.
Scott
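To make the Service Provider side of this exchange concrete, here is an added example (not code from the thread or from the sgx-ra-sample project) of how the subscription key is used against the two IAS calls discussed above: the key goes in an `Ocp-Apim-Subscription-Key` header (primary and secondary are interchangeable, the second exists for rotation), the EPID group id from msg1 is byte-reversed into the sigrl URL, and the base64 quote from msg3 is posted to the report endpoint whose `isvEnclaveQuoteStatus` the SP must evaluate. The dev base URL, API version and the acceptance policy are assumptions; the SPID is placed into msg2 by the SP and ends up inside the quote, it is not sent to IAS.

```python
import json
from typing import Optional, Tuple

# Assumed: IAS development environment, API v4 (adjust for production or another version).
IAS_DEV_BASE = "https://api.trustedservices.intel.com/sgx/dev/attestation/v4"
# Statuses the SP may accept under an explicit policy; anything else is a hard reject
# (SIGNATURE_INVALID, GROUP_REVOKED, SIGNATURE_REVOKED, KEY_REVOKED, SIGRL_VERSION_MISMATCH).
ACCEPT_STATUSES = {"OK"}
POLICY_STATUSES = {"GROUP_OUT_OF_DATE", "CONFIGURATION_NEEDED",
                   "SW_HARDENING_NEEDED", "CONFIGURATION_AND_SW_HARDENING_NEEDED"}

def gid_to_path(epid_gid: bytes) -> str:
    """msg1 carries the EPID group id as 4 little-endian bytes; IAS wants big-endian hex."""
    if len(epid_gid) != 4:
        raise ValueError("EPID group id must be exactly 4 bytes")
    return epid_gid[::-1].hex()

def build_sigrl_request(subscription_key: str, epid_gid: bytes) -> dict:
    """GetSigRL: authenticated only by the subscription key header, no SPID involved."""
    return {"method": "GET",
            "url": f"{IAS_DEV_BASE}/sigrl/{gid_to_path(epid_gid)}",
            "headers": {"Ocp-Apim-Subscription-Key": subscription_key}}

def build_report_request(subscription_key: str, quote_b64: str,
                         nonce: Optional[str] = None) -> dict:
    """Quote verification: base64 quote from msg3 in a JSON body, optional nonce (<= 32 chars)."""
    body = {"isvEnclaveQuote": quote_b64}
    if nonce is not None:
        if len(nonce) > 32:
            raise ValueError("IAS nonce is limited to 32 characters")
        body["nonce"] = nonce
    return {"method": "POST", "url": f"{IAS_DEV_BASE}/report",
            "headers": {"Ocp-Apim-Subscription-Key": subscription_key,
                        "Content-Type": "application/json"},
            "body": json.dumps(body)}

def evaluate_report(body_text: str, expected_nonce: Optional[str],
                    allow_policy: bool = False) -> Tuple[bool, str]:
    """Decide on an attestation verification report; returns (accepted, status).
    The caller must first check X-IASReport-Signature over body_text against the IAS
    report-signing certificate chain; that step is outside this example."""
    report = json.loads(body_text)
    if expected_nonce is not None and report.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: report does not belong to this attestation")
    status = report.get("isvEnclaveQuoteStatus", "")
    if status in ACCEPT_STATUSES or (allow_policy and status in POLICY_STATUSES):
        return True, status
    return False, status
```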
Perfect! Thank you so much!