Do we need to subscribe to perform remote attestation?

Hi!

I read from the announcement on this board that a subscription is needed to use the remote access (EPID) service. Am I understanding it correctly?

After subscribing to DEV Intel® Software Guard Extensions Attestation Service (Linkable) using my account, I have successfully received a primary key, a secondary key and an SPID. Could you tell me how I can incorporate those two keys and the SPID in remote attestation?

From SampleCode in sgx_sdk, remote attestation is like replacing local attestation's EREPORT MAC with a signature signed by the attestation key, which is obtained from Intel through the provisioning enclave. In sgx_sdk, EPID key provisioning service seems to be hidden in sgx_ra_get_msg1 function... Could you help me figure out how to incorporate this subscription into remote attestation?


Thank you so much!

Accepted Solutions
Employee

Hello.

Please refer to the more complete, full end-to-end remote attestation article and sample code at the links below. This sample has been updated to use the subscription-based APIs.

https://software.intel.com/en-us/articles/code-sample-intel-software-guard-extensions-remote-attesta...

https://github.com/intel/sgx-ra-sample

Regards.

Scott

Beginner

Hi, Scott!


Thank you for your reply!

The following three points are my understanding of the Attestation Service based on your reply. Could you help me take a look at them to see if they are correct?

[1] The Intel Attestation Service (IAS) is only needed on the server (Service Provider) side. The Service Provider ID I obtained from registration is used to (1) obtain the Signature Revocation List through GetSigRL and (2) verify a quote through VerifyQuote.

[2] The simplified RemoteAttestation example in SampleCode just uses a simulated service provider, which does not communicate with Intel, such that this example doesn't require a registration to IAS.

[3] IAS is not required on the Enclave's side (i.e. ISV side). On the Enclave side, EPID key provisioning is implemented by sgx_ra_get_msg1 function.


Thanks a lot!

Employee

Hello Yi.

You are correct in all 3 of your statements, but a couple of comments...

#2 - This is true, but just to be clear, because it doesn't truly talk to IAS, it can't truly verify the validity of an enclave/platform/TCB.

#3 - Just FYI, EPID provisioning is buried a little deeper than just that function, but yes, EPID provisioning is kicked off automatically if it hasn't happened yet.

Regards.

Scott

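As an added example (not code from this thread or from Intel's sgx-ra-sample), here is the service-provider side in Python: how the primary/secondary subscription key from point [1] is presented to IAS, and the policy checks a real SP must apply to the signed report, which is what the simulated service provider in SampleCode skips (Scott's comment on #2). It assumes the IAS API v4 paths under the DEV endpoint and the 432-byte `isvEnclaveQuoteBody` layout (48-byte quote header followed by `sgx_report_body_t`); the `ias_requests` function only builds the requests, it does not send them.

```python
import base64
import struct

# Assumption: the "dev" path matches the DEV (Linkable) subscription named in the thread;
# production subscriptions use /sgx/attestation/v4/... instead.
IAS_BASE = "https://api.trustedservices.intel.com/sgx/dev/attestation/v4"
SGX_FLAGS_DEBUG = 0x2  # ATTRIBUTES.FLAGS bit set when the enclave was launched in debug mode

def ias_requests(gid_le, quote, subscription_key):
    """Describe the two IAS calls the SP makes. The subscription key travels in the
    Ocp-Apim-Subscription-Key header; the SPID is not an IAS parameter, the SP puts it in
    msg2 and it ends up inside the quote. Returns (method, url, headers, json_body) tuples."""
    headers = {"Ocp-Apim-Subscription-Key": subscription_key}
    gid_hex = gid_le[::-1].hex()  # msg1 carries the EPID GID little-endian; IAS wants big-endian hex
    sigrl_req = ("GET", f"{IAS_BASE}/sigrl/{gid_hex}", headers, None)
    report_req = ("POST", f"{IAS_BASE}/report", {**headers, "Content-Type": "application/json"},
                  {"isvEnclaveQuote": base64.b64encode(quote).decode()})
    return sigrl_req, report_req

def evaluate_report(report, expected_mrenclave, expected_mrsigner, min_isv_svn, allow_outdated=False):
    """Policy decision on the JSON body of an IAS attestation verification report. Run it only
    after X-IASReport-Signature was validated against Intel's report-signing certificate."""
    status = report.get("isvEnclaveQuoteStatus")
    accepted = {"OK"} | ({"GROUP_OUT_OF_DATE", "CONFIGURATION_NEEDED"} if allow_outdated else set())
    if status not in accepted:
        return False, f"rejected: isvEnclaveQuoteStatus={status}"
    quote = base64.b64decode(report["isvEnclaveQuoteBody"])
    if len(quote) != 432:  # quote header (48) + sgx_report_body_t (384); IAS strips the signature
        return False, "rejected: malformed isvEnclaveQuoteBody"
    body = quote[48:]
    flags, = struct.unpack_from("<Q", body, 48)  # attributes.flags
    if flags & SGX_FLAGS_DEBUG:
        return False, "rejected: debug enclave"
    if body[64:96] != expected_mrenclave:
        return False, "rejected: MRENCLAVE mismatch"
    if body[128:160] != expected_mrsigner:
        return False, "rejected: MRSIGNER mismatch"
    isv_svn, = struct.unpack_from("<H", body, 258)
    if isv_svn < min_isv_svn:
        return False, f"rejected: ISVSVN {isv_svn} < {min_isv_svn}"
    return True, "trusted"

def sample_report(status, mrenclave, mrsigner, isv_svn, debug=False):
    """Constructed IAS-style report for offline testing; not real IAS output."""
    body = bytearray(384)
    struct.pack_into("<Q", body, 48, SGX_FLAGS_DEBUG if debug else 0)
    body[64:96] = mrenclave
    body[128:160] = mrsigner
    struct.pack_into("<H", body, 258, isv_svn)
    quote = bytes(48) + bytes(body)
    return {"isvEnclaveQuoteStatus": status, "isvEnclaveQuoteBody": base64.b64encode(quote).decode()}
```

`GROUP_OUT_OF_DATE` and `CONFIGURATION_NEEDED` mean the platform TCB is behind; accepting them is a deliberate policy choice, which is why the function defaults to rejecting them.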
Beginner


Perfect! Thank you so much!
