Hi,
Using Innovative Instructions to Create Trustworthy Software Solutions -
- In this paper, it is mentioned that we have a trusted channel between the enclave and the remote server. But if socket stuff is not allowed, how does an enclave communicate with the remote server?
- How does an enclave communicate with local enclaves? The manual said one needs to pass a REPORT to another in order to attest, but how is this done without the system's help?
Thanks
Hi Sam,
The so-called trusted path is established on top of the untrusted path offered by the OS (traditional IPC between applications), with cryptographic protection (the keys are known only to the enclaves). In the local attestation samples available in the Intel SGX SDK, the enclave that wants to prove that it is running inside an enclave on an Intel CPU creates a report inside the enclave (EREPORT). The report does not have any secret in it, but it is MAC'd using the report key, which is accessible and generated inside the enclave. The report is sent to the other enclave through the untrusted channel (i.e., OS-provided IPC), and then the report is verified inside the other enclave, which has access to the same report key (shared secret) inside the enclave and can verify the structure's integrity using the MAC and the report key (shared secret between enclaves). If all the information in the report matches, the two enclaves can trust that they run on the same SGX platform. They can then perform a key exchange, such as a DH key exchange or any other method, to establish a secure channel and communicate with each other securely.
Thanks and Regards,
Surenthar Selvaraj
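
A toy model of the local attestation flow described in the answer above, added here as an example (it is not from the original posts or the Intel SGX SDK). It stands in HMAC-SHA256 for the CPU's EREPORT/EGETKEY instructions and report MAC; `Enclave`, `Report`, `_CPU_SECRET` and `demo` are hypothetical names and all inputs are constructed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Stand-in for the processor-held secret (constructed; never leaves the "CPU").
_CPU_SECRET = os.urandom(32)

def _report_key(mrenclave: bytes) -> bytes:
    """Model of the CPU deriving the report key bound to one enclave identity."""
    return hmac.new(_CPU_SECRET, b"REPORT_KEY" + mrenclave, hashlib.sha256).digest()

@dataclass
class Report:
    mrenclave: bytes    # identity (measurement) of the enclave that made the report
    report_data: bytes  # caller-chosen payload, e.g. hash of a DH public key
    mac: bytes          # MAC under the *target* enclave's report key

class Enclave:
    def __init__(self, code: bytes):
        self.mrenclave = hashlib.sha256(code).digest()  # toy measurement

    def ereport(self, target_mrenclave: bytes, report_data: bytes) -> Report:
        # The CPU keys the MAC for the target; the report itself holds no secret.
        key = _report_key(target_mrenclave)
        mac = hmac.new(key, self.mrenclave + report_data, hashlib.sha256).digest()
        return Report(self.mrenclave, report_data, mac)

    def verify(self, report: Report) -> bool:
        # The verifier fetches its own report key (EGETKEY in real SGX) and recomputes.
        key = _report_key(self.mrenclave)
        body = report.mrenclave + report.report_data
        expected = hmac.new(key, body, hashlib.sha256).digest()
        return hmac.compare_digest(expected, report.mac)

def demo():
    a, b, c = (Enclave(x) for x in (b"code A", b"code B", b"code C"))
    dh_hash = hashlib.sha256(b"A's DH public key (constructed)").digest()
    report = a.ereport(b.mrenclave, dh_hash)  # travels A -> B over untrusted IPC
    # The OS in the middle swaps in its own key hash but cannot recompute the MAC.
    forged = Report(report.mrenclave, hashlib.sha256(b"other key").digest(), report.mac)
    return b.verify(report), b.verify(forged), c.verify(report)

if __name__ == "__main__":
    print(demo())
```

Binding the hash of the DH public key into `report_data` is what lets the later key exchange inherit the attestation: a report that verifies proves the key came from the measured enclave, not from whatever relayed the message.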
Thanks for your detailed information