Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

How does the quote enclave verify the application enclave's report?

hyunsoo
New Contributor I
825 Views

The white paper (https://software.intel.com/content/dam/develop/external/us/en/documents/hasp-2013-innovative-technology-for-attestation-and-sealing-413939.pdf) describes the attestation mechanism. Two questions came up for me from section 3.2.3.

1. The quote enclave is a black box to the programmer, since there is no official document on how the quote enclave verifies the application enclave's report, and there is also no source code. I'm guessing that verifying the report provided by the application enclave requires calculating a MAC over the application enclave's activity cryptographic logs, which the application enclave has already calculated, and then checking inside the quote enclave whether the provided one matches the calculated one. Could you unpack how the quote enclave verifies the application's report?

2. Remote attestation requires IAS to verify the quote. I'm wondering what exactly the IAS does. The integrity of the application's enclave is already checked by the local quote enclave. I think that IAS just checks whether the EPID exists in Intel's database. Is this all?
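For question 1, the check the quoting enclave performs is a local-attestation MAC verification: EREPORT MACs the report body with a Report Key that EGETKEY derives from the target enclave's identity (the QE's MRENCLAVE named in the TARGETINFO), so only the QE can recompute and compare it. The simulation below is an added illustration, not code from this thread or from the linux-sgx repository; it stands in HMAC-SHA256 for the AES-128-CMAC the hardware actually uses, and the root secret, identities and report layout are constructed placeholders.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-in for the per-CPU secret that only the hardware (EGETKEY) can use.
CPU_ROOT_SECRET = b"constructed-cpu-root-secret"


def report_key(target_mrenclave: bytes) -> bytes:
    """Stand-in for EGETKEY(REPORT_KEY): the key is bound to the *target's* identity.
    Real hardware only hands an enclave the Report Key for its own MRENCLAVE."""
    return hmac.new(CPU_ROOT_SECRET, b"REPORT_KEY" + target_mrenclave, hashlib.sha256).digest()


@dataclass
class Report:
    mrenclave: bytes     # identity of the reporting (application) enclave
    report_data: bytes   # 64 bytes the reporting enclave chose to bind (e.g. a DH public key)
    mac: bytes           # MAC over the body, keyed with the target's Report Key


def ereport(reporter_mrenclave: bytes, target_mrenclave: bytes, report_data: bytes) -> Report:
    """Stand-in for EREPORT: hardware fills the body and MACs it for the named target."""
    body = reporter_mrenclave + report_data
    mac = hmac.new(report_key(target_mrenclave), body, hashlib.sha256).digest()
    return Report(reporter_mrenclave, report_data, mac)


def verify_report(own_mrenclave: bytes, report: Report) -> bool:
    """What the QE does: fetch its own Report Key and recompute the MAC over the body."""
    body = report.mrenclave + report.report_data
    expected = hmac.new(report_key(own_mrenclave), body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, report.mac)


def demo() -> tuple:
    app = hashlib.sha256(b"constructed app enclave").digest()
    qe = hashlib.sha256(b"constructed quoting enclave").digest()
    other = hashlib.sha256(b"constructed other enclave").digest()
    rpt = ereport(app, qe, b"nonce".ljust(64, b"\0"))
    accepted = verify_report(qe, rpt)             # QE is the target: MAC recomputes
    wrong_verifier = verify_report(other, rpt)    # another enclave cannot verify it
    forged = Report(other, rpt.report_data, rpt.mac)  # swapped MRENCLAVE, old MAC
    return accepted, wrong_verifier, verify_report(qe, forged)
```

The third result shows why the MAC, not any log, is what protects the report: changing the claimed MRENCLAVE without the target's Report Key fails verification.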

JesusG_Intel
Moderator
810 Views

Hello Hyunsoo,


This page is not from Intel but it does a good job of explaining Remote Attestation: http://www.sgx101.com/portfolio/remote_attestation/. It lists references at the bottom that may also be of interest to you.


The QE and other architectural enclaves are not a black-box. They are open-source. Here is the source code for the QE:


https://github.com/intel/linux-sgx/blob/master/psw/ae/qe/quoting_enclave.cpp.


You can explore the rest of the GitHub repo for the code for the PSW and Linux driver.


Sincerely,

Jesus G.

Intel Customer Support


hyunsoo
New Contributor I
802 Views

I'm sorry, I didn't know whether the source code exists. Thanks for giving a reference, but you seem to avoid answering all key questions.

JesusG_Intel
Moderator
797 Views

Hello Hyunsoo,


I am trying to provide you resources that answer your questions thoroughly and completely, even with diagrams. It seems to me that you like to understand SGX and remote attestation very deeply so I am giving you resources that get you there.


There is much documentation published that explains all of this so, from my perspective, it does not make sense to rewrite something that has been explained perfectly well elsewhere.


This forum is used primarily for technical support. If something isn't working, I can help you get it working. For long, technical answers about how things work, it is more effective to point you to pre-existing documentation.


Sincerely,

Jesus G.

Intel Customer Support


JesusG_Intel
Moderator
778 Views

This thread has been marked as answered and Intel will no longer monitor this thread. If you want a response from Intel in a follow-up question, please open a new thread.

