I am implementing an enclave to create and store secrets. For high availability reasons I need to replicate the secrets by deploying the same enclave on different machines. To securely transfer the secrets to the enclave on a different machine, how can I make use of remote attestation here?
From the remote attestation sample page https://software.intel.com/en-us/articles/code-sample-intel-software-guard-extensions-remote-attestation-end-to-end-example :
Using the Remote Attestation flow, a client's enclave can attest to a remote entity that it is trusted, and establish an authenticated communication channel with that entity. As part of attestation, the client's enclave proves the following:
- Its identity
- That it has not been tampered with
- That it is running on a genuine platform with Intel SGX enabled
- That it is running at the latest security level, also referred to as the Trusted Computing Base (TCB) level
At that point, the remote server can safely provision secrets to the enclave.
My understanding of what you are saying is that your new enclave (NE) wants to get secrets from your enclave with secrets (SE).
So in your case both NE and SE should attest to each other.
NE wants to get secrets from SE. SE should attest to NE; if SE is ok, NE sends a request for secrets. Then NE should attest to SE. If NE is ok, then SE can share its secrets with NE.
https://github.com/intel/sgx-ra-sample - here you can find source code for the remote attestation sample. It's a server-client architecture, but I think it should help you with your implementation.
Hi @Marcinkowski, Wojciech, thanks for your reply!
I found a way to do it without the complete Remote Attestation flow. The solution is to use the sgx_report_data_t field in sgx_report_t.
My NE will generate a report with a temp ECC-256 public key included as report_data; a quote will be generated using the report, and the quote will be sent to my SE. SE will verify the quote by contacting IAS, and if it is a valid quote then the secrets will be shared using that temp pubkey!
The above solution is somewhat similar to the Sawtooth PoET verification procedure.
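The SE-side check that the solution above relies on, as an added Python example that is not part of this thread: after IAS has validated the quote's signature, SE must still confirm that the quoted enclave is its own build and that the ephemeral key NE sent is the one carried in report_data, or a genuine quote could be paired with a different key. The quote-body offsets follow the sgx_quote_t / sgx_report_body_t layout in the Intel SGX SDK headers; the quote bytes are a constructed fixture with no signature.

```python
import hmac
from dataclasses import dataclass
# Offsets inside sgx_quote_t / sgx_report_body_t as laid out in the Intel SGX SDK headers.
REPORT_BODY_OFF, REPORT_BODY_LEN = 48, 384
MRENCLAVE_OFF, MRSIGNER_OFF, ISV_PROD_ID_OFF, ISV_SVN_OFF = 64, 128, 256, 258
REPORT_DATA_OFF, REPORT_DATA_LEN = 320, 64

@dataclass(frozen=True)
class EnclaveIdentity:
    mr_enclave: bytes
    mr_signer: bytes
    isv_prod_id: int
    isv_svn: int

def parse_quote_body(quote: bytes):
    """Return (identity, report_data) from a quote whose signature IAS has already validated."""
    body = quote[REPORT_BODY_OFF:REPORT_BODY_OFF + REPORT_BODY_LEN]
    if len(body) != REPORT_BODY_LEN:
        raise ValueError("quote too short to hold a report body")
    ident = EnclaveIdentity(
        mr_enclave=body[MRENCLAVE_OFF:MRENCLAVE_OFF + 32],
        mr_signer=body[MRSIGNER_OFF:MRSIGNER_OFF + 32],
        isv_prod_id=int.from_bytes(body[ISV_PROD_ID_OFF:ISV_PROD_ID_OFF + 2], "little"),
        isv_svn=int.from_bytes(body[ISV_SVN_OFF:ISV_SVN_OFF + 2], "little"),
    )
    return ident, body[REPORT_DATA_OFF:REPORT_DATA_OFF + REPORT_DATA_LEN]

def ne_key_is_bound(quote: bytes, ne_pubkey: bytes, me: EnclaveIdentity) -> bool:
    """SE-side decision: release secrets only if the quote names the same enclave build
    as SE itself and the ephemeral key NE sent is the one carried in report_data.
    Without that last comparison a genuine quote could be replayed with any key."""
    if len(ne_pubkey) != REPORT_DATA_LEN:  # raw ECC-256 point X || Y is exactly 64 bytes
        return False
    ident, report_data = parse_quote_body(quote)
    return (hmac.compare_digest(ident.mr_enclave, me.mr_enclave)
            and hmac.compare_digest(ident.mr_signer, me.mr_signer)
            and ident.isv_prod_id == me.isv_prod_id
            and ident.isv_svn >= me.isv_svn  # refuse to provision a downgraded build
            and hmac.compare_digest(report_data, ne_pubkey))

def build_fake_quote(ident: EnclaveIdentity, report_data: bytes) -> bytes:
    """Constructed fixture using the SDK offsets but no EPID signature; not a real quote."""
    body = bytearray(REPORT_BODY_LEN)
    body[MRENCLAVE_OFF:MRENCLAVE_OFF + 32] = ident.mr_enclave
    body[MRSIGNER_OFF:MRSIGNER_OFF + 32] = ident.mr_signer
    body[ISV_PROD_ID_OFF:ISV_PROD_ID_OFF + 2] = ident.isv_prod_id.to_bytes(2, "little")
    body[ISV_SVN_OFF:ISV_SVN_OFF + 2] = ident.isv_svn.to_bytes(2, "little")
    body[REPORT_DATA_OFF:REPORT_DATA_OFF + REPORT_DATA_LEN] = report_data
    return bytes(REPORT_BODY_OFF) + bytes(body) + bytes(4)  # header, body, signature_len
```

Only after ne_key_is_bound returns True should SE derive a channel key from NE's ephemeral public key and send the secrets over it.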