Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
Beginner
71 Views

Intel SGX usage for Certificate Signing Request (CSR) and CMPv2

Jump to solution

Hi Team,

I want to run CMPv2 enrolment scenario for Container application.

It is not clear for me if the following is possible. 

1) The Application container has an SGX enclave created in which the RSA/ESDSA key pair is generated

2) CSR is generated using the key

3) the CSR is attested with the private key of PCK

4) the ROOT cert of PCK is loaded in the CA Server

5) CA server generates the Certificate after validating the CMPV2 IR which is signed by the PCK private key.

Please let me know if such framework is already supported.

 

Thanks

 

Samuel

0 Kudos

Accepted Solutions
Highlighted
Moderator
45 Views

Hello Samueljeyaraj,


Yes, this scenario is possible with Intel SGX enclaves. If you want to ensure that your enclave can be trusted by the CA server, then you need to implement remote attestation of your enclave. You have quite a bit of reading to do...


SGX Remote Attestation Links:

1. ECDSA Remote Attestation/Data Center Attestation Primitives (DCAP) Info:

a.                  https://software.intel.com/en-us/blogs/2018/12/09/an-update-on-3rd-party-attestation

b.                  https://download.01.org/intel-sgx/latest/dcap-latest/linux/docs/Intel_SGX_DCAP_ECDSA_Orientation.pdf

c.                  https://software.intel.com/sites/default/files/managed/f1/b8/intel-sgx-support-for-third-party-attes...

d.                  https://arxiv.org/ftp/arxiv/papers/1801/1801.05863.pdf

e.                  https://download.01.org/intel-sgx/latest/dcap-latest/

f.                   https://github.com/intel/SGXDataCenterAttestationPrimitives

2. SGX Remote Attestation API portal: https://api.portal.trustedservices.intel.com/


You can view this issue for a good example of how to generate public/private key pairs using SGX. Note that the code has a small error which is fixed with:


“When you encrypt the message using sgx_rsa_pub_encrypt_sha256 and you send the size of the input in the last parameter, you are using sizeof(pin_data). In your code, pin_data is a "char *" so the size of "char *" is 8 bytes. For this parameter, you have to send the size of the input itself. In this case, you can use strlen(pin_data) instead of sizeof(pin_data).”


For more information on the relevant APIs, please read the Intel SGX Developer Reference Guide for Windows or Linux.


Jesus Garcia, Intel Customer Support

View solution in original post

0 Kudos
3 Replies
Highlighted
Moderator
46 Views

Hello Samueljeyaraj,


Yes, this scenario is possible with Intel SGX enclaves. If you want to ensure that your enclave can be trusted by the CA server, then you need to implement remote attestation of your enclave. You have quite a bit of reading to do...


SGX Remote Attestation Links:

1. ECDSA Remote Attestation/Data Center Attestation Primitives (DCAP) Info:

a.                  https://software.intel.com/en-us/blogs/2018/12/09/an-update-on-3rd-party-attestation

b.                  https://download.01.org/intel-sgx/latest/dcap-latest/linux/docs/Intel_SGX_DCAP_ECDSA_Orientation.pdf

c.                  https://software.intel.com/sites/default/files/managed/f1/b8/intel-sgx-support-for-third-party-attes...

d.                  https://arxiv.org/ftp/arxiv/papers/1801/1801.05863.pdf

e.                  https://download.01.org/intel-sgx/latest/dcap-latest/

f.                   https://github.com/intel/SGXDataCenterAttestationPrimitives

2. SGX Remote Attestation API portal: https://api.portal.trustedservices.intel.com/


You can view this issue for a good example of how to generate public/private key pairs using SGX. Note that the code has a small error which is fixed with:


“When you encrypt the message using sgx_rsa_pub_encrypt_sha256 and you send the size of the input in the last parameter, you are using sizeof(pin_data). In your code, pin_data is a "char *" so the size of "char *" is 8 bytes. For this parameter, you have to send the size of the input itself. In this case, you can use strlen(pin_data) instead of sizeof(pin_data).”


For more information on the relevant APIs, please read the Intel SGX Developer Reference Guide for Windows or Linux.


Jesus Garcia, Intel Customer Support

View solution in original post

0 Kudos
Highlighted
Beginner
37 Views

Hello Jesus Garcia,

Thank you. I will go through the links and try a PoC and get back to you for guidance if needed. Thanks a lot for the information.

 

Samuel

 

0 Kudos
Highlighted
Moderator
25 Views

This thread has been marked as answered and Intel will no longer monitor this thread. If you want a response from Intel in a follow-up question, please open a new thread.


Jesus Garcia, Intel Customer Support
0 Kudos