Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.
1453 Discussions

Intel SGX usage for Certificate Signing Request (CSR) and CMPv2

Samueljeyaraj
Novice
‎09-14-2020 05:35 AM
1,259 Views
Solved Jump to solution

Hi Team,

I want to run CMPv2 enrolment scenario for Container application.

It is not clear for me if the following is possible. 

1) The Application container has an SGX enclave created in which the RSA/ESDSA key pair is generated

2) CSR is generated using the key

3) the CSR is attested with the private key of PCK

4) the ROOT cert of PCK is loaded in the CA Server

5) CA server generates the Certificate after validating the CMPV2 IR which is signed by the PCK private key.

Please let me know if such framework is already supported.

 

Thanks

 

Samuel

0 Kudos
1 Solution
JesusG_Intel
Moderator
‎09-14-2020 02:34 PM
1,233 Views
Solved Jump to solution

Hello Samueljeyaraj,


Yes, this scenario is possible with Intel SGX enclaves. If you want to ensure that your enclave can be trusted by the CA server, then you need to implement remote attestation of your enclave. You have quite a bit of reading to do...


SGX Remote Attestation Links:

1. ECDSA Remote Attestation/Data Center Attestation Primitives (DCAP) Info:

a.                  https://software.intel.com/en-us/blogs/2018/12/09/an-update-on-3rd-party-attestation

b.                  https://download.01.org/intel-sgx/latest/dcap-latest/linux/docs/Intel_SGX_DCAP_ECDSA_Orientation.pdf

c.                  https://software.intel.com/sites/default/files/managed/f1/b8/intel-sgx-support-for-third-party-attestation.pdf

d.                  https://arxiv.org/ftp/arxiv/papers/1801/1801.05863.pdf

e.                  https://download.01.org/intel-sgx/latest/dcap-latest/

f.                   https://github.com/intel/SGXDataCenterAttestationPrimitives

2. SGX Remote Attestation API portal: https://api.portal.trustedservices.intel.com/


You can view this issue for a good example of how to generate public/private key pairs using SGX. Note that the code has a small error which is fixed with:


“When you encrypt the message using sgx_rsa_pub_encrypt_sha256 and you send the size of the input in the last parameter, you are using sizeof(pin_data). In your code, pin_data is a "char *" so the size of "char *" is 8 bytes. For this parameter, you have to send the size of the input itself. In this case, you can use strlen(pin_data) instead of sizeof(pin_data).”


For more information on the relevant APIs, please read the Intel SGX Developer Reference Guide for Windows or Linux.


View solution in original post

0 Kudos
Copy link

Link Copied

3 Replies
JesusG_Intel
Moderator
‎09-14-2020 02:34 PM
1,234 Views
Solved Jump to solution

Hello Samueljeyaraj,


Yes, this scenario is possible with Intel SGX enclaves. If you want to ensure that your enclave can be trusted by the CA server, then you need to implement remote attestation of your enclave. You have quite a bit of reading to do...


SGX Remote Attestation Links:

1. ECDSA Remote Attestation/Data Center Attestation Primitives (DCAP) Info:

a.                  https://software.intel.com/en-us/blogs/2018/12/09/an-update-on-3rd-party-attestation

b.                  https://download.01.org/intel-sgx/latest/dcap-latest/linux/docs/Intel_SGX_DCAP_ECDSA_Orientation.pdf

c.                  https://software.intel.com/sites/default/files/managed/f1/b8/intel-sgx-support-for-third-party-attestation.pdf

d.                  https://arxiv.org/ftp/arxiv/papers/1801/1801.05863.pdf

e.                  https://download.01.org/intel-sgx/latest/dcap-latest/

f.                   https://github.com/intel/SGXDataCenterAttestationPrimitives

2. SGX Remote Attestation API portal: https://api.portal.trustedservices.intel.com/


You can view this issue for a good example of how to generate public/private key pairs using SGX. Note that the code has a small error which is fixed with:


“When you encrypt the message using sgx_rsa_pub_encrypt_sha256 and you send the size of the input in the last parameter, you are using sizeof(pin_data). In your code, pin_data is a "char *" so the size of "char *" is 8 bytes. For this parameter, you have to send the size of the input itself. In this case, you can use strlen(pin_data) instead of sizeof(pin_data).”


For more information on the relevant APIs, please read the Intel SGX Developer Reference Guide for Windows or Linux.


0 Kudos
Copy link
Samueljeyaraj
Novice
‎09-14-2020 08:44 PM
1,225 Views
Solved Jump to solution
In response to JesusG_Intel

Hello Jesus Garcia,

Thank you. I will go through the links and try a PoC and get back to you for guidance if needed. Thanks a lot for the information.

 

Samuel

 

In response to JesusG_Intel
0 Kudos
Copy link
JesusG_Intel
Moderator
‎09-15-2020 09:59 AM
1,213 Views
Solved Jump to solution

This thread has been marked as answered and Intel will no longer monitor this thread. If you want a response from Intel in a follow-up question, please open a new thread.


0 Kudos
Copy link
Reply

Community support is provided during standard business hours (Monday to Friday 7AM - 5PM PST). Other contact methods are available here.

Intel does not verify all solutions, including but not limited to any file transfers that may appear in this community. Accordingly, Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade.

For more complete information about compiler optimizations, see our Optimization Notice.