Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.
1453 Discussions

Is it possible to revoke some enclave's permission to execute?

gu_j_1
Beginner
‎05-12-2016 08:11 PM
1,572 Views
Solved Jump to solution

The developer may be want to prevent old version enclaves executing. However the old enclaves together with old SIGSTRUCT and TOKEN  have been delivered.

0 Kudos
1 Solution
Alexander_B_Intel
Employee
‎05-18-2016 09:44 AM
1,572 Views
Solved Jump to solution

gu j. wrote:

Does the attestation usually take place at the launch time of enclave? If so, does it mean remote entity cannot stop the execution of old version enclaves which have already run?

Attestation can happen at any time when an enclave asks the remote entity to provision secrets to it. The remote entity cannot stop the execution of the enclave, but it can fail the enclave attestation and refuse to provision it with any new secrets.

View solution in original post

0 Kudos
Copy link

Link Copied

3 Replies
Alexander_B_Intel
Employee
‎05-17-2016 11:19 AM
1,572 Views
Solved Jump to solution

Hi Gu,

Is your application using Remote Attestation? If so, you can revoke an enclave's ability to attest via several methods.The Service Provider can update the ISVSVN or ISVPRODID and subsequently fail attestation requests. The ISV can also ask to place the signature on the Signature Revocation List (SigRL). Please refer to the following article for more information: https://software.intel.com/en-us/blogs/2016/03/09/intel-sgx-epid-provisioning-and-attestation-services.

If your application is not using attestation, there is no way to prevent the enclave from executing without changing the underlying Trusted Compute Base on the local platform.

0 Kudos
Copy link
gu_j_1
Beginner
‎05-17-2016 06:01 PM
1,572 Views
Solved Jump to solution

Alexander B. (Intel) wrote:

Hi Gu,

Is your application using Remote Attestation? If so, you can revoke an enclave's ability to attest via several methods.The Service Provider can update the ISVSVN or ISVPRODID and subsequently fail attestation requests. The ISV can also ask to place the signature on the Signature Revocation List (SigRL). Please refer to the following article for more information: https://software.intel.com/en-us/blogs/2016/03/09/intel-sgx-epid-provisioning-and-attestation-services.

If your application is not using attestation, there is no way to prevent the enclave from executing without changing the underlying Trusted Compute Base on the local platform.

[/quote]

Does the attestation usually take place at the launch time of enclave? If so, does it mean remote entity cannot stop the execution of old version enclaves which have already run?

Thanks! 

0 Kudos
Copy link
Alexander_B_Intel
Employee
‎05-18-2016 09:44 AM
1,573 Views
Solved Jump to solution

gu j. wrote:

Does the attestation usually take place at the launch time of enclave? If so, does it mean remote entity cannot stop the execution of old version enclaves which have already run?

Attestation can happen at any time when an enclave asks the remote entity to provision secrets to it. The remote entity cannot stop the execution of the enclave, but it can fail the enclave attestation and refuse to provision it with any new secrets.

0 Kudos
Copy link
Reply

Community support is provided during standard business hours (Monday to Friday 7AM - 5PM PST). Other contact methods are available here.

Intel does not verify all solutions, including but not limited to any file transfers that may appear in this community. Accordingly, Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade.

For more complete information about compiler optimizations, see our Optimization Notice.