Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
Beginner
61 Views

Is it possible to revoke some enclave's permission to execute?

Jump to solution

The developer may be want to prevent old version enclaves executing. However the old enclaves together with old SIGSTRUCT and TOKEN  have been delivered.

0 Kudos

Accepted Solutions
Highlighted
61 Views

Quote:gu j. wrote:

Jump to solution

gu j. wrote:

Does the attestation usually take place at the launch time of enclave? If so, does it mean remote entity cannot stop the execution of old version enclaves which have already run?

Attestation can happen at any time when an enclave asks the remote entity to provision secrets to it. The remote entity cannot stop the execution of the enclave, but it can fail the enclave attestation and refuse to provision it with any new secrets.

View solution in original post

0 Kudos
3 Replies
Highlighted
61 Views

Hi Gu,

Is your application using Remote Attestation? If so, you can revoke an enclave's ability to attest via several methods.The Service Provider can update the ISVSVN or ISVPRODID and subsequently fail attestation requests. The ISV can also ask to place the signature on the Signature Revocation List (SigRL). Please refer to the following article for more information: https://software.intel.com/en-us/blogs/2016/03/09/intel-sgx-epid-provisioning-and-attestation-servic....

If your application is not using attestation, there is no way to prevent the enclave from executing without changing the underlying Trusted Compute Base on the local platform.

0 Kudos
Highlighted
Beginner
61 Views

Quote:Alexander B. (Intel)

Jump to solution

Alexander B. (Intel) wrote:

Hi Gu,

Is your application using Remote Attestation? If so, you can revoke an enclave's ability to attest via several methods.The Service Provider can update the ISVSVN or ISVPRODID and subsequently fail attestation requests. The ISV can also ask to place the signature on the Signature Revocation List (SigRL). Please refer to the following article for more information: https://software.intel.com/en-us/blogs/2016/03/09/intel-sgx-epid-provisioning-and-attestation-servic....

If your application is not using attestation, there is no way to prevent the enclave from executing without changing the underlying Trusted Compute Base on the local platform.

[/quote]

Does the attestation usually take place at the launch time of enclave? If so, does it mean remote entity cannot stop the execution of old version enclaves which have already run?

Thanks! 

0 Kudos
Highlighted
62 Views

Quote:gu j. wrote:

Jump to solution

gu j. wrote:

Does the attestation usually take place at the launch time of enclave? If so, does it mean remote entity cannot stop the execution of old version enclaves which have already run?

Attestation can happen at any time when an enclave asks the remote entity to provision secrets to it. The remote entity cannot stop the execution of the enclave, but it can fail the enclave attestation and refuse to provision it with any new secrets.

View solution in original post

0 Kudos