Intel® Software Guard Extensions (Intel® SGX)
Use hardware-based isolation and memory encryption to provide more code protection in your solutions.
1310 Discussions

Is it possible to revoke some enclave's permission to execute?

gu_j_1
Beginner
738 Views

The developer may be want to prevent old version enclaves executing. However the old enclaves together with old SIGSTRUCT and TOKEN  have been delivered.

0 Kudos
1 Solution
Alexander_B_Intel
738 Views

gu j. wrote:

Does the attestation usually take place at the launch time of enclave? If so, does it mean remote entity cannot stop the execution of old version enclaves which have already run?

Attestation can happen at any time when an enclave asks the remote entity to provision secrets to it. The remote entity cannot stop the execution of the enclave, but it can fail the enclave attestation and refuse to provision it with any new secrets.

View solution in original post

3 Replies
Alexander_B_Intel
738 Views

Hi Gu,

Is your application using Remote Attestation? If so, you can revoke an enclave's ability to attest via several methods.The Service Provider can update the ISVSVN or ISVPRODID and subsequently fail attestation requests. The ISV can also ask to place the signature on the Signature Revocation List (SigRL). Please refer to the following article for more information: https://software.intel.com/en-us/blogs/2016/03/09/intel-sgx-epid-provisioning-and-attestation-servic....

If your application is not using attestation, there is no way to prevent the enclave from executing without changing the underlying Trusted Compute Base on the local platform.

gu_j_1
Beginner
738 Views

Alexander B. (Intel) wrote:

Hi Gu,

Is your application using Remote Attestation? If so, you can revoke an enclave's ability to attest via several methods.The Service Provider can update the ISVSVN or ISVPRODID and subsequently fail attestation requests. The ISV can also ask to place the signature on the Signature Revocation List (SigRL). Please refer to the following article for more information: https://software.intel.com/en-us/blogs/2016/03/09/intel-sgx-epid-provisioning-and-attestation-servic....

If your application is not using attestation, there is no way to prevent the enclave from executing without changing the underlying Trusted Compute Base on the local platform.

[/quote]

Does the attestation usually take place at the launch time of enclave? If so, does it mean remote entity cannot stop the execution of old version enclaves which have already run?

Thanks! 

Alexander_B_Intel
739 Views

gu j. wrote:

Does the attestation usually take place at the launch time of enclave? If so, does it mean remote entity cannot stop the execution of old version enclaves which have already run?

Attestation can happen at any time when an enclave asks the remote entity to provision secrets to it. The remote entity cannot stop the execution of the enclave, but it can fail the enclave attestation and refuse to provision it with any new secrets.

Reply