Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

Limitations of the Development Attestation Service for Intel SGX

Adrian_D_
Beginner
552 Views

Hi,

I couldn't find any information about the limitations of the Development Attestation Service for Intel SGX compared to the Production Attestation Service for Intel SGX. The licensee guide only states that the production version is intended for "business-relevant traffic". But what are the security implications of using the Development Attestation Service for verification of production-mode enclaves? Is this even possible or would the service reject the request? And does the development version perform an actual verification of the EPID signature?

Regards

Adrian

0 Kudos
5 Replies
Rodolfo_S_
New Contributor III

Hi, Adrian.

To the best of my knowledge, there is no difference in the functionalities of the Development and the Production Attestation Services. The only difference between them is that the Production one will only accept registered certificates that meet all the requirements described here, while the Development one will accept registered self-signed certificates.

The development attestation service does verify the EPID signature.

Best regards,

Rodolfo

0 Kudos
Adrian_D_
Beginner

Hi Rodolfo,

thanks for the quick reply. Are you associated with Intel? I assume that you are not, because your username does not end with "(Intel)". If so, I still appreciate your answer, but I hope that someone from Intel can confirm this, because I would like to know for sure whether Development Attestation Service can be used with production enclaves without security implications.

Regards

Adrian

0 Kudos
Adrian_D_
Beginner

I'm still hoping to get an answer to this from an Intel employee.

0 Kudos
Anusha_K_Intel
Employee

Hi,

Limitations while using a debug enclave instead of a production enclave:

The ATTRIBUTES field in the SECS is reported in the enclave's attestation, and is included in the key derivation for the enclave; secrets that were protected by the enclave using Intel SGX keys when it ran as a production enclave will not be accessible by the debug enclave. A debugger needs to be aware that special debug content might be required for a debug enclave to run in a meaningful way.

EPC memory belonging to a debug enclave can be accessed via the EDBGRD/EDBGWR leaf functions, while that belonging to a non-debug enclave cannot be accessed by these leaf functions.

And the ones mentioned by Rodolfo.

0 Kudos
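
Added example (not part of any post in this thread, and not Intel's code): because ATTRIBUTES is reported in the enclave's attestation, a relying party can read the DEBUG flag from the quote body of an attestation report it has already verified and refuse debug enclaves. The offsets follow the `sgx_quote_t` / `sgx_report_body_t` layout in the SGX SDK headers; the function names and the sample quote are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout per sgx_quote_t / sgx_report_body_t in the Intel SGX SDK headers:
 * 48-byte quote header, then the 384-byte report body, whose ATTRIBUTES
 * field (8-byte flags + 8-byte XFRM) starts 48 bytes in. */
#define QUOTE_HEADER_LEN   48u
#define REPORT_BODY_LEN    384u
#define ATTR_OFF_IN_BODY   48u
#define SGX_FLAGS_INITTED  0x1ULL
#define SGX_FLAGS_DEBUG    0x2ULL   /* enclave permits EDBGRD/EDBGWR */

enum enclave_mode { MODE_INVALID = -1, MODE_PRODUCTION = 0, MODE_DEBUG = 1 };

/* Read a little-endian 64-bit value without alignment assumptions. */
static uint64_t le64(const uint8_t *p) {
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}

/* Hypothetical helper: classify a quote body by its ATTRIBUTES flags. */
enum enclave_mode quote_enclave_mode(const uint8_t *quote, size_t len) {
    if (quote == NULL || len < QUOTE_HEADER_LEN + REPORT_BODY_LEN)
        return MODE_INVALID;             /* truncated input: do not guess */
    uint64_t flags = le64(quote + QUOTE_HEADER_LEN + ATTR_OFF_IN_BODY);
    if (!(flags & SGX_FLAGS_INITTED))
        return MODE_INVALID;             /* reports come from initialized enclaves */
    return (flags & SGX_FLAGS_DEBUG) ? MODE_DEBUG : MODE_PRODUCTION;
}

/* Constructed sample: an all-zero quote body with only the low flags byte set. */
enum enclave_mode sample_mode(uint8_t flags_low_byte) {
    uint8_t q[QUOTE_HEADER_LEN + REPORT_BODY_LEN];
    memset(q, 0, sizeof q);
    q[QUOTE_HEADER_LEN + ATTR_OFF_IN_BODY] = flags_low_byte;
    return quote_enclave_mode(q, sizeof q);
}

int main(void) {
    printf("flags=0x05 -> %d\n", sample_mode(0x05)); /* INITTED | MODE64BIT */
    printf("flags=0x07 -> %d\n", sample_mode(0x07)); /* same, plus DEBUG */
    return 0;
}
```

The flag is only meaningful once the attestation report carrying the quote body has passed signature verification; on an unverified quote it is attacker-controlled input.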
Adrian_D_
Beginner

Hi Anusha,

thanks for your reply. You explained limitations of debug enclaves. My questions were not about debug enclaves but production enclaves in combination with the Development Attestation Service. Let me restate my questions:

1. Is it possible to verify production enclaves with the Development Attestation Service instead of the Production Attestation Service?

2. If the answer to 1. is yes, are there any security implications?

3. If the answer to 2. is no, what is the difference between the Development and Production Attestation Services?

Regards

Adrian

0 Kudos