Hi, suppose there are two enclaves Ea and Eb on two different machines, and Ea has a secret. Eb wants to retrieve this secret from Ea. I wonder if remote attestation can directly ensure that both enclaves can verify that the other enclave is genuine.
I actually found several similar questions on the forum, but I get confused because the answers are not consistent. For example, the following answers claim that it is not possible.
While the following claim that it is possible.
So, my question is whether it is indeed possible to do mutual remote attestation between two remote enclaves. If so, is it simply a matter of doing remote attestation twice (one acts as the attester and the other as the challenger), or what is the proper and secure way to do so? I did find another solution (https://github.com/cloud-security-research/sgx-ra-tls) that can do mutual remote attestation, but that is based on a different framework and workflow. What I am concerned with is the classic remote attestation process, as presented in https://software.intel.com/en-us/articles/code-sample-intel-software-guard-extensions-remote-attestation-end-to-end-example.
Any advice would be highly appreciated.
Thanks and best regards,
- General Support
It is indeed possible for two remote enclaves to attest each other as described in the latter two posts you linked. It seems that post 852293 has the most detailed advice on how to achieve this. However, your scenario is probably different and you will need to adjust accordingly.
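Added example (not from the forum thread, the linked posts, or the Intel SDK): a runnable simulation of the "run the classic RA flow in both directions" approach the question asks about. Both enclaves share one ephemeral Diffie-Hellman exchange; each side is the attester for its own quote and the challenger for the peer's, and each quote carries a REPORT_DATA that binds the enclave's own public key, the peer's public key and the peer's fresh nonce, the same idea the Intel end-to-end sample uses when it binds the DH public keys into the report data. The secret is only released once both verifications have passed. Everything platform-specific is a labelled stand-in: the Quoting Enclave signature and the attestation-service check are emulated with an HMAC key held by both parties, the MRENCLAVE values are constructed digests, and the DH group is the RFC 3526 2048-bit MODP group.

```python
"""Simulated mutual remote attestation between two enclaves, Ea and Eb.

Constructed stand-in for the classic SGX RA flow, not Intel SDK code: quote
signing is emulated with an HMAC key shared with the verifier (in real SGX the
Quoting Enclave signs and the attestation service verifies), MRENCLAVE values
are made-up digests, and the key exchange is plain DH over RFC 3526 group 14.
"""
import hashlib
import hmac
import secrets

P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2

QE_KEY = secrets.token_bytes(32)  # constructed stand-in for the Quoting Enclave key

MR_A = hashlib.sha256(b"enclave-a-build").digest()  # constructed MRENCLAVE of Ea
MR_B = hashlib.sha256(b"enclave-b-build").digest()  # constructed MRENCLAVE of Eb
MR_ROGUE = hashlib.sha256(b"rogue-build").digest()  # genuine but untrusted enclave


def make_quote(mrenclave: bytes, report_data: bytes) -> dict:
    """Emulate sgx_create_report + quoting: the signature covers MRENCLAVE and
    the 64-byte REPORT_DATA chosen by the attesting enclave."""
    assert len(report_data) == 64
    mac = hmac.new(QE_KEY, mrenclave + report_data, "sha256").digest()
    return {"mrenclave": mrenclave, "report_data": report_data, "mac": mac}


def quote_is_valid(quote: dict) -> bool:
    """Stand-in for the attestation-service signature check on a quote."""
    expect = hmac.new(QE_KEY, quote["mrenclave"] + quote["report_data"], "sha256").digest()
    return hmac.compare_digest(expect, quote["mac"])


class Enclave:
    def __init__(self, mrenclave: bytes, trusted_peers: set):
        self.mrenclave = mrenclave
        self.trusted_peers = trusted_peers        # allow-list of peer MRENCLAVEs
        self.priv = secrets.randbelow(P - 2) + 1  # ephemeral DH private key
        self.pub = pow(G, self.priv, P)
        self.nonce = secrets.token_bytes(16)      # fresh challenge for the peer's quote
        self.session_key = None

    def pub_bytes(self) -> bytes:
        return self.pub.to_bytes(256, "big")

    def attest_to(self, peer_pub: bytes, peer_nonce: bytes) -> dict:
        """Attester role: REPORT_DATA = H(own_pub || peer_pub || peer_nonce), so the
        quote is bound to this key exchange and to the peer's challenge."""
        rd = hashlib.sha512(self.pub_bytes() + peer_pub + peer_nonce).digest()
        return make_quote(self.mrenclave, rd)

    def verify_peer(self, peer_pub: bytes, quote: dict) -> bool:
        """Challenger role: genuine quote, expected identity, binding to my own
        public key and nonce. Only then derive the session key."""
        if not quote_is_valid(quote):
            return False
        if quote["mrenclave"] not in self.trusted_peers:
            return False
        expect = hashlib.sha512(peer_pub + self.pub_bytes() + self.nonce).digest()
        if not hmac.compare_digest(expect, quote["report_data"]):
            return False
        y = int.from_bytes(peer_pub, "big")
        if not 1 < y < P - 1:                    # reject degenerate DH values
            return False
        shared = pow(y, self.priv, P)
        self.session_key = hashlib.sha256(shared.to_bytes(256, "big")).digest()
        return True


def mutual_attestation(ea: Enclave, eb: Enclave) -> bool:
    """Classic RA flow in both directions over a single DH exchange: each side
    is attester for its own quote and challenger for the peer's."""
    qa = ea.attest_to(eb.pub_bytes(), eb.nonce)   # Ea's quote (msg3 analogue) to Eb
    qb = eb.attest_to(ea.pub_bytes(), ea.nonce)   # Eb's quote (msg3 analogue) to Ea
    # No secret leaves either enclave until both verifications have passed.
    return ea.verify_peer(eb.pub_bytes(), qb) and eb.verify_peer(ea.pub_bytes(), qa)


def run_demo() -> dict:
    results = {}
    ea, eb = Enclave(MR_A, {MR_B}), Enclave(MR_B, {MR_A})
    results["honest"] = mutual_attestation(ea, eb)
    results["keys_match"] = ea.session_key == eb.session_key
    # A genuine enclave with an unexpected MRENCLAVE has a valid quote but is refused.
    rogue = Enclave(MR_ROGUE, {MR_A})
    results["wrong_mrenclave"] = mutual_attestation(Enclave(MR_A, {MR_B}), rogue)
    # A quote captured from the first session cannot be replayed into a new one:
    # its REPORT_DATA binds the old public keys and the old nonce.
    ea2 = Enclave(MR_A, {MR_B})
    old_quote = eb.attest_to(ea.pub_bytes(), ea.nonce)
    results["replayed_quote"] = ea2.verify_peer(eb.pub_bytes(), old_quote)
    return results


if __name__ == "__main__":
    print(run_demo())
```

The point the simulation makes is that two independent attestations are not enough by themselves: each quote must be bound to the same ephemeral key exchange and to the challenger's nonce, otherwise a quote from an unrelated session can be replayed, and the MRENCLAVE in the peer's quote must be checked against an allow-list, since "genuine" only means "signed by a real platform". In a real deployment the HMAC stand-in is replaced by verification through Intel's attestation service, and the derived session key would feed an AEAD for transporting Ea's secret.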