Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

Provide remote attestation to external user

David_B_1
Beginner
565 Views

Hello,

In case external users (other than the enclave developer who has signed the enclave with his private key)  need to share data with the application enclave, is it possible for these users to get a certified measurement  of the application enclave (e.g. from the quoting enclave) without the enclave developer being able to tamper with this measurement?

In other words, can the enclave developer prove to an external user that it is safe the share his data with the enclave?

Thanks, David

0 Kudos
6 Replies
AArya2
New Contributor I
565 Views
0 Kudos
David_B_1
Beginner
565 Views

Thanks Arya,

However, I don't think it answers my question. What I would like to know is if it is possible for an enclave to provide (with ISV's agreement) a remote attestation to an external user that is not the ISV (i.e. not the enclave developper who signed the enclave).

 

Maybe something like the figure below:

IAS_ExtUsr.png

0 Kudos
David_B_1
Beginner
565 Views

I will try to rephrase this: Can a user (other than the ISV who has the private signing key) obtain a remote attestation from (or with the help of) the ISV but without the ISV being able to tamper with this attestation?

 

0 Kudos
Rodolfo_S_
New Contributor III
565 Views

Hi, David.

This is absolutely possible. The private signing key is not needed in the process of producing a quote once the enclave application is already running. The quote is signed with the EPID key, and not with the private signing key.

Best regards,
Rodolfo

0 Kudos
David_B_1
Beginner
565 Views

Thanks Rodolfo, this was very helpful!

0 Kudos
yu_b_1
Beginner
565 Views

About this issue,I still have a question.

EPID (key) seems to prove the ISV identity。but how to prove the code run in the enclave is the one expected , by comparing the "MRENCLAVE" measurement value 

0 Kudos
Reply