I am inquiring about the CPUSVN number that is provided as part of the remote attestation digest of an enclave. In particular, I wanted to know if this number is unique for every processor or two different processors (with similar microcode update versions) can have the same CPUSVN?
For example, if I have two processors of the same model, with the same microcode update and running the exact same enclave, can I differentiate between their remote attestation digests just by looking at the CPUSVN? I am assuming that they will be signed by two different attestation keys, but only Intel can verify the attestation keys and presumably differentiate between them. Is such a feat possible for the enclave developer?
The CPUSVN cannot be used to differentiate between processors since processors of the same Family-Model-Stepping-PlatformID can have the same CPUSVN.
You have a few options to differentiate, depending on the use case. You could generate a random/unique identifier (i.e. a GUID) and put it in the report_data field of the report_body before sending it up to the relying party, which would store it to differentiate, or the relying party could provision something similar down to the enclave after successful attestation and a secure channel is set up.
I hope this helps.
Intel Customer Support
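The following is an added illustration of the first option in the answer above; it is not code from Intel or from the original poster. It lays out the 64-byte REPORT_DATA field with a random GUID in its first 16 bytes (the enclave would hand that buffer to sgx_create_report; here uuid4 stands in for sgx_read_rand), and then plays the relying-party side: it parses two constructed report bodies that share the same CPUSVN and MRENCLAVE, registers each instance by the GUID it carries, and shows that CPUSVN alone yields one value for both. The field offsets are taken from the sgx_report_body_t layout in the SGX SDK (cpu_svn at offset 0, mr_enclave at 64, report_data at 320 of a 384-byte body); the CPUSVN and MRENCLAVE values are constructed placeholders, not real measurements.

```python
import uuid

# Field offsets inside sgx_report_body_t (Intel SGX SDK, sgx_report.h): the body
# is 384 bytes and REPORT_DATA occupies the last 64 bytes.
REPORT_BODY_SIZE = 384
CPU_SVN_OFF, CPU_SVN_LEN = 0, 16
MR_ENCLAVE_OFF, MR_ENCLAVE_LEN = 64, 32
REPORT_DATA_OFF, REPORT_DATA_LEN = 320, 64
GUID_LEN = 16  # the instance identifier occupies the first 16 bytes of REPORT_DATA


def build_report_data(instance_guid: bytes) -> bytes:
    """Enclave side: 64-byte REPORT_DATA with the instance GUID in the first 16
    bytes and zero padding after it.  Inside a real enclave this is the buffer
    you would pass as sgx_report_data_t to sgx_create_report()."""
    if len(instance_guid) != GUID_LEN:
        raise ValueError("instance GUID must be 16 bytes")
    return instance_guid + bytes(REPORT_DATA_LEN - GUID_LEN)


def new_instance_guid() -> bytes:
    """Random (version 4) GUID; inside the enclave use sgx_read_rand() instead."""
    return uuid.uuid4().bytes


def make_report_body(cpu_svn: bytes, mr_enclave: bytes, report_data: bytes) -> bytes:
    """Constructed stand-in for a report body: only the three fields this
    example reads are populated, everything else is left zero."""
    body = bytearray(REPORT_BODY_SIZE)
    body[CPU_SVN_OFF:CPU_SVN_OFF + CPU_SVN_LEN] = cpu_svn
    body[MR_ENCLAVE_OFF:MR_ENCLAVE_OFF + MR_ENCLAVE_LEN] = mr_enclave
    body[REPORT_DATA_OFF:REPORT_DATA_OFF + REPORT_DATA_LEN] = report_data
    return bytes(body)


def parse_report_body(body: bytes) -> dict:
    """Extract the fields the relying party needs from a raw report body."""
    if len(body) != REPORT_BODY_SIZE:
        raise ValueError("unexpected report body size")
    return {
        "cpu_svn": body[CPU_SVN_OFF:CPU_SVN_OFF + CPU_SVN_LEN],
        "mr_enclave": body[MR_ENCLAVE_OFF:MR_ENCLAVE_OFF + MR_ENCLAVE_LEN],
        "guid": body[REPORT_DATA_OFF:REPORT_DATA_OFF + GUID_LEN],
    }


class RelyingParty:
    """Relying-party side: a table of attested enclave instances keyed by the
    GUID carried in REPORT_DATA.  This runs only after the quote signature and
    MRSIGNER/ISVSVN checks have passed, which are out of scope here."""

    def __init__(self, expected_mr_enclave: bytes):
        self.expected_mr_enclave = expected_mr_enclave
        self.instances = {}  # guid -> cpu_svn

    def register(self, body: bytes) -> bytes:
        fields = parse_report_body(body)
        if fields["mr_enclave"] != self.expected_mr_enclave:
            raise ValueError("MRENCLAVE mismatch")
        guid = fields["guid"]
        if guid in self.instances:
            # The same GUID twice means a replayed report or a non-random identifier.
            raise ValueError("instance GUID already registered")
        self.instances[guid] = fields["cpu_svn"]
        return guid

    def distinct_cpusvns(self) -> int:
        """How many instances CPUSVN alone could tell apart."""
        return len(set(self.instances.values()))


# Constructed sample values: two hosts with the same stepping and microcode.
SAMPLE_CPU_SVN = bytes.fromhex("0a0a0202000000000000000000000000")  # constructed
SAMPLE_MR_ENCLAVE = bytes(range(32))  # constructed, not a real measurement


def demo() -> tuple:
    """Register two instances of the identical enclave; return
    (instances registered, distinct CPUSVN values seen)."""
    rp = RelyingParty(SAMPLE_MR_ENCLAVE)
    for _ in range(2):
        report_data = build_report_data(new_instance_guid())
        body = make_report_body(SAMPLE_CPU_SVN, SAMPLE_MR_ENCLAVE, report_data)
        rp.register(body)
    return len(rp.instances), rp.distinct_cpusvns()


if __name__ == "__main__":
    print(demo())  # (2, 1): two instances, but only one CPUSVN value among them
```

The registry deliberately rejects a second report carrying a GUID it has already seen: a report bound to the same identifier arriving twice is either a replay or a sign that the enclave did not draw the identifier from a proper random source, and either case should be investigated rather than silently merged.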