Intel® Software Guard Extensions (Intel® SGX)

Query about CPUSVN (and remote attestation)

AAhma10

Hey,

I am inquiring about the CPUSVN number that is provided as part of the remote attestation digest of an enclave. In particular, I wanted to know if this number is unique for every processor or two different processors (with similar microcode update versions) can have the same CPUSVN?

For example, if I have two processors of the same model, with the same microcode update and running the exact same enclave, can I differentiate between their remote attestation digests, just by looking at the CPUSVN? I am assuming that they will be signed by two different attestation keys but only Intel can verify the attestation keys, and presumably differentiate between them. Is such a feat possible for the enclave developer?

Thanks!

Adil

JesusG_Intel
Moderator

Hello Adil,

The CPUSVN cannot be used to differentiate between processors since processors of the same Family-Model-Stepping-PlatformID can have the same CPUSVN. 

You have a few options to differentiate, depending on the use case. You could generate a random/unique identifier (i.e. a GUID) and put it in the report_data field of the report_body before sending up to the relying party, which would store it to differentiate, or the relying party could provision something similar down to the enclave after successful attestation and a secure channel is set up.

I hope this helps.

Regards,

Jesus

Intel Customer Support
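
As an added worked example (not code from this thread or from the Intel SGX SDK), here is a relying-party-side parser for the 384-byte sgx_report_body_t that shows why two reports with identical CPUSVN and MRENCLAVE can only be told apart by the GUID the enclave placed in report_data. The field offsets follow the SDK's sgx_report.h; the convention of putting the GUID in the first 16 bytes of report_data, the helper names and all sample values are assumptions constructed for the example.

```python
import uuid

# Field offsets of sgx_report_body_t (Intel SGX SDK, sgx_report.h); the body is 384 bytes.
REPORT_BODY_LEN = 384
_FIELDS = {
    "cpu_svn":     (0,   16),   # CPUSVN: a TCB level shared by many CPUs of one FMSP
    "mr_enclave":  (64,  32),   # enclave measurement, identical for identical enclaves
    "mr_signer":   (128, 32),
    "report_data": (320, 64),   # 64 bytes chosen by the enclave when the REPORT is created
}

def parse_report_body(body: bytes) -> dict:
    """Split a raw 384-byte REPORT body into the fields a relying party inspects."""
    if len(body) != REPORT_BODY_LEN:
        raise ValueError(f"report body must be {REPORT_BODY_LEN} bytes, got {len(body)}")
    return {name: body[off:off + size] for name, (off, size) in _FIELDS.items()}

def instance_id(body: bytes) -> uuid.UUID:
    """Recover the per-instance GUID the enclave placed in report_data[0:16].
    Assumed convention: GUID in the first 16 bytes, remaining 48 bytes zero.
    Only meaningful once the enclosing quote's signature has been verified."""
    data = parse_report_body(body)["report_data"]
    if any(data[16:]):
        raise ValueError("unexpected bytes after the GUID in report_data")
    return uuid.UUID(bytes=data[:16])

def make_report_body(cpu_svn: bytes, mr_enclave: bytes, guid: uuid.UUID) -> bytes:
    """Build a constructed, unsigned report body for testing (not a real REPORT)."""
    buf = bytearray(REPORT_BODY_LEN)
    buf[0:16] = cpu_svn
    buf[64:96] = mr_enclave
    buf[320:336] = guid.bytes
    return bytes(buf)

# Constructed sample: two machines with the same CPUSVN running the same enclave,
# each having generated its own GUID before calling sgx_create_report.
SAME_CPUSVN = bytes.fromhex("0e0e0203ff8000000000000000000000")   # made-up value
SAME_MRENCLAVE = bytes(range(32))                                   # made-up value
GUID_A = uuid.UUID("11111111-2222-3333-4444-555555555555")
GUID_B = uuid.UUID("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")
REPORT_A = make_report_body(SAME_CPUSVN, SAME_MRENCLAVE, GUID_A)
REPORT_B = make_report_body(SAME_CPUSVN, SAME_MRENCLAVE, GUID_B)

def cpusvn_distinguishes(a: bytes, b: bytes) -> bool:
    """True only if CPUSVN alone tells the two reports apart (it does not here)."""
    return parse_report_body(a)["cpu_svn"] != parse_report_body(b)["cpu_svn"]
```

The relying party keys its per-machine state on instance_id(), never on cpu_svn; a stored GUID is only trustworthy if it came out of a report whose quote signature verified.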
