Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

Question about PCE and PCCS.

André_B
Beginner

Hi,

I've been researching Intel SGX as a part of my master's thesis project. I would greatly appreciate some clarifications regarding the PCE and PCCS. The setup uses ECDSA-based attestation in a data-center-like environment. It's helpful if I figure out to what extent the entire system can be offline. The PCCS has support for offline caching, with manual administration. Verification, from what I understand, is possible to do only with PCCS and helpful libraries. However, I'm uncertain about the PCE at first launch/deployment, and if it needs to consult Intel directly or not. It's been difficult to find clear documentation about it.

Question: Can the PCE retrieve the attestation collateral directly from PCCS, rather than from Intel directly?

If you can think of other obstacles to making the system offline that you think I've missed, please share them.

Thanks for your help!

Sahira_Intel
Moderator

Hi,


Intel does provide a reference caching service for Intel SGX PCS. The CSP or datacenter is expected to modify the ref to work within their infrastructure. The main limitation is that it requires runtime access to the internet to acquire the PCK certificate from the SGX PCS - so it does not support APIs to retrieve PCK certificates at deployment time.


You will find more useful information on the DCAP Product Brief: https://www.intel.com/content/dam/develop/public/us/en/documents/intel-sgx-dcap-ecdsa-orientation.pdf


Sincerely,

Sahira R.

