Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.
1453 Discussions

RA: Why query IAS for SigRL?

Daniel_ˢᵍˣ
New Contributor I
‎05-05-2022 08:04 AM
1,157 Views
Solved Jump to solution

During remote attestation the Service Provider, SP, has to query IAS for two things:

  1. Get SigRL(gid)
  2. Get Report(quote)

In the function sgx_get_quote the p_sig_rl argument can be NULL.

The SigRL returned by IAS is not signed (by IAS), meaning it could have been modified before we use it in sgx_get_quote.

I'm assuming that if we ignore the first IAS query that IAS still knows whether the processor is legitimate, up to date, and not blacklisted.

 

  1. Is it safe to ignore the first IAS query, i.e. not do Get SigRL but only do get Get Report, using a NULL p_sig_rl? Will remote attestation still work correctly?
  2. If we can invoke Get Report directly without the SigRL, then what is the point of doing the extra step Get SigRL?
Labels (2)
Labels:
0 Kudos
1 Solution
JesusG_Intel
Moderator
‎05-19-2022 12:56 PM
1,049 Views
Solved Jump to solution

Hello Daniel, I finally have an answer for you. You must always get the SigRL from IAS. If the SigRL gets tampered with in any way, the platform, whether it's valid or not, will fail attestation because the IAS will know that the platfrom's report does not contain the appropriate SigRL.


An EPID group can have valid platforms and revoked/invalid platforms. The SigRL contains signatures of revoked platforms in an EPID group. If a valid platform signs it's quote with an empty SigRL and it is part of an EPID group that has revoked platforms in it (the SigRL is not supposed to be empty), then that valid platform will fail.

 

An empty SigRL list exists only for EPID groups without any revoked platforms. You can send empty SigRLs only to platforms in clean EPID groups.


Sincerely,

Jesus G.

Intel Customer Support


View solution in original post

Copy link

Link Copied

4 Replies
JesusG_Intel
Moderator
‎05-09-2022 11:33 AM
1,098 Views
Solved Jump to solution

Hello Daniel,


You mention good points. We are checking with our internal resources and will update you as soon as we have a response.


Sincerely,

Jesus G.

Intel Customer Support


0 Kudos
Copy link
JesusG_Intel
Moderator
‎05-19-2022 12:56 PM
1,050 Views
Solved Jump to solution

Hello Daniel, I finally have an answer for you. You must always get the SigRL from IAS. If the SigRL gets tampered with in any way, the platform, whether it's valid or not, will fail attestation because the IAS will know that the platfrom's report does not contain the appropriate SigRL.


An EPID group can have valid platforms and revoked/invalid platforms. The SigRL contains signatures of revoked platforms in an EPID group. If a valid platform signs it's quote with an empty SigRL and it is part of an EPID group that has revoked platforms in it (the SigRL is not supposed to be empty), then that valid platform will fail.

 

An empty SigRL list exists only for EPID groups without any revoked platforms. You can send empty SigRLs only to platforms in clean EPID groups.


Sincerely,

Jesus G.

Intel Customer Support


Copy link
JesusG_Intel
Moderator
‎05-25-2022 12:09 PM
1,027 Views
Solved Jump to solution

Hello Daniel,


I hope the information on SigRL that I provided to you answers your question.


I will close this thread now and Intel will no longer monitor it. Please start a new thread if you need further help.


Sincerely,

Jesus G.

Intel Customer Support


0 Kudos
Copy link
Daniel_ˢᵍˣ
New Contributor I
‎05-27-2022 07:22 AM
999 Views
Solved Jump to solution
In response to JesusG_Intel

Hello Jesus,

Thank you, it does!

Daniel

In response to JesusG_Intel
0 Kudos
Copy link
Reply

Community support is provided during standard business hours (Monday to Friday 7AM - 5PM PST). Other contact methods are available here.

Intel does not verify all solutions, including but not limited to any file transfers that may appear in this community. Accordingly, Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade.

For more complete information about compiler optimizations, see our Optimization Notice.