During remote attestation the Service Provider, SP, has to query IAS for two things:
- Get SigRL(gid)
- Get Report(quote)
In the function sgx_get_quote the p_sig_rl argument can be NULL.
The SigRL returned by IAS is not signed (by IAS), meaning it could have been modified before we use it in sgx_get_quote.
I'm assuming that if we ignore the first IAS query that IAS still knows whether the processor is legitimate, up to date, and not blacklisted.
- Is it safe to ignore the first IAS query, i.e. not do Get SigRL but only do Get Report, using a NULL p_sig_rl? Will remote attestation still work correctly?
- If we can invoke Get Report directly without the SigRL, then what is the point of doing the extra step Get SigRL?
Hello Daniel, I finally have an answer for you. You must always get the SigRL from IAS. If the SigRL gets tampered with in any way, the platform, whether it's valid or not, will fail attestation because the IAS will know that the platform's report does not contain the appropriate SigRL.
An EPID group can have valid platforms and revoked/invalid platforms. The SigRL contains signatures of revoked platforms in an EPID group. If a valid platform signs its quote with an empty SigRL and it is part of an EPID group that has revoked platforms in it (the SigRL is not supposed to be empty), then that valid platform will fail.
An empty SigRL list exists only for EPID groups without any revoked platforms. You can send empty SigRLs only to platforms in clean EPID groups.
Sincerely,
Jesus G.
Intel Customer Support
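An added example (not code from this thread or from Intel) of how a service provider could apply the rule in the answer above: always query Get SigRL, and hand the client a NULL `p_sig_rl` only when IAS itself returned an empty list. The function names are hypothetical; the base64 response body, the empty body for a clean group, the big-endian GID in the request URL and the `SIGRL_VERSION_MISMATCH` status are assumptions taken from the public IAS API specification, not stated in the thread.

```python
import base64
import binascii

def gid_for_ias_url(gid_le: bytes) -> str:
    """msg1 carries the 4-byte EPID GID little-endian; the IAS URL wants big-endian hex."""
    if len(gid_le) != 4:
        raise ValueError("EPID group ID must be exactly 4 bytes")
    return gid_le[::-1].hex()

def sigrl_for_get_quote(http_status: int, body: bytes):
    """Turn a Get SigRL response into the (p_sig_rl, sig_rl_size) pair for sgx_get_quote.

    (None, 0) is returned only when IAS answered 200 with an empty body, meaning
    the group has no revoked platforms. A failed query raises instead of being
    treated as an empty list.
    """
    if http_status != 200:
        raise RuntimeError(f"Get SigRL returned HTTP {http_status}; not falling back to NULL")
    body = body.strip()
    if not body:
        return None, 0
    try:
        sigrl = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise RuntimeError("SigRL body is not valid base64") from exc
    return sigrl, len(sigrl)

def next_step(quote_status: str) -> str:
    """Strict example policy for isvEnclaveQuoteStatus in the IAS report."""
    if quote_status == "OK":
        return "accept"
    if quote_status == "SIGRL_VERSION_MISMATCH":
        # The quote was not produced against the current SigRL: fetch it again and re-attest.
        return "refetch_sigrl"
    return "reject"

if __name__ == "__main__":
    # Constructed sample values, not taken from a real platform or IAS response.
    print(gid_for_ias_url(bytes.fromhex("0b0a0000")))
    print(sigrl_for_get_quote(200, b""))
    print(sigrl_for_get_quote(200, b"AAECAw=="))
    print(next_step("SIGRL_VERSION_MISMATCH"))
```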
Hello Daniel,
You mention good points. We are checking with our internal resources and will update you as soon as we have a response.
Sincerely,
Jesus G.
Intel Customer Support
Hello Daniel,
I hope the information on SigRL that I provided to you answers your question.
I will close this thread now and Intel will no longer monitor it. Please start a new thread if you need further help.
Sincerely,
Jesus G.
Intel Customer Support