Remote Attestation SP public key

Perissinotto__Alessi · ‎03-13-2019

Good morning!I have a doubt about the way in which the application and then the enclave discover the public key of the service provider it wants to communicate with during the remote attestation process. In the white paper of the remote attestation sample it is both said that the function sgx_ra_init takes in input the public key of the SP and the same public key of the SP must be hardcoded inside the enclave. So my doubt is, when is this key provided to the application? Along with the challenge at the very beginning of the Remote attestaion process?

Thank you so much

Alessia

Scott_R_Intel · ‎03-15-2019

Hi Alessia.

Which white paper are you speaking of? If you look at the SGX End-to-End Remote Attestation Code Sample article and it's associated code (links below), you will see the SP key is hard coded in the enclave (search for def_service_public_key) just as you mention, and is ultimately passed into sgx_ra_init. I'm not sure I understand your exact question, so if the links below don't answer it, please feel free to reply.

https://software.intel.com/en-us/articles/code-sample-intel-software-guard-extensions-remote-attestation-end-to-end-example

https://github.com/intel/sgx-ra-sample

https://software.intel.com/en-us/sgx-sdk-dev-reference-sgx-ra-init

Regards.

Scott

Perissinotto__Alessi · ‎03-15-2019

Yes! This is what I was talking about! So how it is possible that the key is hardcoded inside the enclave? Does each machine contains a list of public key that are injected at manufacturing time?

Thank you

Alessia

Scott_R_Intel · ‎03-15-2019

Hi again.

The public key is simply compiled into the enclave, as it is in the SGX RA sample I gave. When you build the enclave that is going to use attestation, you must already know the SP you plan to use and therefore know/have access to their public key. You can't decide at runtime which SP you are going to use, if that's what you're thinking.

Scott

Perissinotto__Alessi · ‎03-15-2019

What i cannot understand is how the enclave at the moment of its creation knows the public key of the SP that is going to talk with.

Please,

Alessia

Scott_R_Intel · ‎03-15-2019

Apologies for the back and forth, but I'm still obviously not understanding your misunderstanding.

You, as the developer, have to decide ahead of enclave build time who your RA SP will be. Most (all?) enclave developers who use RA run their own SP service, and therefore coordinated the creation of the SP key pair before they built their enclaves that use RA. Even if you planned to use "SP as a service" from some other entity, you would need to get their public key before you built your enclave and statically compile it in such that it is measured/signed with the enclave and therefore cannot be changed.

Scott

Mai__Anthony · ‎06-05-2019

I am starting to learn to figure out how SGX works and googling def_service_public_key leads me here.

My question is, who is the entity that holds the private key associated with that particular public key, 0x72, 0x12, 0x8a, 0x7a ....

Is it the Intel's production ra server, the test server, or nobody holds the private key and developers should replace the above mentioned public key accordingly. In another word, is that particular key just a placeholder, or is it something for real?

Another question I am more interested in is, can you show me the precise code spot where the enclave obtains its private key and then proceed to sign the report used for attestation? Is the code in the sgx driver, in application enclave code, or some where else? I need to find that spot of the code to understand the logical flow under the hood. Thanks.