Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

Retrieve attesation key certificate

ChrisCode
Novice
852 Views

The Quoting Enclave (QE) generates an attestation key (AK), signed by the Provisioning Certification Enclave (PCE), which is then used to sign the report and the ECDSA quote.

How do you get the AK certificate from outside the QE to verify the certificate chain up to the Intel root CA certificate? I am trying to build a report verification system in golang.   

Thanks for your help!

0 Kudos
1 Solution
Zulkifli_Intel
Moderator
721 Views

Hi ChrisCode

 

In a DCAP environment, the Intel Attestation Services (IAS) does not verify the enclave. IAS is used to verify enclaves only for EPID-based attestation.

 

For ECDSA attestation, the service provider must build their own attestation service using the DCAP primitives. The service provider/relying party verifies the SGX platform using the DCAP Quote Verification Library.

 

For DCAP, the Intel Provisioning Certification Service provides PCK certificates, TCB info, revocation lists, and quoting enclave identity to the service provider so that the service provider can perform the attestation.

 

The Intel DCAP Product Brief explains how all these pieces fit together.

 

 

Sincerely,

Zulkifli


View solution in original post

5 Replies
Zulkifli_Intel
Moderator
814 Views

Hello ChrisCode,

Thank you for reaching out to us.

 

I'm looking into this matter and have an answer for you as soon as possible.

 

Sincerely,

Zulkifli 


0 Kudos
Zulkifli_Intel
Moderator
793 Views

Hi ChrisCode,

 

The Quote Enclave (QE) generates a unique asymmetric Attestation Key (AK). The QE provides the Provisioning Certification Enclave (PCE) with the attestation public key.

 

Since QE receives REPORTs from other enclaves, verifies them, and signs with the AK before returning the results, therefore AK may not be obtained from outside of the QE.

 

Here are some of the reasons why the AK may not be obtained from outside of the QE. The first reason is that the AK is stored in a secure enclave in memory, which is a protected area of memory that is inaccessible to the rest of the system, in order to prevent unauthorized access.

 

Another reason is that the AK is encrypted using a memory encryption key and it's not accessible. This encryption prevents an attacker from simply reading the AK from memory.

 

 

Sincerely,

Zulkifli

0 Kudos
ChrisCode
Novice
738 Views

Thanks for you answer. Of course the private part of the attestation key must stay in the enclave. But this was not my question. 

I currently still don't understand how to verify the authenticity of the ECDSA attestation public key, that we receive as part of the quote. (Page 65, Table 4). In this paper it says: "The PCE authenticates the request and issues a certificate-like structure identifying the QE and the Attestation Key (3)." (section 3.1) Thats why I thought there is also a certificate for the AK. 

AMD SEV(-SNP) for example signs the reports with the Versioned Chip endorsement key (VCEK) and one can verify the VCEK simply with its corresponding certificate. 

 

Or is it meant the following way:

As stated in the documentation, we trust the QE, since it is an "Intel signed enclave that is trusted by the attestation infrastructure".

I looked at the DCAP quote verification library and the verification function takes additional quote collateral data (struct sgx_ql_qve_collateral_t), which contains data that is necessary to verify the quote, like QE identity structure.

So, by verifying the signature of this QE identity structure we can verify the QE. Does this now mean, that we can trust the AKs generated by the QE, which are used to sign the attestation reports? And we don't need to verify the AK public key in the quote?  

 

0 Kudos
Zulkifli_Intel
Moderator
722 Views

Hi ChrisCode

 

In a DCAP environment, the Intel Attestation Services (IAS) does not verify the enclave. IAS is used to verify enclaves only for EPID-based attestation.

 

For ECDSA attestation, the service provider must build their own attestation service using the DCAP primitives. The service provider/relying party verifies the SGX platform using the DCAP Quote Verification Library.

 

For DCAP, the Intel Provisioning Certification Service provides PCK certificates, TCB info, revocation lists, and quoting enclave identity to the service provider so that the service provider can perform the attestation.

 

The Intel DCAP Product Brief explains how all these pieces fit together.

 

 

Sincerely,

Zulkifli


Zulkifli_Intel
Moderator
651 Views

This thread will no longer be monitored since this issue has been resolved. If you need any additional information from Intel, please submit a new question. 


0 Kudos
Reply