Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.
1521 Discussions

Retrieve attesation key certificate

ChrisCode
Novice
‎05-16-2023 04:02 PM
1,898 Views
Solved Jump to solution

The Quoting Enclave (QE) generates an attestation key (AK), signed by the Provisioning Certification Enclave (PCE), which is then used to sign the report and the ECDSA quote.

How do you get the AK certificate from outside the QE to verify the certificate chain up to the Intel root CA certificate? I am trying to build a report verification system in golang.   

Thanks for your help!

0 Kudos
1 Solution
Zulkifli_Intel
Moderator
‎05-19-2023 05:01 PM
1,767 Views
Solved Jump to solution

Hi ChrisCode

 

In a DCAP environment, the Intel Attestation Services (IAS) does not verify the enclave. IAS is used to verify enclaves only for EPID-based attestation.

 

For ECDSA attestation, the service provider must build their own attestation service using the DCAP primitives. The service provider/relying party verifies the SGX platform using the DCAP Quote Verification Library.

 

For DCAP, the Intel Provisioning Certification Service provides PCK certificates, TCB info, revocation lists, and quoting enclave identity to the service provider so that the service provider can perform the attestation.

 

The Intel DCAP Product Brief explains how all these pieces fit together.

 

 

Sincerely,

Zulkifli


View solution in original post

Copy link

Link Copied

5 Replies
Zulkifli_Intel
Moderator
‎05-17-2023 09:56 AM
1,860 Views
Solved Jump to solution

Hello ChrisCode,

Thank you for reaching out to us.

 

I'm looking into this matter and have an answer for you as soon as possible.

 

Sincerely,

Zulkifli 


0 Kudos
Copy link
Zulkifli_Intel
Moderator
‎05-17-2023 07:13 PM
1,839 Views
Solved Jump to solution

Hi ChrisCode,

 

The Quote Enclave (QE) generates a unique asymmetric Attestation Key (AK). The QE provides the Provisioning Certification Enclave (PCE) with the attestation public key.

 

Since QE receives REPORTs from other enclaves, verifies them, and signs with the AK before returning the results, therefore AK may not be obtained from outside of the QE.

 

Here are some of the reasons why the AK may not be obtained from outside of the QE. The first reason is that the AK is stored in a secure enclave in memory, which is a protected area of memory that is inaccessible to the rest of the system, in order to prevent unauthorized access.

 

Another reason is that the AK is encrypted using a memory encryption key and it's not accessible. This encryption prevents an attacker from simply reading the AK from memory.

 

 

Sincerely,

Zulkifli

0 Kudos
Copy link
ChrisCode
Novice
‎05-19-2023 09:30 AM
1,784 Views
Solved Jump to solution
In response to Zulkifli_Intel

Thanks for you answer. Of course the private part of the attestation key must stay in the enclave. But this was not my question. 

I currently still don't understand how to verify the authenticity of the ECDSA attestation public key, that we receive as part of the quote. (Page 65, Table 4). In this paper it says: "The PCE authenticates the request and issues a certificate-like structure identifying the QE and the Attestation Key (3)." (section 3.1) Thats why I thought there is also a certificate for the AK. 

AMD SEV(-SNP) for example signs the reports with the Versioned Chip endorsement key (VCEK) and one can verify the VCEK simply with its corresponding certificate. 

 

Or is it meant the following way:

As stated in the documentation, we trust the QE, since it is an "Intel signed enclave that is trusted by the attestation infrastructure".

I looked at the DCAP quote verification library and the verification function takes additional quote collateral data (struct sgx_ql_qve_collateral_t), which contains data that is necessary to verify the quote, like QE identity structure.

So, by verifying the signature of this QE identity structure we can verify the QE. Does this now mean, that we can trust the AKs generated by the QE, which are used to sign the attestation reports? And we don't need to verify the AK public key in the quote?  

 

In response to Zulkifli_Intel
0 Kudos
Copy link
Zulkifli_Intel
Moderator
‎05-19-2023 05:01 PM
1,768 Views
Solved Jump to solution

Hi ChrisCode

 

In a DCAP environment, the Intel Attestation Services (IAS) does not verify the enclave. IAS is used to verify enclaves only for EPID-based attestation.

 

For ECDSA attestation, the service provider must build their own attestation service using the DCAP primitives. The service provider/relying party verifies the SGX platform using the DCAP Quote Verification Library.

 

For DCAP, the Intel Provisioning Certification Service provides PCK certificates, TCB info, revocation lists, and quoting enclave identity to the service provider so that the service provider can perform the attestation.

 

The Intel DCAP Product Brief explains how all these pieces fit together.

 

 

Sincerely,

Zulkifli


Copy link
Zulkifli_Intel
Moderator
‎05-22-2023 08:08 AM
1,697 Views
Solved Jump to solution

This thread will no longer be monitored since this issue has been resolved. If you need any additional information from Intel, please submit a new question. 


0 Kudos
Copy link
Reply

Community support is provided Monday to Friday. Other contact methods are available here.

Intel does not verify all solutions, including but not limited to any file transfers that may appear in this community. Accordingly, Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade.

For more complete information about compiler optimizations, see our Optimization Notice.