Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

SGX Attestation (Windows)

bashar__golam
Beginner
1,300 Views

I am new in Intel SGX and doing an academic project. I built an app with performing random number from ecall. Now, I need to perform a simple  attestation thus it proves i am using enclave (Intel SGX). How to perform it?

enclave { /*.edl file */

from "sgx_tstdc.edl" i

mport *; trusted { public void foo([out] int *a);

};

};

0 Kudos
9 Replies
Scott_R_Intel
Employee
1,300 Views

Hi Golam.

We have a full end-to-end remote attestation whitepaper as well its associated sample available on GitHub.

https://software.intel.com/en-us/articles/code-sample-intel-software-guard-extensions-remote-attestation-end-to-end-example

https://github.com/intel/sgx-ra-sample

Regards.

Scott

0 Kudos
bashar__golam
Beginner
1,300 Views

Hi Scott,

Thanks for reply. But, I don't need to perform Remote Attestation. I just need to proof that I am using SGX. Can you please give a link or sample code that might be like this (A solution having 3 enclaves. encalve 1 and enclave 2 perform that user is using SGX and enclave3 is what i given above). I am working in Windows OS.

0 Kudos
Scott_R_Intel
Employee
1,300 Views

Hi again Golam.

My apologies that I misunderstood.

If I understand correctly now, and looking at some of your other questions, I think you should take a look at the LocalAttestation sample project included with the SGX SDK.  In it, there are three enclaves, each of which attest to each other and then make secure calls to each other.

Hope this helps.

Scott

0 Kudos
kh__Naveen
Beginner
1,300 Views

@Scott R. As you suggested, I am looking at the local attestation example provided in the SDK.

AFAIK to verify 2 enclaves locally, one enclave needs to generate a report on itself and provide the same to the other enclave. The other enclaves derives a key by calling some API and only then it can decrypt the report and check if the other enclave is genuine. But in this example I dont see any code doing that. Could you please point out where exactly in the code is it being done? The only code which was related to verification of the enclave was this -

//Function that is used to verify the trust of the other enclave
//Each enclave can have its own way verifying the peer enclave identity
extern "C" uint32_t verify_peer_enclave_trust(sgx_dh_session_enclave_identity_t* peer_enclave_identity)
{
    if(!peer_enclave_identity)
    {
        return INVALID_PARAMETER_ERROR;
    }
    if(peer_enclave_identity->isv_prod_id != 0 || !(peer_enclave_identity->attributes.flags & SGX_FLAGS_INITTED))
        // || peer_enclave_identity->attributes.xfrm !=3)// || peer_enclave_identity->mr_signer != xx //TODO: To be hardcoded with values to check
    {
        return ENCLAVE_TRUST_ERROR;
    }
    else
    {
        return SUCCESS;
    }
}

 

0 Kudos
kh__Naveen
Beginner
1,300 Views

Scott R. (Intel) wrote:

Hi again Golam.

My apologies that I misunderstood.

If I understand correctly now, and looking at some of your other questions, I think you should take a look at the LocalAttestation sample project included with the SGX SDK.  In it, there are three enclaves, each of which attest to each other and then make secure calls to each other.

Hope this helps.

Scott

 

Dear Scott, could you please reply to my query in the previous post. It would be of great help as I am stuck with this from quite a long time.

0 Kudos
Scott_R_Intel
Employee
1,300 Views

Hi Naveen.

In this particular local attestation example, that's the exact function you need to be looking at.  See the TODO at the end of commented out line #10... 

peer_enclave_identity->mr_signer != xx //TODO: To be hardcoded with values to check

Your MRSIGNER needs to be hardcoded in there... that's the main check.

Scott

0 Kudos
kh__Naveen
Beginner
1,300 Views

Scott R. (Intel) wrote:

Hi Naveen.

In this particular local attestation example, that's the exact function you need to be looking at.  See the TODO at the end of commented out line #10... 

peer_enclave_identity->mr_signer != xx //TODO: To be hardcoded with values to check

Your MRSIGNER needs to be hardcoded in there... that's the main check.

Scott

Thank you for the reply Scott. In the section LOCAL ATTESTATION, in Intel SGX Developer's Guide, it is written that a report will be sent to the target enclave. Then the target enclave needs to call EGETKEY to derive a key and open the report. But I dont see any of this happening in the code :(. So  I am a little bit confused.

0 Kudos
bashar__golam1
Beginner
1,300 Views

Hello,

Can anyone explain what following function doing?

 status = marshal_input_parameters_e2_foo1(target_fn_id, msg_type, var1, var2, &minp, &minp_len);
    if(status != SUCCESS)
    {
        return status;
    }

 std::map<sgx_enclave_id_t, dh_session_t>::iterator it = g_src_session_info_map.find(dest_enclave_id);
    if(it != g_src_session_info_map.end())
    {
          dh = &it->second;
    }
    else
    {
        SAFE_FREE(minp);
        return INVALID_SESSION;
    }
    status = send_request_receive_response(src_enclave_id, dest_enclave_id, dh, minp, minp_len, max_op_size, &op, &op_len);
    if(status != SUCCESS)
    {
        SAFE_FREE(minp);
        SAFE_FREE(op);
        return status;
    }

    status = unmarshal_retval_and_output_parameters_e2_foo1(op, &retval);
    if(status != SUCCESS)
    {
        SAFE_FREE(minp);
        SAFE_FREE(op);
        return status;
    }

0 Kudos
kh__Naveen
Beginner
1,300 Views

Hi Bashar,

The code is marshalling, i.e filling a structure with data, and sending it over to the other enclave. The other enclave processes the data and sends over the results. The results will then be unmarshalled and verified.

0 Kudos
Reply