Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Mashiro_M_1
Beginner
63 Views

SGx Client to IAS

Hi,

I am trying to learn SGx and am now at understanding Remote Attestation.

Been reading this article and the other references in it: https://software.intel.com/en-us/articles/intel-software-guard-extensions-remote-attestation-end-to-end-example

 

As I understand, remote attestation is mandatory for an enclave to be usable in a customer's/target client machine. This client machine is connected towards the ISV's Provisioning Server which is then connected towards Intel's IAS... like so:

Client (with attesting SGx enclave)  <--------------------> ISV Provisioning Server <-------------------------> Intel IAS

 

Is this two-tier setup mandatory?

Will it be possible to just have the Client attest directly towards Intel IAS like so?  Client (with SGx) <---------------------------> Intel IAS

 

Please correct me if there is something wrong in my understanding.

Thanks.

 

 

0 Kudos
1 Reply
Rodolfo_S_
New Contributor III
63 Views

Hi, Mashiro.

Remote Attestation is *not* mandatory for an enclave to be usable in a customer's/target client machine.

The purpose of Remote Attestation is to prove to someone else (e.g.: service provider (SP)) that the application it is communicating with is running inside an SGX enclave, and further more, that it is running inside the *correct* SGX enclave. Due to this purpose, it only makes sense that the  ISV Provisioning Server (SP) itself communicates with IAS, and not the client enclave being attested, so that the SP can verify that the Attestation Evidence was really sent by IAS, and not faked by a possible attacker.

Cheers,

Rodolfo

Reply