Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

SGx Client to IAS



I am trying to learn SGx and am now at understanding Remote Attestation.

Been reading this article and the other references in it:


As I understand, remote attestation is mandatory for an enclave to be usable in a customer's/target client machine. This client machine is connected towards the ISV's Provisioning Server which is then connected towards Intel's IAS... like so:

Client (with attesting SGx enclave)  <--------------------> ISV Provisioning Server <-------------------------> Intel IAS


Is this two-tier setup mandatory?

Will it be possible to just have the Client attest directly towards Intel IAS like so?  Client (with SGx) <---------------------------> Intel IAS


Please correct me if there is something wrong in my understanding.




0 Kudos
1 Reply
New Contributor III

Hi, Mashiro.

Remote Attestation is *not* mandatory for an enclave to be usable in a customer's/target client machine.

The purpose of Remote Attestation is to prove to someone else (e.g.: service provider (SP)) that the application it is communicating with is running inside an SGX enclave, and further more, that it is running inside the *correct* SGX enclave. Due to this purpose, it only makes sense that the  ISV Provisioning Server (SP) itself communicates with IAS, and not the client enclave being attested, so that the SP can verify that the Attestation Evidence was really sent by IAS, and not faked by a possible attacker.



0 Kudos