Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Mashiro_M_1
Beginner
86 Views

SGx client enclave to IAS

Hi,

I'm trying to learn SGx application development, and am now at Remote Attestation. And been learning about it in this article: (https://software.intel.com/en-us/articles/intel-software-guard-extensions-remote-attestation-end-to-...

 

As I understand, remote attestation is a necessary part for an enclave (in the target/user platform) to become usable, it should be able to attest towards an ISV's Provisioning Server which in turn is connected to Intel's Attestation Server.

Client (with SGx attesting enclave) <------->  ISV Provisioning Server <------> Intel IAS

 

Is this two-tier approach a mandatory setup?

Is it possible to not have the Provisioning Server in between, and have the client connect/attest directly towards IAS?

Like so: Client (with SGx enclave ) <--------------> IAS

 

0 Kudos
1 Reply
Rodolfo_S_
New Contributor III
86 Views

Hi, Mashiro.

Remote Attestation is *not* mandatory for an enclave to be usable in a customer's/target client machine.

The purpose of Remote Attestation is to prove to someone else (e.g.: service provider (SP)) that the application it is communicating with is running inside an SGX enclave, and further more, that it is running inside the *correct* SGX enclave. Due to this purpose, it only makes sense that the  ISV Provisioning Server (SP) itself communicates with IAS, and not the client enclave being attested, so that the SP can verify that the Attestation Evidence was really sent by IAS, and not faked by a possible attacker.

Cheers,

Rodolfo

Reply