Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.
1453 Discussions

SGx client enclave to IAS

Mashiro_M_1
Beginner
‎11-13-2016 10:47 AM
390 Views

Hi,

I'm trying to learn SGx application development, and am now at Remote Attestation. And been learning about it in this article: (https://software.intel.com/en-us/articles/intel-software-guard-extensions-remote-attestation-end-to-end-example)

 

As I understand, remote attestation is a necessary part for an enclave (in the target/user platform) to become usable, it should be able to attest towards an ISV's Provisioning Server which in turn is connected to Intel's Attestation Server.

Client (with SGx attesting enclave) <------->  ISV Provisioning Server <------> Intel IAS

 

Is this two-tier approach a mandatory setup?

Is it possible to not have the Provisioning Server in between, and have the client connect/attest directly towards IAS?

Like so: Client (with SGx enclave ) <--------------> IAS

 

0 Kudos

Link Copied

1 Reply
Rodolfo_S_
New Contributor III
‎11-14-2016 08:11 AM
390 Views

Hi, Mashiro.

Remote Attestation is *not* mandatory for an enclave to be usable in a customer's/target client machine.

The purpose of Remote Attestation is to prove to someone else (e.g.: service provider (SP)) that the application it is communicating with is running inside an SGX enclave, and further more, that it is running inside the *correct* SGX enclave. Due to this purpose, it only makes sense that the  ISV Provisioning Server (SP) itself communicates with IAS, and not the client enclave being attested, so that the SP can verify that the Attestation Evidence was really sent by IAS, and not faked by a possible attacker.

Cheers,

Rodolfo

0 Kudos
Copy link
Reply

Community support is provided during standard business hours (Monday to Friday 7AM - 5PM PST). Other contact methods are available here.

Intel does not verify all solutions, including but not limited to any file transfers that may appear in this community. Accordingly, Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade.

For more complete information about compiler optimizations, see our Optimization Notice.