In my application there are three entities:
A: Host application that communicates to B and C. A is running the SGX enclave.
B: Can be considered the RP. It remotely attests A and creates a secure channel. It has Internet connectivity to get a report from IAS.
C: This entity also does remote attestation for A, but doesn't have Internet connectivity.
C can remotely attest A if A or B can retrieve the IAS report and forward it to C. C verifies the signature of IAS on the report and also checks the validity of MRENCLAVE.
My question is: since B is already retrieving the report for that enclave, can A retrieve that report from B and forward it to C? Would that work? Are there any session-specific values in the attestation proof/attestation report generated by IAS? If yes, can you please elaborate a bit or point me in the right direction?
Both B and C always attest to the same instance of the enclave at the same time. So, B always has a fresh attestation report.
You are pretty much describing setting up an internal attestation service. You can do this with the Intel SGX Datacenter Attestation Primitives. This allows you to attest enclaves within your network without having to always connect to the IAS. Check out the Intel® SGX Data Center Attestation Primitives Orientation Guide for more information.
That was helpful. But in my case, C can't have network connectivity even to an internal attestation service. C is only connected to A. So, the only option to retrieve the attestation report is through A.
If C is trying to attest A, do you think it's a good idea to trust A to provide the correct attestation material? You are asking if C can trust A before it can attest A. The whole point of attestation is to use a trusted 3rd party (IAS) to provide the reports so that the challenging entities (B and C) can attest that A is trustworthy. You should download the attestation reports from IAS and cache them in a local network-attached database that is accessible by B and C so that they can attest A. If C is only attached to A, then why does it need to attest A? It sounds like C is dependent on A for everything, so C must trust A implicitly.
I consulted with some folks who are much smarter than me and you are right, this is possible to do. They recommend that you implement a freshness check to make sure the report is up to date. You will want to re-attest the platform based on your own policy. Intel provides the documentation for the DCAP APIs, but the implementation is really up to the customer since there are so many ways to do this.
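An added Python example (not code from this thread or from Intel) of the checks the discussion touches on: the IAS signature over the response body, MRENCLAVE read from the quote body inside the report, the values that are specific to one attestation session (the nonce IAS echoes from the request and the enclave's report_data), and a timestamp freshness policy. The offsets follow the sgx_quote_t layout; the nonce strings, the 5-minute policy and the sample report body are constructed for the test.

```python
import base64
import json
from datetime import datetime, timedelta, timezone

# Offsets inside the 432-byte isvEnclaveQuoteBody (sgx_quote_t without its
# signature); the embedded sgx_report_body_t starts at byte 48.
MRENCLAVE_OFF = 48 + 64      # 32 bytes: measurement of the enclave code
MRSIGNER_OFF = 48 + 128      # 32 bytes: hash of the enclave signing key
REPORT_DATA_OFF = 48 + 320   # 64 bytes: chosen by the enclave when it builds the REPORT

def verify_ias_signature(signing_cert_pem: bytes, raw_body: bytes, sig_b64: str) -> None:
    """RSA-SHA256 (PKCS#1 v1.5) over the exact response body, as IAS signs it. Needs the
    'cryptography' package; the signing certificate chain must also be validated first."""
    from cryptography import x509
    from cryptography.hazmat.primitives import hashes
    from cryptography.hazmat.primitives.asymmetric import padding
    key = x509.load_pem_x509_certificate(signing_cert_pem).public_key()
    key.verify(base64.b64decode(sig_b64), raw_body, padding.PKCS1v15(), hashes.SHA256())

def check_report(raw_body: bytes, expected_mrenclave: bytes, expected_report_data: bytes,
                 expected_nonce: str, now: datetime, max_age: timedelta,
                 allowed_status=("OK",)) -> dict:
    """Checks the report contents; verify_ias_signature(raw_body) must pass first."""
    report = json.loads(raw_body)
    quote = base64.b64decode(report["isvEnclaveQuoteBody"])
    if len(quote) != 432:
        raise ValueError("unexpected quote body length")
    # Session-specific values: the nonce IAS echoes from the request, and the report_data
    # the enclave put in its REPORT (typically a hash of key material agreed with this
    # verifier). A report obtained for B's session fails both checks when handed to C.
    if report.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: report was not requested for this session")
    if quote[REPORT_DATA_OFF:REPORT_DATA_OFF + 64] != expected_report_data:
        raise ValueError("report_data does not bind this session")
    if quote[MRENCLAVE_OFF:MRENCLAVE_OFF + 32] != expected_mrenclave:
        raise ValueError("MRENCLAVE mismatch")
    if report["isvEnclaveQuoteStatus"] not in allowed_status:
        raise ValueError("quote status " + report["isvEnclaveQuoteStatus"])
    # Freshness policy: IAS timestamps are UTC with no zone suffix.
    issued = datetime.fromisoformat(report["timestamp"]).replace(tzinfo=timezone.utc)
    if now - issued > max_age:
        raise ValueError("report older than policy allows; re-attest")
    return {"mrsigner": quote[MRSIGNER_OFF:MRSIGNER_OFF + 32].hex(), "issued": issued}

def build_sample_body(mrenclave: bytes, report_data: bytes, nonce: str, timestamp: str) -> bytes:
    """Constructed IAS-style response body for local testing (not a real report)."""
    quote = bytearray(432)
    quote[MRENCLAVE_OFF:MRENCLAVE_OFF + 32] = mrenclave
    quote[REPORT_DATA_OFF:REPORT_DATA_OFF + 64] = report_data
    return json.dumps({"timestamp": timestamp, "isvEnclaveQuoteStatus": "OK", "nonce": nonce,
                       "isvEnclaveQuoteBody": base64.b64encode(quote).decode()}).encode()
```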