Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

[eHSM-KMS] How is the remote attestation realized?

T_Tsuga
Beginner
1,318 Views

Hello everyone,

 

  I am developing a system using eHSM-KMS.

  In the process, I am currently having trouble understanding how the remote attestation works.

 

 

  I have added logs to the eHSM-KMS source code to investigate remote attestation,
  The only thing I could figure out is that it is using SSL communication between DkeyServer and DkeyCache using OpenSSH.

  We also could only find that the self-certification function (tee_get_certificate_with_evidence) generated an error (SGX_OL_NETWORK_ERROR:0xe019) when the PCCS server did not exist.

  What kind of communication is going on between PCCServer, DkeyServer and DkeyCache?

 

  What I would like to know is as follows.
     When does eHSM-KMS communicate with the PCCS server?
     What is passed when communicating with the PCCServer and what is obtained as a result?
  
 Regards,.
 T_Tsuga

 

0 Kudos
4 Replies
Iffa_Intel
Moderator
1,274 Views

Hi,


generally, attestation is the process of demonstrating that a software executable has been properly instantiated on a platform that allows a remote party to gain confidence that the intended software is securely running within an enclave on a fully patched, Intel SGX enabled platform.

 

This GitHub page has explanation of an End-to-End Distributed and Scalable Cloud KMS (Key Management System) built on top of Intel SGX enclave-based HSM (Hardware Security Module), aka eHSM. This might help to answer your question.

 


Cordially,

Iffa


0 Kudos
T_Tsuga
Beginner
1,256 Views

Hello Iffa_Intel,
 
 Thank you for your answer.
 I checked the site you mentioned.
 I understood that this is also a product of Intel Corporation.
 I would like to ask some questions about this eHSM-KMS.
 If you know, please let me know if there is an appropriate contact for this.
  
Regards, T_Tsuga

0 Kudos
Iffa_Intel
Moderator
1,208 Views

Hi,


While EHSM is an Intel product, the support team on the EHSM Github is the appropriate contact to answer your questions. You can open a Github Issues thread here: https://github.com/intel/ehsm/issues



Cordially,

Iffa


0 Kudos
Iffa_Intel
Moderator
1,159 Views

Hi,


Intel will no longer monitor this thread since we have provided a solution. If you need any additional information from Intel, please submit a new question. 


Cordially,

Iffa


Reply