
Intel Software Guard Extensions (SGX)

thilovoss edited this page Dec 8, 2022 · 1 revision

Intel Software Guard Extensions (SGX) is a set of extensions to the Intel processor architecture intended to ensure that sensitive computations can be executed confidentially even in untrusted environments, such as virtual machines rented from a cloud service provider.

To achieve this, Intel SGX reserves protected memory regions, called "enclaves", for sensitive code. An enclave is isolated from the rest of memory, and code outside the enclave cannot access it. While an enclave is being built, its contents are measured step by step, and the measurements are combined into a hash that represents the enclave's identity (MRENCLAVE). In addition, the creator can sign the enclave with an RSA key, which yields a second identity (MRSIGNER): a SHA-2 hash of the modulus of the signer's public RSA key.
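As an added example (not from this wiki page and not Intel SDK code), the following Go program computes MRSIGNER from an RSA public key and checks a MRSIGNER value taken from a REPORT or QUOTE against the signer you expect. It assumes the SIGSTRUCT layout in which the 3072-bit modulus is stored as 384 little-endian bytes and hashed with SHA-256; the demonstration key is generated on the spot.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
)

// SIGSTRUCT.MODULUS holds a 3072-bit RSA modulus as 384 little-endian bytes
// (assumption stated in the lead-in).
const modulusLen = 384

// MRSigner computes MRSIGNER: SHA-256 over the RSA modulus in its SIGSTRUCT
// representation (little-endian, fixed 384 bytes). Moduli larger than 3072 bits
// are rejected, since SGX does not accept them.
func MRSigner(n *big.Int) ([32]byte, error) {
	var zero [32]byte
	if n.Sign() <= 0 || n.BitLen() > modulusLen*8 {
		return zero, errors.New("modulus must be positive and at most 3072 bits")
	}
	be := n.FillBytes(make([]byte, modulusLen)) // big-endian, left-padded with zeros
	le := make([]byte, modulusLen)
	for i, b := range be {
		le[modulusLen-1-i] = b // reverse into little-endian as stored in SIGSTRUCT
	}
	return sha256.Sum256(le), nil
}

// SignerMatches checks a MRSIGNER value (e.g. read from a REPORT or QUOTE)
// against the public key of the expected signer, in constant time.
func SignerMatches(expected [32]byte, pub *rsa.PublicKey) bool {
	got, err := MRSigner(pub.N)
	if err != nil {
		return false
	}
	return subtle.ConstantTimeCompare(got[:], expected[:]) == 1
}

func main() {
	// Constructed key for the demonstration. SGX additionally requires the public
	// exponent to be 3; Go generates e=65537, which does not affect MRSIGNER
	// because only the modulus is hashed.
	key, err := rsa.GenerateKey(rand.Reader, 3072)
	if err != nil {
		panic(err)
	}
	m, err := MRSigner(key.N)
	if err != nil {
		panic(err)
	}
	fmt.Println("MRSIGNER:", hex.EncodeToString(m[:]))
	fmt.Println("matches own key:", SignerMatches(m, &key.PublicKey))
}
```

The byte order matters: hashing the modulus in big-endian form, as most RSA libraries export it, produces a different value that will never match the MRSIGNER reported by the hardware.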

Attestation

An enclave can attest itself to other enclaves. Attestation lets the other party verify that the expected software was properly initialized in a genuine SGX environment. Enclaves can attest either locally or remotely.

Local Attestation

For local attestation to other enclaves, Intel SGX provides the EREPORT instruction. It generates a structure called REPORT, which contains the two identities of the enclave, the attributes associated with the enclave, information on the trustworthiness of the trusted computing base, other optional information, and a message authentication code (MAC). The MAC is generated with a report key that the target enclave can retrieve via the EGETKEY instruction.

If an enclave wants to attest to another enclave, it creates a REPORT and sends it to that enclave. The receiving enclave verifies the REPORT using its own report key; a valid MAC proves that the attesting enclave is actually running on the same platform and is therefore subject to the Intel SGX security model.
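The following Go model of local attestation is an added example, not code from this page or from Intel. It stands in for EREPORT and EGETKEY with a toy key derivation: the report key is derived from a constructed platform secret and the identity of the target enclave named in TARGETINFO, and HMAC-SHA256 replaces the AES-128-CMAC that the hardware uses. The REPORT field layout is simplified. What it shows is that only the intended target enclave on the same platform can recompute the MAC, and that any change to the body after EREPORT breaks verification.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// ReportBody models the MAC-protected fields of an SGX REPORT (simplified layout).
type ReportBody struct {
	CPUSVN     [16]byte // TCB security version of the platform
	Attributes uint64   // enclave attribute flags such as DEBUG
	MRENCLAVE  [32]byte // identity of the attesting enclave's code and data
	MRSIGNER   [32]byte // identity of the enclave's signer
	ISVProdID  uint16
	ISVSVN     uint16   // security version assigned by the enclave author
	ReportData [64]byte // optional caller data, e.g. the hash of a manifest
}

// Report is the REPORT structure: the body plus the MAC computed by EREPORT.
type Report struct {
	Body ReportBody
	MAC  []byte // HMAC-SHA256 here; real SGX uses AES-128-CMAC
}

// Platform stands in for the CPU-resident secret that EGETKEY derives from.
// Enclaves on different machines see different platforms.
type Platform struct {
	rootSecret []byte
}

// serialize gives the fixed-layout byte string the MAC is computed over.
func (b ReportBody) serialize() []byte {
	var buf bytes.Buffer
	buf.Write(b.CPUSVN[:])
	binary.Write(&buf, binary.LittleEndian, b.Attributes)
	buf.Write(b.MRENCLAVE[:])
	buf.Write(b.MRSIGNER[:])
	binary.Write(&buf, binary.LittleEndian, b.ISVProdID)
	binary.Write(&buf, binary.LittleEndian, b.ISVSVN)
	buf.Write(b.ReportData[:])
	return buf.Bytes()
}

// ReportKey stands in for EGETKEY(REPORT_KEY) as executed by the enclave with
// identity `self`: the key is bound to the platform secret and to that identity,
// so only the named enclave on this platform can reproduce it.
func (p Platform) ReportKey(self [32]byte) []byte {
	h := hmac.New(sha256.New, p.rootSecret)
	h.Write([]byte("REPORT_KEY"))
	h.Write(self[:])
	return h.Sum(nil)
}

// EReport stands in for EREPORT(TARGETINFO): the hardware MACs the attester's
// body with the report key of the *target* enclave named in TARGETINFO.
func (p Platform) EReport(target [32]byte, body ReportBody) Report {
	mac := hmac.New(sha256.New, p.ReportKey(target))
	mac.Write(body.serialize())
	return Report{Body: body, MAC: mac.Sum(nil)}
}

// VerifyReport is the target's side: recompute the MAC with its own report key.
// Success shows the REPORT was produced by EREPORT on the same platform, was
// addressed to this enclave, and was not modified in transit.
func VerifyReport(myReportKey []byte, r Report) bool {
	mac := hmac.New(sha256.New, myReportKey)
	mac.Write(r.Body.serialize())
	return hmac.Equal(mac.Sum(nil), r.MAC)
}

func main() {
	// Constructed identities and platform secret for the demonstration.
	platform := Platform{rootSecret: []byte("constructed-platform-secret")}
	var attester, target, bystander [32]byte
	copy(attester[:], "constructed-enclave-A")
	copy(target[:], "constructed-enclave-B")
	copy(bystander[:], "constructed-enclave-C")

	body := ReportBody{MRENCLAVE: attester, ISVSVN: 2}
	report := platform.EReport(target, body)

	fmt.Println("target verifies:   ", VerifyReport(platform.ReportKey(target), report))
	fmt.Println("bystander verifies:", VerifyReport(platform.ReportKey(bystander), report))
	report.Body.ISVSVN = 3 // tamper with a field after EREPORT
	fmt.Println("tampered verifies: ", VerifyReport(platform.ReportKey(target), report))
}
```

A verifier must still inspect the body after the MAC checks out: MRENCLAVE, MRSIGNER, the attributes (for example whether DEBUG is set) and the security versions decide whether the attesting enclave is one it is willing to trust.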

Remote attestation via EPID

For an enclave to attest itself to a remote service (so that, for example, sensitive data can be loaded into the enclave), an asymmetric procedure is required, in contrast to the symmetric-key procedure (the MAC) used for REPORTs in local attestation. To achieve this, Intel introduced another component, the Quoting Enclave, which deals exclusively with remote attestation. The Quoting Enclave verifies REPORTs from other enclaves via local attestation and replaces the MAC with a signature generated with a private asymmetric key.

The first form of remote attestation was remote attestation via EPID (Intel® Enhanced Privacy ID). First, the remote service sends a challenge to the application. The application knows the identity of the Quoting Enclave and forwards the challenge together with this identity to the application enclave. The application enclave generates a manifest containing the response to the challenge and a public key (for subsequent communication with the challenger). It then computes a hash digest of this manifest and generates a REPORT that includes the digest, which it sends back to the application. The application forwards the REPORT to the Quoting Enclave, which verifies it and forms a QUOTE structure from it. The QUOTE is signed with the EPID key and handed back to the application, which sends it to the challenger. The challenger can verify the QUOTE using an EPID public certificate, which it obtains from the Intel Attestation Service, an API provided by Intel.

Remote Attestation via DCAP

EPID is mainly used on client machines; it requires a call to the Intel Attestation Service and the use of EPID keys for every attestation. For data centers and cloud providers, Intel later developed remote attestation via Data Center Attestation Primitives (DCAP). The difference from EPID is that DCAP allows arbitrary quoting enclaves that generate their own attestation keys. To support this, Intel introduced another building block, the Provisioning Certification Enclave (PCE), which serves as a local certificate authority for the quoting enclaves.

The quoting enclave makes its attestation public key available to the PCE. The PCE wraps it in a certificate-like structure and signs it with a key specific to the platform's Trusted Computing Base (TCB), the Provisioning Certification Key (PCK). The certificate for the PCK comes from an Intel service called the Provisioning Certification Service (PCS). This creates a complete signature chain from the Quoting Enclave's quotes to an Intel CA. A further advantage of DCAP over EPID is that the PCK certificates for the different TCBs do not have to be fetched from Intel's PCS for every attestation; they can be cached and only need to be re-fetched at certain intervals.
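To tie together the EPID flow described above (challenge response and public key bound into the REPORT, REPORT re-signed into a QUOTE) and the DCAP signature chain, here is an added Go example; it is not Intel's code and does not reproduce the real QUOTE or PCK certificate formats. It models the attestation key and the PCK as ECDSA P-256 keys, the PCE-issued structure as a PCK signature over the attestation public key, and the PCK public key as something the relying party already holds (and may cache) from the PCS. The Quoting Enclave's local-attestation check of the application REPORT is assumed to have happened and is not repeated here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// AKCert models the certificate-like structure the PCE issues: the quoting
// enclave's attestation public key, signed with the PCK.
type AKCert struct {
	AKPub  *ecdsa.PublicKey
	PCKSig []byte // PCK signature over SHA-256(pubBytes(AKPub))
}

// Quote models the QUOTE returned to the application (layout simplified).
type Quote struct {
	MRENCLAVE  [32]byte // copied from the application enclave's verified REPORT
	ReportData [32]byte // REPORTDATA: here SHA-256(nonce || app public key)
	AKSig      []byte   // attestation-key signature over MRENCLAVE||ReportData
	Cert       AKCert   // lets the verifier chain the attestation key to the PCK
}

// pubBytes serializes a P-256 public key as X||Y (32 bytes each).
func pubBytes(p *ecdsa.PublicKey) []byte {
	out := make([]byte, 64)
	p.X.FillBytes(out[:32])
	p.Y.FillBytes(out[32:])
	return out
}

func (q Quote) signedBytes() []byte {
	return append(append([]byte{}, q.MRENCLAVE[:]...), q.ReportData[:]...)
}

// ManifestDigest is what the application enclave puts into REPORTDATA so the
// quote is bound to this challenge and to the enclave's own public key.
func ManifestDigest(nonce, appPub []byte) [32]byte {
	return sha256.Sum256(append(append([]byte{}, nonce...), appPub...))
}

// PCEIssue: the PCE certifies a quoting enclave's attestation key with the PCK.
func PCEIssue(pck *ecdsa.PrivateKey, akPub *ecdsa.PublicKey) (AKCert, error) {
	d := sha256.Sum256(pubBytes(akPub))
	sig, err := ecdsa.SignASN1(rand.Reader, pck, d[:])
	return AKCert{AKPub: akPub, PCKSig: sig}, err
}

// QEQuote: having checked the application enclave's REPORT via local attestation
// (assumed done), the quoting enclave re-signs the body with its attestation key.
func QEQuote(ak *ecdsa.PrivateKey, cert AKCert, mrenclave, reportData [32]byte) (Quote, error) {
	q := Quote{MRENCLAVE: mrenclave, ReportData: reportData, Cert: cert}
	d := sha256.Sum256(q.signedBytes())
	sig, err := ecdsa.SignASN1(rand.Reader, ak, d[:])
	q.AKSig = sig
	return q, err
}

// VerifyQuote is the relying party's check. pckPub is the PCK public key it
// obtained (and may cache) from the PCS; nonce and appPub are the values it
// expects to find bound into REPORTDATA.
func VerifyQuote(pckPub *ecdsa.PublicKey, q Quote, nonce, appPub []byte) error {
	// 1. PCK -> attestation key: was this quoting enclave's key certified?
	d := sha256.Sum256(pubBytes(q.Cert.AKPub))
	if !ecdsa.VerifyASN1(pckPub, d[:], q.Cert.PCKSig) {
		return errors.New("attestation key not certified by the PCK")
	}
	// 2. attestation key -> quote body
	d = sha256.Sum256(q.signedBytes())
	if !ecdsa.VerifyASN1(q.Cert.AKPub, d[:], q.AKSig) {
		return errors.New("quote signature invalid")
	}
	// 3. freshness and key binding: REPORTDATA must match this challenge
	if q.ReportData != ManifestDigest(nonce, appPub) {
		return errors.New("REPORTDATA does not match the challenge")
	}
	return nil
}

func main() {
	// Constructed keys: in a real deployment the PCK is platform/TCB specific and
	// its certificate chain ends at an Intel CA via the PCS.
	pck, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ak, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	cert, _ := PCEIssue(pck, &ak.PublicKey)

	nonce := []byte("constructed-challenge-nonce")
	appPub := []byte("constructed application enclave public key")
	var mrenclave [32]byte
	copy(mrenclave[:], "constructed-app-mrenclave")
	q, _ := QEQuote(ak, cert, mrenclave, ManifestDigest(nonce, appPub))
	fmt.Println("quote verifies:", VerifyQuote(&pck.PublicKey, q, nonce, appPub))
}
```

The order of the three checks mirrors the chain the page describes: the PCK vouches for the attestation key, the attestation key vouches for the quote body, and the REPORTDATA binding is what stops a valid quote from being replayed against a different challenge. In a real verifier the PCK public key itself is taken from a PCK certificate that chains to Intel's CA; that step is represented here by the verifier simply holding pckPub.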
