04/09/2016
Public Content

Application developers may wish to write enclaves that co-operate with one another to perform some higher-level function. To do this, developers need a mechanism that allows an enclave to prove its identity and authenticity to another party on the local platform. Intel SGX provides a trusted, hardware-based mechanism for this. An enclave can ask the hardware to generate a credential, known as a report, which includes cryptographic proof that the enclave exists on the platform. This report can be given to another enclave, which can verify that the report was generated on the same platform. The authentication mechanism used for intra-platform enclave attestation is a symmetric-key system: only the enclave verifying the report structure and the hardware creating the report know the key, which is embedded in the hardware platform.
An enclave report contains the following data:
  • Measurement of the code and data in the enclave.
  • A hash of the public key in the ISV certificate presented at enclave initialization time.
  • User data.
  • Other security related state information (not described here).
  • A signature block over the above data, which can be verified by the same platform that produced the report.
Local Attestation Example
The figure Local Attestation Example shows an example flow of how two enclaves on the same platform would authenticate each other.
  1. In the figure above, application A hosts enclave A and application B hosts enclave B. After the untrusted applications A and B have established a communication path between the two enclaves, enclave B sends its MRENCLAVE identity to enclave A.
    Note: Applications A and B can be the same application.
    There are two methods by which the application can retrieve the MRENCLAVE measurement for the enclave:
    • Application B retrieves the MRENCLAVE value from the enclave certificate for enclave B.
    • Enclave B supports an interface to export this value which is retrieved by creating a report with a random MRENCLAVE target measurement.
  2. Enclave A asks the hardware to produce a report structure destined for enclave B using the MRENCLAVE value it received from enclave B. Enclave A transmits its report to enclave B via the untrusted application.
    • As part of its report request, enclave A can also pass in a data block of its choosing, referred to as the user data. Inclusion of the user data in the report provides the fundamental primitive that enables a trusted channel to terminate in the enclave.
  3. Once it has received the report from enclave A, enclave B asks the hardware to verify the report to affirm that enclave A is on the same platform as enclave B. Enclave B can then reciprocate by creating its own report for enclave A, by using the MRENCLAVE value from the report it just received. Enclave B transmits its report to enclave A.
  4. Enclave A then verifies the report to affirm that enclave B exists on the same platform as enclave A.
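The four-step flow above, as an added simulation that is not SGX SDK code and not taken from this page: a constructed `PLATFORM_SECRET` stands in for the key embedded in the hardware, HMAC-SHA256 stands in for the hardware's MAC over the report, and the `Enclave`, `Report`, `_report_key` and `mutual_local_attestation` names are assumptions made for the illustration. It shows why a report created for one target MRENCLAVE fails verification by any other enclave and why altered user data is detected.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed model of the platform: PLATFORM_SECRET stands in for the key fused
# into the hardware, and HMAC-SHA256 stands in for the AES-CMAC over the report.
PLATFORM_SECRET = os.urandom(32)

@dataclass(frozen=True)
class Report:
    mrenclave: bytes   # measurement of the reporting enclave's code and data
    mrsigner: bytes    # hash of the ISV public key from the enclave certificate
    user_data: bytes   # caller-supplied data bound into the report
    mac: bytes         # keyed over the fields above with the target's report key

def _report_key(target_mrenclave: bytes) -> bytes:
    # EGETKEY-style derivation (modelled, not the real KDF): only the hardware and
    # the enclave whose MRENCLAVE matches the target can obtain this key.
    return hmac.new(PLATFORM_SECRET, b"REPORT" + target_mrenclave, hashlib.sha256).digest()

def _body(mrenclave: bytes, mrsigner: bytes, user_data: bytes) -> bytes:
    return mrenclave + mrsigner + len(user_data).to_bytes(2, "big") + user_data

class Enclave:
    def __init__(self, code: bytes, isv_pubkey: bytes):
        self.mrenclave = hashlib.sha256(code).digest()
        self.mrsigner = hashlib.sha256(isv_pubkey).digest()

    def create_report(self, target_mrenclave: bytes, user_data: bytes) -> Report:
        # EREPORT: the hardware MACs the report with the *target's* report key.
        key = _report_key(target_mrenclave)
        mac = hmac.new(key, _body(self.mrenclave, self.mrsigner, user_data), hashlib.sha256).digest()
        return Report(self.mrenclave, self.mrsigner, user_data, mac)

    def verify_report(self, r: Report) -> bool:
        # The target retrieves its own report key and recomputes the MAC; a report
        # aimed at a different enclave or altered in transit fails this check.
        key = _report_key(self.mrenclave)
        expected = hmac.new(key, _body(r.mrenclave, r.mrsigner, r.user_data), hashlib.sha256).digest()
        return hmac.compare_digest(expected, r.mac)

def mutual_local_attestation(a: Enclave, b: Enclave, a_user_data: bytes):
    # Steps 1-4 of the page: B's MRENCLAVE is already known to A (step 1).
    report_a = a.create_report(b.mrenclave, a_user_data)       # step 2
    if not b.verify_report(report_a):                           # step 3
        return None
    report_b = b.create_report(report_a.mrenclave, b"")         # step 3, reciprocal
    return report_b if a.verify_report(report_b) else None      # step 4
```

In a real deployment the user data would typically carry a hash of a freshly generated key-exchange public key, which is what lets the trusted channel terminate inside the enclave.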
