- Measurement of the code and data in the enclave.
- A hash of the public key in the ISV certificate presented at enclave initialization time.
- The Product ID and the Security Version Number (SVN) of the enclave.
- Attributes of the enclave, for example, whether the enclave is running in debug mode.
- User data included by the enclave in the data portion of the report structure. Allows establishing a secure channel bound to the remote attestation process so a remote server may provision secrets to the entity that has been attested.
- A signature block over the above data, which is signed by the Intel EPID group key.
An application that hosts an enclave can also ask the enclave to produce a report and then pass this report to a platform service to produce a type of credential that reflects enclave and platform state. This credential is known as quote. This quote can then be passed to entities off of the platform, and verified using techniques for Intel(R) EPID signature verification. As a result, the CPU key is never directly exposed outside the platform.
A quote includes the following data:
The enclave data contained in the quote (MRENCLAVE, MRSIGNER, ISVPRODID, ISVSVN, ATTRIBUTES, and so on.) is presented to the remote service provider at the end of the attestation process. This is the data the service provider will compare against to a trusted configuration to decide whether to render the service to the enclave.