What types of Attestation for Intel® Software Guard Extensions (Intel® SGX) exist and how do those relate to access?
There are two types of attestations for Intel SGX – local attestation and remote attestation. Local attestation occurs between two enclaves on the same client platform and does not require access to Intel’s provisioning or attestation services. Remote attestation involves an enclave proving its trustworthiness to a backend service. Depending on the stage of their development process (see Development / Production Services questions below), once a developer or Licensee obtains access to Intel’s services, they can use the attestation service to facilitate establishing a trust relationship between enclaves.
How frequently should my application request attestation of its enclave?
The frequency of requests should be determined by the application requirements. There may be applications that perform attestation once or rarely – an example being a one-time attestation with an application server to download a product license key or other critical sensitive application material (sealed to the client platform). For closed environments – IT could perform a one-time provisioning / attestation of platforms when building the platforms prior to bringing the systems into the closed environment. On the other end of the spectrum, multiple attestations may occur in DRM- or transaction-based applications. Such applications will likely implement a periodic attestation challenge to client machines when they refresh encryption and licensing keys.
How do “Development Services” differ from “Production Services”?
While Intel strives to provide a high level of uptime / availability for all Services environments, high availability of the Production Services environment is prioritized. Other differences include:
- Requirements for access: Enrollment for Production Services requires a signed Commercial Use License Agreement and the completion of certain technical onboarding steps, including providing a certificate signed by a well-known certificate authority.
- Utilization: Production services will only be leveraged by shipping applications, thus servicing a potentially large number of clients with a limited number of requests per client. Development services are intended for developers working on attestation service development usages and thus may have a relatively small number of clients but potentially a large number of requests per client – especially for the validation / stress testing platforms.
Can I use my “Development Services access” for my production application?
Production applications / solutions should use the Production Services environment endpoints for making service calls.
Does Intel provide a Service Level Agreement (SLA) for the provisioning and attestation services? How do I obtain one? Does Intel charge for the provisioning and attestation services for Intel SGX?
A basic level of service is provided for both Development (target 99.0%) and Production (target 99.9%) Services, but is not guaranteed. If your business or company requires a higher service level than the basic level of service, please contact your Intel representative for other options.
I want to run my own attestation service (or infrastructure) rather than use Intel’s. Can I do that?
Yes. If you can securely inject a key into an enclave, you can build an attestation infrastructure atop that. Intel does not prevent this type of development. A downside is that if you need to complete a Trusted Computing Base (TCB) recovery another secure key injection may be required.
How do I enroll into Production Services for Intel SGX?
Use the online process to submit the necessary information to Intel. After obtaining a commercial use license agreement and technical onboarding, licensees will be provided with the production service endpoints. Get started here.
Commercial Use License Agreement
What does a commercial use license agreement grant me access to?
Having a commercial use license agreement in place and completion of technical onboarding places the licensee’s key on the whitelist, which in turn allows the licensee’s application to create and run production enclaves.
Why do I have to apply for a commercial use license?
A commercial use license agreement is required to use the Production Services environment endpoints. Intel enters into a commercial use license agreement with companies that meet defined development and security standards. This entitles users of Licensee products utilizing Intel SGX to make certain assumptions about the software they are relying upon.
Do I need to have a commercial use license agreement in place if the debug enclave meets my needs?
No. But note, the SGX debug instructions (EDBGRD / EDBGWR) could be used to step into the debug enclave and expose / modify enclave content and behavior.
How long does it typically take Intel to review and disposition a commercial use license agreement request?
Intel treats requests for establishing a commercial use license agreement as a high priority and will work with you to establish an estimated timeframe for completion once we receive the details of your application. Please note that the actual time to disposition a request depends on the volume of requests being received, the accuracy of the information provided, and responsiveness to any follow-up / clarifications that may be needed.
What criteria does Intel use to determine whether or not someone is granted a commercial use license agreement?
Intel is interested in empowering developers to better protect their code and user / application data. Criteria include a developer’s ability to follow industry secure development practices and confirmation of the type of application being developed (avoiding malware, spyware, or other nuisance software). Please refer to the Intel SGX Licensee Guide for additional items.
What can I do if Intel does not approve my commercial use license agreement request?
If you believe your application and company have satisfied the listed standards, you can provide the appropriate data to your Intel contact and your application for a commercial use license agreement will be re-examined.
How is the whitelist related to the commercial use license agreement?
The whitelist is used as a control point to ensure that an application has authorization to create an enclave (trusted execution environment). Accounts enter into a commercial use license agreement with Intel must be added to the whitelist before their application leveraging Intel SGX technology is released.
How will I be notified of revocation actions?
If necessary, Intel will contact the authorized technical contact at the Licensee.