Improve Enclave Security

Access cloud services for remote attestation using Enhanced Privacy ID (EPID) and provisioning certificates. Intel provides code and tools that allow service providers to build and offer their own Intel® Software Guard Extensions (Intel® SGX) attestation service.

Two forms of attestation are supported: local and remote. In both cases, the protected portions of the application load into an enclave, which measures its code and data and generates a report.

Get Started

To enroll in attestation services, implement the remote attestation service capability in your application. For more information, see the API documentation.

Then ensure the following is in place:

Local Attestation

Two enclaves on the same platform use their reports to provide some authentication to each other. After establishing such authenticity, they exchange information on a channel with more protection. No additional hardware or software infrastructure, and no connection to a remote attestation service, is required.

Remote Attestation

An enclave sends a quote to a relying party's (RP) remote service. The RP then obtains some validation that an authentic Intel® processor generated the quote. With that, the RP can have more trust in the enclave's authenticity and can more securely provision keys, credentials, or data to it.

Client PCs

For privacy-focused use on PCs or workstations, developers can access an attestation service from Intel to submit and help verify attestation evidence for enclaves. To provision its EPID key, this form of remote attestation requires that the user's system has access to the internet.

The primary role of an attestation service is to help verify the EPID quote submitted by an RP that is seeking to gain more trust in a remote enclave. The service provides some verification of the quote's EPID signature, which in turn gives some verification that a member of a valid EPID group signed it.

Figure 1

Enterprise, Data Center, & Cloud Service Providers

These providers may build and deliver their own attestation service instead of using the remote attestation service from Intel. The attestation service receives all attestation requests, eliminating the need for relying parties to have internet access.

Intel® Software Guard Extensions Data Center Attestation Primitives and provisioning certification services support enclave attestation and platform provisioning for third-party attestation services through:

  • Open-source primitives
  • Software
  • Libraries

For more information, see Fig. 1.

Provisioning Certification Service (PCS)

This set of publicly accessible APIs allows attestation service providers to deliver the following for their Intel SGX enclave-specific computing platforms:

  • Provisioning certificates
  • Revocation lists
  • Trusted computing base information

Attestation Support