Improve Enclave Security
Access cloud services for remote attestation using Enhanced Privacy ID (EPID) and provisioning certificates. Intel provides code and tools that allow service providers to build and offer their own Intel® Software Guard Extensions (Intel® SGX) attestation service.
Two forms of attestation are supported: local and remote. In both cases, the protected portions of the application load into an enclave that measures its code and data and generates a report.
To enroll in attestation services, implement the remote attestation service capability in your application. For more information, see the API documentation.
Then ensure the following is in place:
In local attestation, two enclaves on the same platform use their reports to provide some authentication to each other. After establishing such authenticity, they exchange information on a channel with more protection. No additional hardware or software infrastructure, and no connection to a remote attestation service, is required.
In remote attestation, an enclave sends a quote to a relying party's (RP) remote service. The RP then obtains some validation that an authentic Intel® processor generated the quote. The RP can then have more trust in the enclave's authenticity and more securely provision keys, credentials, or data.
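A simplified model of the local attestation flow described above, as an added example that is not Intel's code or the SGX SDK API. HMAC-SHA256 and `PLATFORM_SECRET` are stand-ins assumed here for the processor's key derivation and report MAC, and all function names are hypothetical.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed stand-in for a secret that never leaves the processor.
PLATFORM_SECRET = os.urandom(32)

def measure(image: bytes) -> bytes:
    """Model of the enclave measurement: a hash over its loaded code and data."""
    return hashlib.sha256(image).digest()

def report_key(measurement: bytes, secret: bytes) -> bytes:
    """Key tied to one platform and one enclave identity (assumed derivation)."""
    return hmac.new(secret, b"report-key" + measurement, hashlib.sha256).digest()

@dataclass(frozen=True)
class Report:
    measurement: bytes  # identity of the enclave that asked for the report
    report_data: bytes  # caller-chosen bytes, e.g. a key-exchange value
    mac: bytes

def create_report(own_image: bytes, target: bytes, report_data: bytes,
                  secret: bytes = PLATFORM_SECRET) -> Report:
    """Modelled hardware step: MAC the report under the *target's* report key."""
    m = measure(own_image)
    body = m + hashlib.sha256(report_data).digest()
    mac = hmac.new(report_key(target, secret), body, hashlib.sha256).digest()
    return Report(m, report_data, mac)

def verify_report(rep: Report, own_image: bytes, expected_peer: bytes,
                  secret: bytes = PLATFORM_SECRET) -> bool:
    """Target enclave: recompute the MAC with its own key, then check the peer."""
    body = rep.measurement + hashlib.sha256(rep.report_data).digest()
    key = report_key(measure(own_image), secret)
    good = hmac.new(key, body, hashlib.sha256).digest()
    return hmac.compare_digest(good, rep.mac) and hmac.compare_digest(
        rep.measurement, expected_peer)

def mutual_attest(image_a: bytes, image_b: bytes) -> bool:
    """Both directions, as two enclaves on one platform would do it."""
    ma, mb = measure(image_a), measure(image_b)
    a_to_b = create_report(image_a, mb, b"A key-exchange value (constructed)")
    b_to_a = create_report(image_b, ma, b"B key-exchange value (constructed)")
    return verify_report(a_to_b, image_b, ma) and verify_report(b_to_a, image_a, mb)
```

Because the MAC key depends on both the platform secret and the target's measurement, a report checks out only for the intended enclave on the same platform, which is why no external service is involved.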
For privacy-focused use on PCs or workstations, developers can access an attestation service from Intel to submit and help verify attestation evidence for enclaves. To provision its EPID key, this form of remote attestation requires that the user's system has access to the internet.
The primary role of an attestation service is to help verify the EPID quote submitted by an RP that is seeking to gain more trust in a remote enclave. The service provides some verification of the quote's EPID signature, which gives some assurance that a member of a valid EPID group signed it.
Service providers may build and deliver their own attestation service instead of using the remote attestation service from Intel. The attestation service receives all attestation requests, eliminating the need for relying parties to have internet access.
Intel® Software Guard Extensions Data Center Attestation Primitives and provisioning certification services support enclave attestation and platform provisioning for third-party attestation services through:
- Open-source primitives
For more information, see Fig. 1.