-
Notifications
You must be signed in to change notification settings - Fork 166
/
sgx_default_qcnl.conf
80 lines (68 loc) · 4.78 KB
/
sgx_default_qcnl.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
{
// *** ATTENTION : This file is in JSON format so the keys are case sensitive. Don't change them.
//PCCS server address
"pccs_url": "https://localhost:8081/sgx/certification/v4/"
// To accept insecure HTTPS certificate, set this option to false
,"use_secure_cert": true
// You can use the Intel PCS or another PCCS to get quote verification collateral. Retrieval of PCK
// Certificates will always use the PCCS described in pccs_url. When collateral_service is not defined, both
// PCK Certs and verification collateral will be retrieved using pccs_url
//,"collateral_service": "https://api.trustedservices.intel.com/sgx/certification/v4/"
// Type of update to TCB Info. Possible value: early, standard. Default is standard.
// early indicates an early access to updated TCB Info provided as part of a TCB recovery event
// (commonly the day of public disclosure of the items in scope)
// standard indicates standard access to updated TCB Info provided as part of a TCB recovery event
// (commonly approximately 6 weeks after public disclosure of the items in scope)
//, "tcb_update_type" : "standard"
// If you use a PCCS service to get the quote verification collateral, you can specify which PCCS API version is to be used.
// The legacy 3.0 API will return CRLs in HEX encoded DER format and the sgx_ql_qve_collateral_t.version will be set to 3.0, while
// the new 3.1 API will return raw DER format and the sgx_ql_qve_collateral_t.version will be set to 3.1. The pccs_api_version
// setting is ignored if collateral_service is set to the Intel PCS. In this case, the pccs_api_version is forced to be 3.1
// internally. Currently, only values of 3.0 and 3.1 are valid. Note, if you set this to 3.1, the PCCS use to retrieve
// verification collateral must support the new 3.1 APIs.
//,"pccs_api_version": "3.1"
// Maximum retry times for QCNL. If RETRY is not defined or set to 0, no retry will be performed.
// It will first wait one second and then for all forthcoming retries it will double the waiting time.
// By using retry_delay you disable this exponential backoff algorithm
,"retry_times": 6
// Sleep this amount of seconds before each retry when a transfer has failed with a transient error
,"retry_delay": 10
// If local_pck_url is defined, the QCNL will try to retrieve PCK cert chain from local_pck_url first,
// and failover to pccs_url as in legacy mode.
//,"local_pck_url": "http://localhost:8081/sgx/certification/v4/"
// If local_pck_url is not defined, set pck_cache_expire_hours to a none-zero value will enable local cache.
// The PCK certificates will be cached in memory and then to the disk drive.
// The local cache files will be sequentially searched in the following directories until located in one of them:
// Linux : $AZDCAP_CACHE, $XDG_CACHE_HOME, $HOME, $TMPDIR, /tmp/
// Windows : $AZDCAP_CACHE, $LOCALAPPDATA\..\..\LocalLow
// Please be aware that the environment variable pertains to the account executing the process that loads QPL,
// not the account used to log in. For instance, if QPL is loaded by QGS, then those environment variables relate to
// the "qgsd" account, which is the account that runs the QGS daemon.
// You can remove the local cache files either manually or by using the QPL API, sgx_qpl_clear_cache. If you opt to
// delete them manually, navigate to the aforementioned caching directories, find the folder named .dcap-qcnl, and delete it.
// Restart the service after all cache folders were deleted. The same method applies to "verify_collateral_cache_expire_hours"
,"pck_cache_expire_hours": 168
// To set cache expire time for quote verification collateral in hours
// See the above comment for pck_cache_expire_hours for more information on the local cache.
,"verify_collateral_cache_expire_hours": 168
// When the "local_cache_only" parameter is set to true, the QPL/QCNL will exclusively use PCK certificates
// from local cache files and will not request any PCK certificates from service providers, whether local or remote.
// To ensure that the PCK cache is available for use, an administrator must pre-populate the cache folders with
// the appropriate cache files. To generate these cache files for specific platforms, the administrator can use
// the PCCS admin tool. Once the cache files are generated, the administrator must distribute them to each platform
// that requires provisioning.
,"local_cache_only": false
// You can add custom request headers and parameters to the get certificate API.
// But the default PCCS implementation just ignores them.
//,"custom_request_options" : {
// "get_cert" : {
// "headers": {
// "head1": "value1"
// },
// "params": {
// "param1": "value1",
// "param2": "value2"
// }
// }
//}
}