You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Determining if the identity of a SGX Enclave (represented by SGX Enclave Report) matches a valid, up-to-date Enclave Identity issued by Intel requires following steps:
Retrieve Enclave Identity(SGX QE, TDX QE or QVE) from PCS and verify that it is a valid structure issued by Intel.
Perform the following comparison of SGX Enclave Report against the retrieved Enclave Identity:
a. Verify if MRSIGNER field retrieved from SGX Enclave Report is equal to the value of mrsigner field in Enclave Identity.
b. Verify if ISVPRODID field retrieved from SGX Enclave Report is equal to the value of isvprodid field in Enclave Identity.
c. Apply miscselectMask (binary mask) from Enclave Identity to MISCSELECT field retrieved from SGX Enclave Report. Verify if the outcome (miscselectMask & MISCSELECT) is equal to the value of miscselect field in Enclave Identity.
d. Apply attributesMask (binary mask) from Enclave Identity to ATTRIBUTES field retrieved from SGX Enclave Report. Verify if the outcome (attributesMask & ATTRIBUTES) is equal to the value of attributes field in Enclave Identity.
If any of the checks above fail, the identity of the enclave does not match Enclave Identity published by Intel.
Determine a TCB status of the Enclave:
a. Retrieve a collection of TCB Levels (sorted by ISVSVNs) from tcbLevels field in Enclave Identity structure.
b. Go over the list of TCB Levels (descending order) and find the one that has ISVSVN that is lower or equal to the ISVSVN value from SGX Enclave Report.
c. If a TCB level is found, read its status from tcbStatus field, otherwise your TCB Level is not supported.
The quoting enclave ID needs to be verified.
The access point for the id and what to check is documented here, https://api.portal.trustedservices.intel.com/documentation#pcs-enclave-identity-v4
SGX SDK/DCAP implementation is here https://github.com/intel/SGXDataCenterAttestationPrimitives/blob/DCAP_1.16/QuoteVerification/QVL/Src/AttestationLibrary/src/QuoteVerification.cpp#L260
SignedQeIdentityVerifier
#105The text was updated successfully, but these errors were encountered: