Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Quoting enclave ID verifier #101

Closed
3 tasks done
Tracked by #3309
, #32
...
nick-mobilecoin opened this issue May 31, 2023 · 0 comments · Fixed by #105
Closed
3 tasks done
Tracked by #3309
, #32
...

Quoting enclave ID verifier #101

nick-mobilecoin opened this issue May 31, 2023 · 0 comments · Fixed by #105

Comments

@nick-mobilecoin
Copy link
Collaborator

nick-mobilecoin commented May 31, 2023
edited
Loading

The quoting enclave ID needs to be verified.
The access point for the id and what to check is documented here, https://api.portal.trustedservices.intel.com/documentation#pcs-enclave-identity-v4

Determining if the identity of a SGX Enclave (represented by SGX Enclave Report) matches a valid, up-to-date Enclave Identity issued by Intel requires following steps:

  1. Retrieve Enclave Identity(SGX QE, TDX QE or QVE) from PCS and verify that it is a valid structure issued by Intel.
  2. Perform the following comparison of SGX Enclave Report against the retrieved Enclave Identity:
    a. Verify if MRSIGNER field retrieved from SGX Enclave Report is equal to the value of mrsigner field in Enclave Identity.
    b. Verify if ISVPRODID field retrieved from SGX Enclave Report is equal to the value of isvprodid field in Enclave Identity.
    c. Apply miscselectMask (binary mask) from Enclave Identity to MISCSELECT field retrieved from SGX Enclave Report. Verify if the outcome (miscselectMask & MISCSELECT) is equal to the value of miscselect field in Enclave Identity.
    d. Apply attributesMask (binary mask) from Enclave Identity to ATTRIBUTES field retrieved from SGX Enclave Report. Verify if the outcome (attributesMask & ATTRIBUTES) is equal to the value of attributes field in Enclave Identity.
  3. If any of the checks above fail, the identity of the enclave does not match Enclave Identity published by Intel.
  4. Determine a TCB status of the Enclave:
    a. Retrieve a collection of TCB Levels (sorted by ISVSVNs) from tcbLevels field in Enclave Identity structure.
    b. Go over the list of TCB Levels (descending order) and find the one that has ISVSVN that is lower or equal to the ISVSVN value from SGX Enclave Report.
    c. If a TCB level is found, read its status from tcbStatus field, otherwise your TCB Level is not supported.

SGX SDK/DCAP implementation is here https://github.com/intel/SGXDataCenterAttestationPrimitives/blob/DCAP_1.16/QuoteVerification/QVL/Src/AttestationLibrary/src/QuoteVerification.cpp#L260
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Add SignedQeIdentityVerifier mobilecoinfoundation/attestation
1 participant
@nick-mobilecoin