Intel SGX attestation covers the identity of the software running in the enclave (e.g. MRENCLAVE and MRSIGNER), non-measurable state (e.g. the enclave mode, such as debug vs. production), additional data the enclave wants to associate with itself (e.g. a manifest describing the software configuration), and a cryptographic binding to the platform TCB. This information is bundled into a data structure called a report. The relying party inspects the attributes contained in the report to decide whether the enclave is trustworthy.
Key derivation diagram (for the underlying material see: SGX Key Properties)
- Root Provisioning Key (RPK): a key generated by iKGF, held by both Intel and the SGX platform.
- Root Sealing Key (RSK): a key generated by iKGF, held only by the SGX platform.
- Provisioning key: obtained through the EGETKEY instruction; its inputs include the RPK. Used by Intel to authenticate the SGX platform.
- Once authentication with Intel's provisioning service has completed using the Provisioning key, the enclave and IAS generate an asymmetric key pair via the EPID scheme Join protocol. The private key kept by the enclave is called the attestation key; the report is signed with the attestation key and then forwarded to IAS for remote attestation. IAS holds only the encrypted member key (which can be thought of as one ingredient for generating the attestation key). See the EPID scheme Join protocol for details.
- Provisioning Seal key: obtained through the EGETKEY instruction; its inputs include the RSK. Used to encrypt the attestation key so that it can be sealed outside the enclave.
- Report key: obtained through the EGETKEY instruction; its inputs include the RPK, MRENCLAVE and attributes, so an enclave on the same SGX platform can obtain the same report key as its peer enclave (it supplies its own MRENCLAVE and attributes as parameters). Therefore, during local attestation, a report protected with a MAC by one enclave can be verified by another enclave on the same SGX platform.
- Seal key: obtained through the EGETKEY instruction; its inputs include the RPK and MRSIGNER. Allows secrets to be sealed outside the enclave.
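To make the derivation rules in the Report key and Seal key items above concrete, here is a toy model added for this page (not Intel's code and not the SDK's EGETKEY): HMAC-SHA256 stands in for the real derivation function and the root key is a constructed placeholder. It shows that a report key derived from the target's MRENCLAVE and attributes lets the target, and only the target, verify a MAC'd report, and that a seal key bound to MRSIGNER is shared by two builds from the same signer while one bound to MRENCLAVE is not.

```python
import hashlib
import hmac

# Constructed placeholder for the platform root key that EGETKEY derives from.
ROOT_KEY = b"constructed-root-key-placeholder"


def derive_key(name: str, mrenclave: bytes, mrsigner: bytes, attributes: int) -> bytes:
    """Toy EGETKEY: bind a 128-bit key to the key name and the identity fields it uses."""
    material = b"|".join([name.encode(), mrenclave, mrsigner, attributes.to_bytes(8, "little")])
    return hmac.new(ROOT_KEY, material, hashlib.sha256).digest()[:16]


def report_key(target_mrenclave: bytes, target_attributes: int) -> bytes:
    """Report key: bound to MRENCLAVE and ATTRIBUTES, not to MRSIGNER (see Table 3)."""
    return derive_key("REPORT", target_mrenclave, b"", target_attributes)


def seal_key(policy: str, mrenclave: bytes, mrsigner: bytes, attributes: int) -> bytes:
    """Seal key: MRENCLAVE policy pins one exact build, MRSIGNER policy pins the signer."""
    if policy == "MRENCLAVE":
        return derive_key("SEAL", mrenclave, b"", attributes)
    if policy == "MRSIGNER":
        return derive_key("SEAL", b"", mrsigner, attributes)
    raise ValueError("unknown seal policy")


def create_report(target_mrenclave: bytes, target_attributes: int, body: bytes):
    """Toy EREPORT: the reporting enclave MACs the body with the *target's* report key."""
    key = report_key(target_mrenclave, target_attributes)
    return body, hmac.new(key, body, hashlib.sha256).digest()[:16]


def verify_report(own_mrenclave: bytes, own_attributes: int, report) -> bool:
    """Target enclave re-derives its own report key and checks the MAC (local attestation)."""
    body, mac = report
    key = report_key(own_mrenclave, own_attributes)
    return hmac.compare_digest(mac, hmac.new(key, body, hashlib.sha256).digest()[:16])


if __name__ == "__main__":
    # Constructed identities: two builds (A, B) from the same signer S on one platform.
    mr_a, mr_b, signer = b"A" * 32, b"B" * 32, b"S" * 32
    rep = create_report(mr_b, 0, b"report body for B")
    print("B verifies:", verify_report(mr_b, 0, rep))  # True
    print("A verifies:", verify_report(mr_a, 0, rep))  # False
    same_signer = seal_key("MRSIGNER", mr_a, signer, 0) == seal_key("MRSIGNER", mr_b, signer, 0)
    same_build = seal_key("MRENCLAVE", mr_a, signer, 0) == seal_key("MRENCLAVE", mr_b, signer, 0)
    print("MRSIGNER seal key shared:", same_signer)   # True
    print("MRENCLAVE seal key shared:", same_build)   # False
```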
Software Properties used in Key Derivation

| Field | Purpose |
| --- | --- |
| MRENCLAVE | the SHA256 hash measurement of the enclave, computed during enclave build |
| MRSIGNER | the SHA256 hash of the public key used to sign the enclave's SIGSTRUCT |
| CPUSVN | a set of SVNs of the firmware components in the TCB, for the case where more than one updatable component is included in the TCB |
| ISVSVN | the SVN of the software component in the TCB, assigned by the enclave signer (through SIGSTRUCT) |
| ISVPRODID | a product identifier, assigned by the enclave signer (through SIGSTRUCT), used for dividing up the key space |
| OwnerEpoch | a value provided by the platform, created when a new owner takes possession of the platform |
Table 2: SGX Keys

| Key | Purpose |
| --- | --- |
| EINIT Token | EINIT Token creation key |
| Report | EREPORT verification key |
| Seal | Protects enclave secrets that need to be exposed outside the enclave for long-term retention |
| Provisioning Seal | Used by the attestation key provisioning enclave to protect attestation keys for long-term retention outside the enclave |
| Provisioning | Used by the attestation key provisioning enclave to prove, in the provisioning protocol, that the platform is at the TCB it claims |
Table 3: SGX Key Properties

| Key | Attributes | Seal Fuses | Owner Epoch | CPU SVN | ISV SVN | ISV PRODID | MRENCLAVE | MRSIGNER | RAND |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| EINIT Token | Req | Yes | Yes | Req | Req | Yes | No | No | Req |
| Report | Yes | Yes | Yes | Yes | No | No | Yes | No | Req |
| Seal | Req | Yes | Yes | Req | Req | Yes | Req | Req | Req |
| Provisioning | Req | No | No | Req | Req | Yes | No | Yes | Yes |
| Provisioning Seal | Req | Yes | No | Req | Req | Yes | No | Yes | Yes |
Image 2. Full remote attestation flow [4]
Other details

How is the membership key hidden mathematically?

Through the EPID scheme Join protocol, the encrypted membership key is used as the input material for EPID; "hiding" here simply means encryption.

- The platform's membership key and the signed certificate together form a unique EPID private key; how is the attestation key then generated?
- The attestation key itself is asymmetric (EPID keys).
- The details are in the EPID blind join protocol; judging from the SGX ecosystem flowchart,
- What does the attestation-key signature mean, and how does IAS verify the identity signature?
- The attestation key is one EPID private key, and IAS verifies the signature with the group public key. The Quote contains a basename field; IAS checks the signature over the basename to determine whether the signer holds a legitimate attestation key.