Remote attestation: how to verify the quote read from /dev/attestation/quote?

[pbeza]

I've prepared a simple demo repository that prints the SGX quote by reading /dev/attestation/quote (I'm using DCAP attestation). It seems to work fine because it prints a quote (at least that's what I think, since it prints a random string of bytes; see below). Now: how can I verify that SGX quote? Is that quote all I need to provide to the SGX DCAP verifier? I know Intel provides a reference verifier implementation, but it is very poorly documented and difficult to use for me. Maybe you have some tips that will help me verify the quote?

In case you want to try out my demo:

$ cargo build
   Compiling gramine-attestation v0.1.0 (/home/ubuntu/gramine-attestation/gramine-attestation)
    Finished dev [unoptimized + debuginfo] target(s) in 0.17s

Process the manifest file (BTW: does it generate MRENCLAVE at this point?)

gramine-manifest -Dlog_level=error -Darch_libdir=/lib/x86_64-linux-gnu/ gramine-attestation.manifest.template gramine-attestation.manifest

Sign the manifest file:

gramine-sgx-sign --manifest gramine-attestation.manifest --output gramine-attestation.manifest.sgx

Run the app printing the SGX quote:

$ gramine-sgx ./gramine-attestation
Gramine is starting. Parsing TOML manifest file, this may take some time...
Detected attestation type: dcap
Successfully wrote zeros to user_report_data
Extracted SGX quote with size = 4734 and the following fields:
quote: 030002000000000009000e00939a7233f79c4ca9940a0db3957f060712ce6af1e4a81e0ecdac427b99bb0295000000000b0b100fffff0000000000000000000000000000000000000000000000000000000000000000000000000000000000000500000000000000e7000000000000001a818f25391de5c4939ff933175153ade954b3e31ce0b454829086c7b7f689560000000000000000000000000000000000000000000000000000000000000000669b80648c2d9c97f32263fa1961f95f83818682d6359758221f0e7acb9584c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ca100000c414afa96f0801ab4268bd6204e25fdca111115ca48862bfa384a55dbc57ce7bb8b7808d56a8c8321a9a264813c3af067ea3c6098642451182cb5daf3021be2098dcbff3d66af81d0004ae624e8d922da31c4aefc2a85d0723f38997563ea5449dcbf7d4d351b171625415fde6f443ea3e56d099fa62cc77553f80f18a054ba70b0b100fffff0000000000000000000000000000000000000000000000000000000000000000000000000000000000001500000000000000e700000000000000192aa50ce1c0cef03ccf89e7b5b16b0d7978f5c2b1edcf774d87702e8154d8bf00000000000000000000000000000000000000000000000000000000000000008c4f5775d796503e96137f77c68a829a0056ac8ded70140b081b094490c57bff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000915aca8fa4e14365a753fc034261f5d8b2a4e75c83c6ffb90316a11ba6df1b5500000000000000000000000000000000000000000000000000000000000000005855b05b5adf5a32c5cfe44735967e5b40926f548fedb1c95967300cbbcc1e5f47b34f07454af3d8718d165a0f6e138322473ba9808c69f14327d91aab5ef8bb2000000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f0500620e00002d2d2d2d2d424547494e2043455254494649434154452d2d2d2d2d0a4d494945387a4343424a6d674177494241674956414c7a2b6a596a7863582b664a6f6d415562434a71676966496f6c364d416f4743437147534d343942414d430a4d484178496a416742674e5642414d4d47556c756447567349464e4857434251513073675547786864475a76636d306751304578476a415942674e5642416f4d0a45556c756447567349454e76636e4276636d4630615739754d5251774567594456515148444174545957353059534244624746795954454c4d416b47413155450a4341774351304578437a414a42674e5642415954416c56544d4234584454497a4d4467794f4445784d544d774e566f5844544d774d4467794f4445784d544d770a4e566f77634445694d434147413155454177775a535735305a5777675530645949464244537942445a584a3061575a70593246305a5445614d426747413155450a43677752535735305a577767513239796347397959585270623234784644415342674e564241634d43314e68626e526849454e7359584a684d517377435159440a5651514944414a445154454c4d416b474131554542684d4356564d775754415442676371686b6a4f5051494242676771686b6a4f50514d4242774e43414151790a734153725336726b656a31344866314a537075504f314e445556797a5842437670316834324631305555304146555767315934386f6542673774764e355832490a54474542357a48426a7a6a76396b755779556a556f344944446a434341776f77487759445652306a42426777466f41556c5739647a62306234656c4153636e550a3944504f4156634c336c5177617759445652306642475177596a42676f46366758495a616148523063484d364c79396863476b7564484a316333526c5a484e6c0a636e5a705932567a4c6d6c75644756734c6d4e766253397a5a3367765932567964476c6d61574e6864476c76626939324e4339775932746a636d772f593245390a6347786864475a76636d306d5a57356a62325270626d63395a4756794d42304741315564446751574242525456365a6c7a31764a6b5953666b4a6a384e69667a0a716761775744414f42674e56485138424166384542414d434273417744415944565230544151482f4241497741444343416a734743537147534962345451454e0a41515343416977776767496f4d42344743697147534962345451454e4151454545503547726745637a6f704e626f4d3073493062744145776767466c42676f710a686b69472b453042445145434d4949425654415142677371686b69472b4530424451454341514942437a415142677371686b69472b45304244514543416749420a437a415142677371686b69472b4530424451454341774942417a415142677371686b69472b4530424451454342414942417a415242677371686b69472b4530420a4451454342514943415038774551594c4b6f5a496876684e41513042416759434167442f4d42414743797147534962345451454e41514948416745414d4241470a43797147534962345451454e415149494tu@VM-0-6-ubuntu:" 16:35 29-Sep-2316745414d42414743797147534962345451454e4151494a416745414d42414743797147534962345451454e4151494b0a416745414d42414743797147534962345451454e4151494c416745414d42414743797147534962345451454e4151494d416745414d42414743797147534962340a5451454e4151494e416745414d42414743797147534962345451454e4151494f416745414d42414743797147534962345451454e41514950416745414d4241470a43797147534962345451454e41514951416745414d42414743797147534962345451454e415149524167454e4d42384743797147534962345451454e415149530a4242414c43774d442f2f38414141414141414141414141414d42414743697147534962345451454e41514d45416741414d42514743697147534962345451454e0a4151514542674267616741414144415042676f71686b69472b45304244514546436745424d42344743697147534962345451454e415159454545574a7a4f76790a5a45384b336b6a2f48685845612f73775241594b4b6f5a496876684e41513042427a41324d42414743797147534962345451454e415163424151482f4d4241470a43797147534962345451454e415163434151482f4d42414743797147534962345451454e415163444151482f4d416f4743437147534d343942414d43413067410a4d45554349427133767832444e616d5142466d55644d652b6d5059454375383458676f4643674977534a5634634a61544169454134337037747277423830732b0a32697761686d4464416e434d774a56504c69534575774451463856456753773d0a2d2d2d2d2d454e442043455254494649434154452d2d2d2d2d0a2d2d2d2d2d424547494e2043455254494649434154452d2d2d2d2d0a4d4949436c6a4343416a32674177494241674956414a567658633239472b487051456e4a3150517a7a674658433935554d416f4743437147534d343942414d430a4d476778476a415942674e5642414d4d45556c756447567349464e48574342536232393049454e424d526f77474159445651514b4442464a626e526c624342440a62334a7762334a6864476c76626a45554d424947413155454277774c553246756447456751327868636d4578437a414a42674e564241674d416b4e424d5173770a435159445651514745774a56557a4165467730784f4441314d6a45784d4455774d5442614677307a4d7a41314d6a45784d4455774d5442614d484178496a41670a42674e5642414d4d47556c756447567349464e4857434251513073675547786864475a76636d306751304578476a415942674e5642416f4d45556c75644756730a49454e76636e4276636d4630615739754d5251774567594456515148444174545957353059534244624746795954454c4d416b474131554543417743513045780a437a414a42674e5642415954416c56544d466b77457759484b6f5a497a6a3043415159494b6f5a497a6a304441516344516741454e53422f377432316c58534f0a3243757a7078773734654a423732457944476757357258437478327456544c7136684b6b367a2b5569525a436e71523770734f766771466553786c6d546c4a6c0a65546d693257597a33714f42757a43427544416642674e5648534d4547444157674251695a517a575770303069664f44744a5653763141624f536347724442530a42674e5648523845537a424a4d45656752614244686b466f64485277637a6f764c324e6c636e52705a6d6c6a5958526c63793530636e567a6447566b633256790a646d6c6a5a584d75615735305a577775593239744c306c756447567355306459556d397664454e424c6d526c636a416442674e5648513445466751556c5739640a7a62306234656c4153636e553944504f4156634c336c517744675944565230504151482f42415144416745474d42494741315564457745422f7751494d4159420a4166384341514177436759494b6f5a497a6a30454177494452774177524149675873566b6930772b6936565947573355462f32327561586530594a446a3155650a6e412b546a44316169356343494359623153416d4435786b66545670766f34556f79695359787244574c6d5552344349394e4b7966504e2b0a2d2d2d2d2d454e442043455254494649434154452d2d2d2d2d0a2d2d2d2d2d424547494e2043455254494649434154452d2d2d2d2d0a4d4949436a7a4343416a53674177494241674955496d554d316c71644e496e7a6737535655723951477a6b6e42717777436759494b6f5a497a6a3045417749770a614445614d4267474131554541777752535735305a5777675530645949464a766233516751304578476a415942674e5642416f4d45556c756447567349454e760a636e4276636d4630615739754d5251774567594456515148444174545957353059534244624746795954454c4d416b47413155454341774351304578437a414a0a42674e5642415954416c56544d423458445445344d4455794d5445774e4455784d466f58445451354d54497a4d54497a4e546b314f566f77614445614d4267470a4131554541777752535735305a5777675530645949464a766233516751304578476a415942674e5642416f4d45556c756447567349454e76636e4276636d46300a615739754d5251774567594456515148444174545957353059534244624746795954454c4d416b47413155454341774351304578437a414a42674e56424159540a416c56544d466b77457759484b6f5a497a6a3043415159494b6f5a497a6a3044415163445167414543366e45774d4449595a4f6a2f69505773437a61454b69370a314f694f534c52466857476a626e42564a66566e6b59347533496a6b4459594c304d784f346d717379596a6c42616c54565978465032734a424b357a6c4b4f420a757a43427544416642674e5648534d4547444157674251695a517a575770303069664f44744a5653763141624f5363477244425342674e5648523845537a424a0a4d45656752614244686b466f64485277637a6f764c324e6c636e52705a6d6c6a5958526c63793530636e567a6447566b63325679646d6c6a5a584d75615735300a5a577775593239744c306c756447567355306459556d397664454e424c6d526c636a416442674e564851344546675155496d554d316c71644e496e7a673753560a55723951477a6b6e4271777744675944565230504151482f42415144416745474d42494741315564457745422f7751494d4159424166384341514577436759490a4b6f5a497a6a3045417749445351417752674968414f572f35516b522b533943695344634e6f6f774c7550524c735747662f59693747535839344267775477670a41694541344a306c72486f4d732b586f356f2f7358364f39515778485241765a55474f6452513763767152586171493d0a2d2d2d2d2d454e442043455254494649434154452d2d2d2d2d0a00
  ATTRIBUTES.FLAGS: 0500000000000000  [ Debug bit: false ]
  ATTRIBUTES.XFRM:  e700000000000000
  MRENCLAVE:        1a818f25391de5c4939ff933175153ade954b3e31ce0b454829086c7b7f68956
  MRSIGNER:         669b80648c2d9c97f32263fa1961f95f83818682d6359758221f0e7acb9584c0
  ISVPRODID:        0000
  ISVSVN:           0000
  REPORTDATA:       0000000000000000000000000000000000000000000000000000000000000000
                    0000000000000000000000000000000000000000000000000000000000000000

BTW, the demo above was inspired by the Gramine sample code: https://github.com/gramineproject/gramine/blob/master/CI-Examples/python/scripts/sgx-quote.py I just reimplemented it in Rust.

BTW2, quote from your docs:

Gramine does not provide any pseudo-files under /dev/attestation for verification of the attestation quote. Instead, the remote user is encouraged to use the quote_dump, ias_request and verify_ias_report tools shipped together with Gramine (for EPID based quote verification) or to use the Intel DCAP libraries and tools (for DCAP based quote verification).

but still seeking your help with that :)

[dimakuv]

I'm unsure what exactly you want to do in your use case.

But generally you would want to use the Intel DCAP libraries. Gramine uses them like this, if you're interested in the source code:

gramine/tools/sgx/ra-tls/ra_tls_verify_dcap.c

Lines 126 to 260 in a60dcf7

	/* extract SGX quote from "quote" OID extension from crt */
	sgx_quote_t* quote;
	size_t quote_size;
	ret = extract_quote_and_verify_pubkey(crt, &quote, &quote_size);
	if (ret < 0) {
	ERROR("extract_quote_and_verify_pubkey failed: %d\n", ret);
	goto out;
	}
	if (results)
	results->err_loc = AT_VERIFY_EXTERNAL;
	/* prepare user-supplied verification parameters "allow outdated TCB", etc. */
	bool allow_outdated_tcb = getenv_allow_outdated_tcb();
	bool allow_hw_config_needed = getenv_allow_hw_config_needed();
	bool allow_sw_hardening_needed = getenv_allow_sw_hardening_needed();
	bool allow_debug_enclave = getenv_allow_debug_enclave();
	/* call into libsgx_dcap_quoteverify to get supplemental data size */
	ret = sgx_qv_get_quote_supplemental_data_size(&supplemental_data_size);
	if (ret) {
	ERROR("sgx_qv_get_quote_supplemental_data_size failed: %d\n", ret);
	ret = MBEDTLS_ERR_X509_FATAL_ERROR;
	goto out;
	}
	supplemental_data = (uint8_t*)malloc(supplemental_data_size);
	if (!supplemental_data) {
	ret = MBEDTLS_ERR_X509_ALLOC_FAILED;
	goto out;
	}
	time_t current_time = time(NULL);
	if (current_time == ((time_t)-1)) {
	ret = MBEDTLS_ERR_X509_FATAL_ERROR;
	goto out;
	}
	uint32_t collateral_expiration_status = 1;
	sgx_ql_qv_result_t verification_result = SGX_QL_QV_RESULT_UNSPECIFIED;
	/* call into libsgx_dcap_quoteverify to verify ECDSA-based SGX quote */
	ret = sgx_qv_verify_quote((uint8_t*)quote, (uint32_t)quote_size, /*p_quote_collateral=*/NULL,
	current_time, &collateral_expiration_status, &verification_result,
	/*p_qve_report_info=*/NULL, supplemental_data_size,
	supplemental_data);
	if (results) {
	results->dcap.func_verify_quote_result = ret;
	results->dcap.quote_verification_result = verification_result;
	}
	if (ret) {
	ERROR("sgx_qv_verify_quote failed: %d\n", ret);
	ret = MBEDTLS_ERR_X509_CERT_VERIFY_FAILED;
	goto out;
	}
	switch (verification_result) {
	case SGX_QL_QV_RESULT_OK:
	ret = 0;
	if (collateral_expiration_status != 0) {
	INFO("WARNING: The collateral is out of date.\n");
	if (!allow_outdated_tcb)
	ret = MBEDTLS_ERR_X509_CERT_VERIFY_FAILED;
	}
	break;
	case SGX_QL_QV_RESULT_CONFIG_NEEDED:
	ret = allow_hw_config_needed ? 0 : MBEDTLS_ERR_X509_CERT_VERIFY_FAILED;
	break;
	case SGX_QL_QV_RESULT_OUT_OF_DATE:
	ret = allow_outdated_tcb ? 0 : MBEDTLS_ERR_X509_CERT_VERIFY_FAILED;
	break;
	case SGX_QL_QV_RESULT_OUT_OF_DATE_CONFIG_NEEDED:
	ret = allow_outdated_tcb
	? (allow_hw_config_needed ? 0 : MBEDTLS_ERR_X509_CERT_VERIFY_FAILED)
	: MBEDTLS_ERR_X509_CERT_VERIFY_FAILED;
	break;
	case SGX_QL_QV_RESULT_SW_HARDENING_NEEDED:
	ret = allow_sw_hardening_needed ? 0 : MBEDTLS_ERR_X509_CERT_VERIFY_FAILED;
	break;
	case SGX_QL_QV_RESULT_CONFIG_AND_SW_HARDENING_NEEDED:
	ret = allow_hw_config_needed
	? (allow_sw_hardening_needed ? 0 : MBEDTLS_ERR_X509_CERT_VERIFY_FAILED)
	: MBEDTLS_ERR_X509_CERT_VERIFY_FAILED;
	break;
	case SGX_QL_QV_RESULT_INVALID_SIGNATURE:
	case SGX_QL_QV_RESULT_REVOKED:
	case SGX_QL_QV_RESULT_UNSPECIFIED:
	default:
	ret = MBEDTLS_ERR_X509_CERT_VERIFY_FAILED;
	break;
	}
	if (ret < 0) {
	if (verification_result == SGX_QL_QV_RESULT_OK) {
	assert(collateral_expiration_status != 0 && !allow_outdated_tcb);
	ERROR("Quote: verification failed because collateral is out of date\n");
	} else {
	ERROR("Quote: verification failed with error %s\n",
	sgx_ql_qv_result_to_str(verification_result));
	}
	goto out;
	}
	if (verification_result != SGX_QL_QV_RESULT_OK) {
	INFO("Allowing quote status %s\n", sgx_ql_qv_result_to_str(verification_result));
	}
	if (results)
	results->err_loc = AT_VERIFY_ENCLAVE_ATTRS;
	sgx_quote_body_t* quote_body = &quote->body;
	/* verify enclave attributes from the SGX quote body */
	ret = verify_quote_body_enclave_attributes(quote_body, allow_debug_enclave);
	if (ret < 0) {
	ret = MBEDTLS_ERR_X509_CERT_VERIFY_FAILED;
	goto out;
	}
	if (results)
	results->err_loc = AT_VERIFY_ENCLAVE_MEASUREMENTS;
	/* verify other relevant enclave information from the SGX quote */
	if (g_verify_measurements_cb) {
	/* use user-supplied callback to verify measurements */
	ret = g_verify_measurements_cb((const char*)&quote_body->report_body.mr_enclave,
	(const char*)&quote_body->report_body.mr_signer,
	(const char*)&quote_body->report_body.isv_prod_id,
	(const char*)&quote_body->report_body.isv_svn);
	} else {
	/* use default logic to verify measurements */
	ret = verify_quote_body_against_envvar_measurements(quote_body);
	}
	if (ret < 0) {
	ret = MBEDTLS_ERR_X509_CERT_VERIFY_FAILED;
	goto out;
	}

The two important Intel DCAP libraries APIs are:

• sgx_qv_get_quote_supplemental_data_size()
• sgx_qv_verify_quote()

You can check their documentation if you want to know more: https://download.01.org/intel-sgx/latest/dcap-latest/linux/docs/Intel_SGX_ECDSA_QuoteLibReference_DCAP_API.pdf

The Intel DCAP library is called libsgx_dcap_quoteverify.so, see Gramine build code:

gramine/meson.build

Line 257 in a60dcf7

sgx_dcap_quoteverify_dep = cc.find_library('sgx_dcap_quoteverify')

IIRC, this DCAP library is part of the libsgx-dcap-quote-verify package (e.g. for Ubuntu).

[pbeza]

Thank you for precisely pinpointing the code responsible for the quote verification in the RA-TLS protocol. implementation. That's very helpful!

I'm unsure what exactly you want to do in your use case.

I just want to verify the quote (whatever that precisely means under the hood) to make sure I'm talking to the legitimate enclave that is running the code I expect it to run. What do I need to do to verify that (assuming I want to use that low level API with /dev/attestation/quote instead of using RA-TLS that abstracts that away)?

I think I need to better understand how this works under the hood, as I assumed it all ultimately came down to checking the ECDSA signature. At least that's how I understood it after reading https://sgx101.gitbook.io/sgx101/sgx-bootstrap/attestation#platform-provisioning - specifically this part:

(...) The QUOTE can then be verified by a remote party using the corresponding public key. (...)

However, I expect there may be more to it, as there is more to the SGX quote structure than just a signature.

BTW, can you please clarify if that quote structure:

gramine/tools/sgx/ra-tls/ra_tls_verify_dcap.c

Line 127 in a60dcf7

sgx_quote_t* quote;

can be constructed from the string I'm printing in here:
https://github.com/pbeza/gramine-attestation-demo/blob/3a6e959f2a8c6ff8041ab9bd3b6f25b77cd71259/src/main.rs#L33
? Is it essentially the same thing?

[dimakuv]

I'm unsure what exactly you want to do in your use case.
I just want to verify the quote (whatever that precisely means under the hood) to make sure I'm talking to the legitimate enclave that is running the code I expect it to run. What do I need to do to verify that (assuming I want to use that low level API with /dev/attestation/quote instead of using RA-TLS that abstracts that away)?

(Sorry if my reply may be a bit unclear, I'm writing off the top of my head. Some things may be slightly wrong or with wrong terminology. Please ask if something is unclear.)

Broadly speaking, there are two things we want to know as part of attestation:

1. Is the entity (the attester) that sent the attestation evidence genuine (genuine TEE vouched for by a company)?
2. Is the application (code and data) inside this entity genuine (what the verifier/user expects)?

Applying this to the Intel SGX terminology, we map these two things like this:

1. Is the SGX-enabled platform -- on which the SGX enclave that sent the SGX quote runs -- genuine (genuine Intel CPU, with an attached chain of certificates rooted at Intel)?
2. Is the application running inside the SGX enclave contains the code and data of your simple demo?

RA-TLS abstracts away these two verifications, leaving only a bunch of environment variables (and a C callback if required) tweakable by the user of RA-TLS. You can of course build your own verifier instead of RA-TLS.

So, at the programming level, the two above things map like this:

1. Verifying the SGX platform is done via the Intel DCAP libraries (more specifically, via libsgx_dcap_quoteverify.so). Simply call the two APIs of this library in your code, supplying to them the SGX quote as the input. This should be very similar to how RA-TLS code does it. The Intel DCAP libraries -- and the software infrastructure that comes with them and is supposed to be deployed by you or your cloud/datacenter provider -- will do the actual verification.
2. Verifying the application (the SGX enclave measurements) is done by RA-TLS in several steps:
   a. Verify that the SGX quote's report_data field contains the hash of the public key of the RA-TLS X.509 certificate (this step is specific to RA-TLS and how it ties to the SSL/TLS session; this may be omitted in your particular scenario, but be careful with security ramifications).
   b. Verify enclave attributes in the SGX quote (in particular, the DEBUG attribute).
   c. Verify enclave measurements in the SGX quote (MRENCLAVE, MRSIGNER, ...).

This should be all the steps required for SGX quote verification.

I think I need to better understand how this works under the hood, as I assumed it all ultimately came down to checking the ECDSA signature. At least that's how I understood it after reading https://sgx101.gitbook.io/sgx101/sgx-bootstrap/attestation#platform-provisioning - specifically this part:

(...) The QUOTE can then be verified by a remote party using the corresponding public key. (...)

However, I expect there may be more to it, as there is more to the SGX quote structure than just a signature.

Yes, that's why Gramine (and RA-TLS) outsources this verification part to the Intel DCAP libraries -- the exact verification steps are quite complicated. For example, the DCAP SGX quote actually embeds the whole certificate chain rooted at Intel PCS (or well, at least that's the case in my deployments).

BTW, can you please clarify if that quote structure:

gramine/tools/sgx/ra-tls/ra_tls_verify_dcap.c

Line 127 in a60dcf7

sgx_quote_t* quote;

can be constructed from the string I'm printing in here:
https://github.com/pbeza/gramine-attestation-demo/blob/3a6e959f2a8c6ff8041ab9bd3b6f25b77cd71259/src/main.rs#L33
? Is it essentially the same thing?

Yes, it is the same thing.

[adaki2004]

Hey @dimakuv,

I work with Patryk but on different field - basically what i'll try to do is, to verify the 'sgx proof' on-chain - via Solidity so therefore i'd like to ask some high-level questions.

What i'm thinking is, to do the remote attestation verification off-chain, and once it is verified, then the sgx instance shall be identified by it's ECDSA pub. key (-> ethereum address).

In my understanding, attestation is basically proving the identity (and trustworthiness of a machine) to a verifier. -> This can be done by diff. ways, but only need to be done at setup (with this proposed solution of mine) ?
Afterwards we can trust a specific 'id' (in our case theECDSA pub. key) since only the given machine can control it.

So something, high-level like:

B: Hey Verifier! I'm Bob, and please see my proof / attestation report / evidence and please see me identified by my 0x123 Ethereum address.
A: Hey Bob! I'm Alice, and i checked your proofs, it is valid. I identify you within my system with your 0x123 Ethereum address.

OR

Attestation necessary each and every time there is a new computation ?

If former then i'd just not do attestation verification on-chain, simply done once at setup, if latter (maybe because that instance can make itself 'malicious' on the go(?if this is possible?)), then yes, we need to figure out something.

[dimakuv]

Dear @adaki2004,

Yes, your understanding is correct, and your explanations look good to me.

Just don't forget that you must tie the ECDSA pub key to the identity of the SGX enclave, as reported by the SGX quote. In other words, the SGX quote must bare some evidence that it was indeed generated in the SGX enclave that runs with this particular ECDSA pub key.

In RA-TLS (and it's the main feature of RA-TLS), we bind the SGX quote with the ephemeral keypair created inside of the SGX enclave that is used to sign a self-signed X.509 certificate. The diagram shows how it is done: https://gramine.readthedocs.io/en/stable/attestation.html#mid-level-ra-tls-interface

If you haven't yet, also read our RA-TLS whitepaper: https://arxiv.org/abs/1801.05863

(Gramine and RA-TLS are not unique in this solution. In fact, all SGX frameworks/runtimes use a variation of this scheme.)

In my understanding, attestation is basically proving the identity (and trustworthiness of a machine) to a verifier. -> This can be done by diff. ways, but only need to be done at setup (with this proposed solution of mine) ?

There is another catch which is the SGX-attestation validity period. Imagine that your SGX enclave runs for several weeks non-stop. If you generated only one ECDSA key, and use its public part for authentication for several weeks, then the SGX enclave (or the underlying hardware) could be hi-jacked, secrets -- including the private ECDSA key -- could be stolen, and the SGX enclave is compromised.

So typically people also add a rather-small validity period for the attestation token (in your case, the attestation token = ECDSA pub key). For example, Microsoft Azure Attestation sets this period to 8 hours: https://learn.microsoft.com/en-us/azure/attestation/faq#how-long-is-an-attestation-token-valid-

TLDR: Your approach looks correct, but be aware of the aforementioned caveats.

[pbeza]

Just don't forget that you must tie the ECDSA pub key to the identity of the SGX enclave, as reported by the SGX quote. In other words, the SGX quote must bare some evidence that it was indeed generated in the SGX enclave that runs with this particular ECDSA pub key.

@dimakuv What's the best way to tie the ECDSA pub key to the identity of the SGX enclave, as reported by the SGX quote? Is putting the public key in REPORTDATA a way to go?

[dimakuv]

What's the best way to tie the ECDSA pub key to the identity of the SGX enclave, as reported by the SGX quote? Is putting the public key in REPORTDATA a way to go?

Yes. In fact that's what all SGX projects/frameworks do that I've seen.

See our diagram here: https://gramine.readthedocs.io/en/stable/attestation.html#mid-level-ra-tls-interface. Check out the SGX Quote -> SGX Report -> REPORTDATA = hash(public key) on the diagram.

Also, you can read Intel's whitepaper on this: https://github.com/cloud-security-research/sgx-ra-tls/blob/master/whitepaper.pdf

[adaki2004]

Dear @dimakuv,
Thank you very much for your reply.

There is another catch which is the SGX-attestation validity period. Imagine that your SGX enclave runs for several weeks non-stop. If you generated only one ECDSA key, and use its public part for authentication for several weeks, then the SGX enclave (or the underlying hardware) could be hi-jacked, secrets -- including the private ECDSA key -- could be stolen, and the SGX enclave is compromised.

So typically people also add a rather-small validity period for the attestation token (in your case, the attestation token = ECDSA pub key). For example, Microsoft Azure Attestation sets this period to 8 hours: https://learn.microsoft.com/en-us/azure/attestation/faq#how-long-is-an-attestation-token-valid-

TLDR: Your approach looks correct, but be aware of the aforementioned caveats.

Regarding this, our initial plan is/was to always use another ECDSA key for signing the data to avoid side-channel attacks.

So like this:
Need to keep track of 1 ACTIVE public/priv key pair until it is not used. When there is a request to provide with an SGX proof (signature) we generate a new (which will be set as active) pair. The newly generated pub. key is also signed within that proof so we can be sure it is coming from the trusted source.
So basically TLDR:
You always have 1 active (unused) pair. Once a proof is requested:

1. Generate a new pair
2. Sign data with the currently active one
3. Make the new one the active one.. (throw away the old)

Would it work without expiry then ? Or we shall take other extra measures ?

[dimakuv]

When there is a request to provide with an SGX proof (signature) we generate a new (which will be set as active) pair.

I'm unclear on this part. Didn't you want to avoid re-generating the SGX proof/ECDSA key on every request?

Or you have two types of requests: the off-chain attestation-validation requests and the on-chain computation requests? (Sorry, I have no idea what all this stuff is :))

If you do have these two types of requests, and you will re-generate the SGX proof (quote) and the ECDSA key on only the first types of requests (and not on the second ones), then yes, your scheme works.

Again, the requests to provide the SGX proof should happen frequently enough. They can't happen once in a month.

[adaki2004]

I'm unclear on this part. Didn't you want to avoid re-generating the SGX proof/ECDSA key on every request?

No, in (my :) ) term SGX proof is a signature. We need this quite frequently.

So how the instance works: it does some 'in house' computations, and will sign the outcome of this computation with it's active ECDSA private key.

Or you have two types of requests: the off-chain attestation-validation requests and the on-chain computation requests? (Sorry, I have no idea what all this stuff is :))

Basically, yes!

1. The first one is to be sure the machine is 'trusted'. (That is the off-chain attestation-validation.. maybe on-chain later in the future) So that we can register this machine as a 'trusted source'.
2. The second one consists of an off-chain (within the instance ) computation (of blockchain transactions) which then outputs some data which will be signed with active ECDSA private key.

And the verification of that 2nd outcome (signed data) happens on-chain. And as you suggested, throwing away the old ECDSA key pair, and using a new one by design, to avoid attack vectors.

I do not know the exact frequency but it shall happen more frequently than once a month. Is it a working concept against (most possible or all) attack vectors ? Shall we still count on attestation expiry in this case as well ? (Given the known fact that we can be sure that only this instance can sign and generate a new ECDSA key-pair, so the fact itself can give us trust.. OR anyways, we need to keep expiry in our mind ?)

[dimakuv]

I do not know the exact frequency but it shall happen more frequently than once a month. Is it a working concept against (most possible or all) attack vectors ? Shall we still count on attestation expiry in this case as well ?

It's up to you honestly. I would at least have some hard requirement that the frequency of regenerating the ECDSA keypair is capped at X. For example, at least once a week such an attestation-validation request will be sent, so the validity period of your ECDSA pubkey is capped at 7 days.

The validity periods themselves vary wildly. Check what validity periods X.509 certificates have these days, this will give you a rough idea what people consider a "safe enough" period of time.

[pbeza]

@dimakuv, do you perhaps have some minimal example of RA-TLS implemented in Rust (instead of C)? If not, I will try to implement it myself.

[dimakuv]

@dimakuv, do you perhaps have some minimal example of RA-TLS implemented in Rust (instead of C)? If not, I will try to implement it myself.

No, we don't have such an example.