Remote Attestation
Overview
Remote attestation enables an enclave to remotely attest its identity to another entity, which can be another enclave or a non-enclave. Remote attestation mechanisms are strictly stronger than local attestation mechanisms because they use an external authority (usually a certificate authority) as the root of trust rather than a machine-local root of trust, such as a symmetric secret.
Asylo currently supports two mechanisms for remote attestation for Intel SGX.
SGX Remote Attestation
Quoting Enclaves
SGX remote attestation is enabled by a quoting enclave. A quoting enclave is an enclave that produces quotes, or remote attestations, on behalf of enclaves running on the same machine. A quoting enclave is certified by one or more certificate authorities. This enables the quoting enclave to produce quotes that chain back to a trusted authority.
A quoting enclave can be certified by Intel by having its hardware REPORT signed by the Provisioning Certification Key (PCK). The PCK is a signing key wielded by the Provisioning Certification Enclave (PCE), a special enclave written, signed, and distributed by Intel. Intel issues PCK certificates chaining back to the Intel SGX Root CA, the root of the Intel SGX PKI.
Remote attestation is built on top of local attestation: a quoting enclave uses SGX local attestation to verify another enclave’s identity before signing a statement about that enclave’s identity. This same mechanism is used by the PCE to certify an quoting enclave.
Asylo supports two different quoting enclaves: the Intel ECDSA Quoting Enclave and the Asylo Assertion Generator Enclave.
Intel ECDSA Quoting Enclave
The Intel ECDSA Quoting Enclave is a quoting enclave written, signed, and distributed by Intel. The QE is written using the Intel SGX SDK and, consequently, has a smaller Trusted Computing Base (TCB) than a quoting enclave written using Asylo.
When to Use it
The Intel ECDSA QE is recommended for Asylo applications that require a minimal TCB. Additionally, if using older SGX hardware with limited EPC, the Intel ECDSA QE is recommended because it allows loading on-demand.
How to Use it
NOTE: This requires running on an Intel CPU that supports SGX with Flexible Launch Control (FLC).
Asylo provides the
asylo::SgxIntelEcdsaQeRemoteAssertionGenerator
and
asylo::SgxIntelEcdsaQeRemoteAssertionVerifier
classes that assist in generating and verifying attestations produced by the
Intel ECDSA QE.
Asylo does not currently support using Intel QE-generated attestations as a gRPC authentication mechanism.
You can download Intel’s architectural enclaves (the QE and the PCE) from Intel’s website. This process is streamlined with the following commands:
DCAP_VERSION="1.6" # Replace with the most up-to-date version available.
INTEL_ENCLAVES_PATH="/opt/intel_enclaves/${DCAP_VERSION}"
mkdir -p "${INTEL_ENCLAVES_PATH}"
curl -SL "https://download.01.org/intel-sgx/sgx-dcap/${DCAP_VERSION}/linux/prebuilt_dcap_${DCAP_VERSION}.tar.gz" \
| tar -xvz --strip=5 -C "${INTEL_ENCLAVES_PATH}"
Asylo Assertion Generator Enclave
The Assertion Generator Enclave (AGE) is a quoting enclave that is part of the Asylo framework. It is written using the Asylo framework and, consequently, has a larger Trusted Computing Base (TCB) than the Intel QE. The AGE TCB notably includes:
The AGE runs a long-lived gRPC attestation server. An enclave can make an RPC to this service to obtain an attestation. Due to running an RPC server, the AGE must be run as a long-lived process (like a system daemon). See instructions below for how to run it.
The AGE defines various entry-points for key and certificate management using the Asylo API.
This includes support for co-certification: Asylo users can extend the AGE’s logic to allow for custom certification logic.
When to Use it
The AGE is recommended for any Asylo applications that make use of Asylo’s gRPC authentication mechanism (and therefore already take a dependency on gRPC), as well as for users that want to manage their own SGX PKI.
How to Use it
The primary use of AGE-based attestation is in establishing secure gRPC connections.
However, Asylo also provides
asylo::SgxAgeRemoteAssertionGenerator
and
asylo::SgxAgeRemoteAssertionVerifier
classes that can be used to generate and verify attestations by the AGE for uses
outside of gRPC authentication.
In either usage scenario, users must run the AGE alongside their Asylo
application. Asylo provides a binary age_main
that runs the AGE and allows
users to interact with its various entry-points. This can be run in either
production mode on real SGX hardware or in “fake” mode using SGX-simulation.
SGX Hardware
NOTE: This requires running on an Intel CPU that supports SGX with Flexible Launch Control (FLC).
First, download Intel’s architectural enclaves from
Intel’s website. This is
streamlined with the following commands (Note: only the libsgx_pce.signed.so
file is needed):
DCAP_VERSION="1.6" # Replace with the most up-to-date version available.
INTEL_ENCLAVES_PATH="/opt/intel_enclaves/${DCAP_VERSION}"
mkdir -p "${INTEL_ENCLAVES_PATH}"
curl -sL "https://download.01.org/intel-sgx/sgx-dcap/${DCAP_VERSION}/linux/prebuilt_dcap_${DCAP_VERSION}.tar.gz" \
| tar -xvz --strip=5 -C "${INTEL_ENCLAVES_PATH}"
Next, fetch a PCK certificate and issuer certificate chain for the target machine. Asylo does not currently provide any tooling for this. Users are referred to Intel’s PCK Certificate Retrieval Tool distributed with Intel SGX DCAP. Also see Intel’s documentation about provisioning an SGX platform with PCK certificates.
The certificate chain should be formatted as an
asylo::CertificateChain
.
Save the PCK certificate chain to a file, then set the environment variable
${PCK_CERTIFICATE_CHAIN}
to that file’s fully qualified path.
An example certificate chain textproto to store in that file:
# proto-message: CertificateChain
certificates: {
format: X509_PEM
data: "-----BEGIN CERTIFICATE-----\n"
"..<certificate_data>..\n"
"-----END CERTIFICATE-----"
}
certificates: {
format: X509_PEM
data: "-----BEGIN CERTIFICATE-----\n"
"..<certificate_data>..\n"
"-----END CERTIFICATE-----"
}
Then, build the AGE:
bazel build --define="SGX_SIM=0" //asylo/identity/attestation/sgx/internal:remote_assertion_generator_enclave_sgx_hw.so
Set the environment variable ${AGE_PATH}
to the AGE binary’s fully qualified
path.
AGE_PATH=/path/to/age/binary
Finally, run the AGE:
bazel run //asylo/identity/attestation/sgx:age_main -- \
--start_age \
--age_path="${AGE_PATH}" \
--issuer_certificate_chain="${PCK_CERTIFICATE_CHAIN}" \
--intel_enclaves_path="${INTEL_ENCLAVES_PATH}" \
SGX Simulation
WARNING: This mode runs the AGE as an SGX-simulation enclave and uses a software-simulated PCE. Consequently, attestations produced in this mode will not be rooted in the Intel SGX PKI. This mode is suitable for testing attestation with Asylo applications.
First, build the AGE:
bazel build --define="SGX_SIM=1" //asylo/identity/attestation/sgx/internal:remote_assertion_generator_enclave_sgx_sim.so
Set the environment variable ${AGE_PATH}
to the AGE binary’s fully qualified
path.
AGE_PATH=/path/to/age/binary
Then, run the AGE:
bazel run //asylo/identity/attestation/sgx:age_main -- \
--start_age \
--use_fake_pce \
--age_path="${AGE_PATH}"