Comments (3)
dmwheel1
commented on July 16, 2024
For SGX, and for other Intel TEEs, the Attestation Key is generally restricted, so you cannot sign "anything".
Typically the way this works (for Intel) is you get a signed attestation that includes a 256-bit or 512-bit value. This value could be a random nonce sent from the remote verifier, or it can be a hash of another structure "attached" to the attestation. In the case of a hashed structure, the verifier then must interpret the structure. The implication is that the attestation gives you data on the claimant, and the claimant provides the additional data. If the verifier believes it can trust the claimant based on the attestation, then it should be able to make some policy decision on the additional claims.
For TEEP running in SGX, the provided attestation would be an additional structure, which would be hashed, and then this hash would be signed in an attestation which would provide details of the SGX enclave code that requested the attestation (things like enclave-signer, hash-of-enclave-code, enclave-version-number, CPU-microcode-version, etc.) The verifier (TAM in this case) would need to validate the SGX Attestation, and then interpret the attached structure.
Hope this is clear enough.
from architecture.
dmwheel1
commented on July 16, 2024
See new Pull Request to address this issue
from architecture.
dthaler
commented on July 16, 2024
Filed a separate issue to track impact on the OTrP spec.
from architecture.
Related Issues (20)
- [Hackathon] How does Agent get unneeded TA list HOT 2
- Obsolete paragraph in intro HOT 1
- Do we want an "applicability statement"? HOT 1
- TEE OS HOT 2
- Indicate the possibility to terminate TLS in the TEE HOT 2
- Figure 4 - Improve readability HOT 1
- Clarification regarding Data Protection HOT 4
- wordsmithing on description of protections for personalization data HOT 4
- Insufficient description for compromised TAM HOT 1
- Intdir review comment: device user in complete sentence
- intdir review comment: TEEP diagram label consistency HOT 1
- Intdir comments: TAM trust by public key elaboration with constraints HOT 1
- Intdir Review comments: TEEP broker triggering and frequency to TAM calls
- Paul Kyzivat GENART review HOT 1
- Russ Housley ARTART review HOT 1
- Ines Robles IOTDIR review HOT 5
- Benjamin M. Schwartz SECDIR review HOT 7
- Lars Eggert GEN-AD Review HOT 4
- Robert Wilton Review Comments HOT 5
- Roman Danyliw Review Comments HOT 16
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from architecture.