Intel® Software Guard Extensions (Intel® SGX) Services (DCAP/EPID)
基於英特爾® SGX DCAP 的鑒證
An update on 3rd Party Attestation
大型企業和服務提供商希望建立自己的認證能力。
DCAP需要一項Flexible Launch Control的功能,該功能允許平台所有者(而不是英特爾)控制啟動哪些enclave, 需要在BIOS中啟動。
這包括授予哪些區域訪問與證書檢索服務一起使用的平台配置標識符(PPID)的權限。 請求訪問PPID的區域可以由attestation服務提供商簽名。 Launch Enclave的目的之一是防止在隱私敏感的環境中濫用PPID。
構建證明服務需要與操作系統集成,並且我們正在與Linux Kernel社區合作,以盡快將其更新。 請注意,您不需要構建自己的Quoting Enclave。
Product brief Intel®SGX Data Center Attestation Primitives (Intel®SGX DCAP)
intel-sgx-support-for-third-party-attestation
SGX 擁有遠程和封印的能力,這可以用來provision 和 secure secrets. SGX 是指令集的擴展,用來再程序中建立一個可信的執行環境enclave。
enclave 創建不需要secrets. enclave實例化之后,可以再deliver secrets.
該流程,跟CA的流程類似, Intel相當於根CA,會給PCK證書簽名, PCK相當於二級代理, 給其他證明證書簽名。
5. example attestation infrastructures for Data Center or Cloud Deployments
5. 數據中心或雲部署的示例證明基礎架構
This chapter describes an example deployment flow for a Cloud Service Provider(CSP) to host an Attestation Service capable of verifying Quotes created by their platforms without an "runtime" connectivity to Intel SGX DCAP or other services. This flow, shown in Figure 4, combines collection of PPIDs, creation of Attestation keys, retrieving certificates/TCB information, and attestation verification.
本章介紹了雲服務提供商(CSP)托管證明服務的示例部署流程,該服務能夠驗證其平台創建的Quotes,而無需與英特爾SGX DCAP或其他服務進行“運行時”連接。如圖4所示,該流程結合了PPID(Platform provision ID)的收集,證明密鑰的創建,檢索證書/ TCB信息以及證明驗證。
5.1 Identifying Platforms
5.1 識別平台
During the deployment phase when the new platform is prepped, tested, and initial software loaded, the platform registers itself with the CSP's infrastructure.
The Quoting Enclave retrieves the encrypted PPID from the PCE, A software agent delivers the PPID, CPUSVNs and PCEID to a CSP-owned Inventory Management Service (IMS). The IMS can be a self-sufficient service or just a logical set of functions and databases that are part of larger, possibly pre-existing infrastructure. The IMS's role is track Intel SGX attestation identities and retrieve PCK certificates for the Attestation Service.
The Encrypted PPID is provided to the IMS to enable the service to identify the platform when requesting PCK certificates from intel. This only has to be collected once during deployment since the PPID remains constant for the lifetime of the platform.
Once registered, the platform then continues through deployment process.
在部署階段,准備,測試新平台並加載初始軟件時,該平台會在CSP的基礎架構中注冊自己。
Quoting Enclave 從PCE檢索加密的PPID,軟件代理將PPID,CPUSVN和PCEID傳遞給CSP擁有的庫存管理服務(IMS)。 IMS可以是自給自足的服務,也可以只是功能和數據庫的邏輯集,而功能和數據庫則是較大的,可能預先存在的基礎結構的一部分。 IMS的角色是跟蹤英特爾SGX證明身份並為證明服務檢索PCK證書。
加密的PPID提供給IMS,以使服務能夠在從英特爾請求PCK證書時識別平台。由於PPID在平台的生命周期內保持不變,因此在部署過程中只需收集一次。
注冊后,平台將繼續進行部署過程。
5.2 Acquiring PCK Certificates
5.2取得PCK證書
While the platform continues through deployment process, the Inventory Management Service uses an Internet gateway to the Intel DCAP services and requests the PCK certificates for each CSP-owned platform using the interface that retrieves both current and historic certificates for each platform. This provides the Attestation Service with multiple certificates for different TCBs, providing the greatest chance that the service will have an appropriate PCK certificate for whatever attestation software their customer installs in their environment.
在平台繼續進行部署過程的同時,庫存管理服務使用Internet網關訪問Intel DCAP服務,並使用接口檢索每個平台的當前和歷史證書,為每個CSP擁有的平台請求PCK證書。這為證明服務提供了針對不同TCB(Trusted Computing Base)的多個證書,從而為客戶在其環境中安裝的任何證明軟件提供了最大的機會,使該服務具有適當的PCK證書。
5.3 Certifying Attestation Keys
5.3認證密鑰
To ensure that PCE certifies the new Attestation Key with a PCK for which a certificate exists, it's recommended that before generating the attestation key, a software agent download the PCK certificate from the Inventory Management Service. The PCK certificate contains the CPUSVN value that corresponds to that PCK. After generating the Attestation key, the Quoting Enclave can specify this value when requesting the PCE to certify the Attestation public key.
為確保PCE用已存在證書的PCK認證新的證明密鑰,建議在生成證明密鑰之前,軟件代理從庫存管理服務下載PCK證書。 PCK證書包含與該PCK對應的CPUSVN值。生成證明密鑰后, Quoting Enclave可以在請求PCE認證證明公鑰時指定此值。
5.4 TCB Recovery
5.4 TCB恢復
After an Intel SGX TCB element is updated, the process for establishing a new attestation key depends on what type of element was updated.
if a Quoting Enclave was updated, the QE can simply be upgraded and a new attestation key can be generated and certified as described in Section 3.1.2.2. This may not require interaction with the attestation infrastructure.
if a CPU-related component, such as microcode updates or the PCE was updated, a new PCK is required for the PCE. When this occurs, in addition to the QE generating a new attestation key, the infrastructure must also acquire new PCK certificates, CRLs and TCB Info structures.
The CSP Inventory Service requests updated certificates for all CSP-owned platforms affected. If the inventory service maintains a database of encrypted PPIDs and model information for the CSP's platforms, it will have all the information necessary to request new certificates without any interaction with the platforms.
CSPs may choose to continue to use the previous Attestation Keys until all platforms are upgraded and all certificates are downloaded and provided to the CSP Attestation Service. This ensures that the Attestation Services will always have the material needed to verify a Quote and will never need to contact external services in real-time.
更新Intel SGX TCB元素后,建立新證明密鑰的過程取決於更新的元素類型。
如果更新了Quoting Enclave,則可以輕松升級QE,並可以生成新的證明密鑰,並按照第3.1.2.2節中的說明進行認證。這可能不需要與證明基礎結構進行交互。
如果與CPU相關的組件(例如微代碼更新或PCE已更新),則PCE需要新的PCK。發生這種情況時,除了QE會生成新的證明密鑰外,基礎架構還必須獲取新的PCK證書,CRL和TCB Info結構。
CSP清單服務為受影響的所有CSP擁有的平台請求更新的證書。如果清單服務維護了用於CSP平台的加密PPID和模型信息的數據庫,則它將具有請求新證書所需的所有信息,而無需與平台進行任何交互。
CSP可以選擇繼續使用以前的證明密鑰,直到升級所有平台並下載所有證書並將其提供給CSP證明服務為止。這樣可以確保證明服務始終具有核實報價所需的材料,並且永遠不需要實時聯系外部服務。
K8s support
目前demo提供的是DCAP
terminology
Attenstation 展示一個可執行的軟件在一個平台上被正確實例化的過程。