Understanding the SGX Attestation Mechanism from the Code (Part 4): SGX Keys
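Intel SGX attestation covers the identity of the software running in the enclave (e.g. MRENCLAVE and MRSIGNER), non-measurable state (e.g. the enclave mode, such as debug vs. production), additional data the enclave wishes to associate with itself (e.g. a manifest describing the software configuration), and a cryptographic binding to the platform TCB. This information is bundled into a data structure called a report. A relying party examines the attributes contained in the report to decide whether the enclave is trustworthy.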
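Key derivation diagram (for the details, see: SGX Key Properties)
- Root Provisioning Key (RPK): a key generated by iKGF, held by both Intel and SGX.
- Root Sealing Key (RSK): a key generated by iKGF, held only by SGX.
- Provisioning key: obtained with the EGETKEY instruction; its inputs include the RPK. Intel uses it to authenticate the SGX platform.
- Using the Provisioning key, once authentication with Intel's provisioning service has completed, the enclave and IAS generate an asymmetric key pair through the EPID scheme Join protocol. The private key kept by the enclave is called the attestation key; the report is signed with the attestation key and then forwarded to IAS for remote attestation. IAS holds only the encrypted member key (which can be regarded as one of the inputs used to generate the attestation key). For details, see the EPID scheme Join protocol.
- Provisioning Seal key: obtained with the EGETKEY instruction; its inputs include the RSK. It encrypts the attestation key so that the key can be sealed in storage outside the enclave.
- Report key: obtained with the EGETKEY instruction; its inputs include the RPK, MRENCLAVE and attributes, so an enclave on the same SGX platform can obtain the same report key as its peer enclave (it must supply its own MRENCLAVE and attributes parameters). During local attestation, a report that one enclave has protected with a MAC algorithm can therefore be verified by another enclave on the same SGX platform.
- Seal key: obtained with the EGETKEY instruction; its inputs include the RPK and MRSIGNER. It can be used to seal secrets outside the enclave.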
Software Properties used in Key Derivation

| Field | Purpose |
| --- | --- |
| MRENCLAVE | the SHA256 hash measurement of the enclave computed during enclave build |
| MRSIGNER | the SHA256 hash of the public key used to sign the enclave’s SIGSTRUCT |
| CPUSVN | a set of SVN of firmware components in the TCB. In the case where more than one updatable component is included in the TCB. |
| ISVSVN | the SVN of the software component in the TCB assigned by the enclave signer [through SIGSTRUCT]. |
| ISVPRODID | a product identifier, assigned by the enclave signer [through SIGSTRUCT], used for dividing the key space up. |
| OwnerEpoch | a value provided by the platform, created when a new owner takes possession of the platform. |

Table 2: SGX Keys

| Key | Purpose |
| --- | --- |
| EINIT Token | EINIT Token creation key. |
| Report | EREPORT verification key. |
| Seal | Protects enclave secrets that need to be exposed outside the enclave for long term retention. |
| Provisioning Seal | Attestation key provisioning enclave uses for protecting attestation keys for long term retention outside the enclave. |
| Provisioning | Attestation key provisioning enclave uses for proving the platform is at the TCB it is claiming in the provisioning protocol. |

Table 3: SGX Key Properties

| Key | Attributes | Seal Fuses | Owner Epoch | CPU SVN | ISV SVN | ISV PRODID | MRENCLAVE | MRSIGNER | RAND |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| EINIT Token | Req | Yes | Yes | Req | Req | Yes | No | No | Req |
| Report | Yes | Yes | Yes | Yes | No | No | Yes | No | Req |
| Seal | Req | Yes | Yes | Req | Req | Yes | Req | Req | Req |
| Provisioning | Req | No | No | Req | Req | Yes | No | Yes | Yes |
| Provisioning Seal | Req | Yes | No | Req | Req | Yes | No | Yes | Yes |

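The local-attestation property of the Report key described above, modeled with the inputs from the Report row of Table 3. This is an added example, not code from the original article or from Intel: HMAC-SHA256 stands in for the hardware key derivation and report MAC, and the `Platform`/`Enclave` classes, the function names and all byte values are constructed for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

@dataclass(frozen=True)
class Platform:          # per-CPU inputs; the values in demo() are constructed
    seal_fuses: bytes    # stand-in for the fused root secret
    owner_epoch: bytes
    cpu_svn: bytes

@dataclass(frozen=True)
class Enclave:
    mrenclave: bytes     # 32 bytes
    attributes: bytes    # 16 bytes

def report_key(p, e, key_id):  # inputs per the Report row of Table 3
    info = b"REPORT" + p.owner_epoch + p.cpu_svn + e.attributes + e.mrenclave + key_id
    return hmac.new(p.seal_fuses, info, hashlib.sha256).digest()

def ereport(p, reporter, target, report_data):
    # MAC keyed with the *target's* report key; the reporter never sees it.
    key_id = os.urandom(32)  # the RAND column
    body = reporter.mrenclave + reporter.attributes + report_data
    mac = hmac.new(report_key(p, target, key_id), body, hashlib.sha256).digest()
    return {"body": body, "key_id": key_id, "mac": mac}

def verify_report(p, me, report):
    # The verifier derives its own report key (EGETKEY) and recomputes the MAC.
    key = report_key(p, me, report["key_id"])
    expected = hmac.new(key, report["body"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, report["mac"])

def demo():
    cpu_a = Platform(b"A" * 16, b"\x01" * 16, b"\x02" * 16)
    cpu_b = Platform(b"B" * 16, b"\x01" * 16, b"\x02" * 16)
    app = Enclave(hashlib.sha256(b"app enclave").digest(), b"\x04" * 16)
    verifier = Enclave(hashlib.sha256(b"verifier enclave").digest(), b"\x04" * 16)
    other = Enclave(hashlib.sha256(b"other enclave").digest(), b"\x04" * 16)
    rep = ereport(cpu_a, app, verifier, b"\x00" * 64)
    forged = dict(rep, body=other.mrenclave + rep["body"][32:])
    return {
        "target_same_cpu": verify_report(cpu_a, verifier, rep),
        "other_enclave": verify_report(cpu_a, other, rep),
        "other_cpu": verify_report(cpu_b, verifier, rep),
        "forged_identity": verify_report(cpu_a, verifier, forged),
    }

if __name__ == "__main__":
    print(demo())
```

Only the targeted enclave on the same CPU accepts the report; a different enclave, a different platform, or a body with a swapped reporter identity all fail the MAC check.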
Image 2. Full remote attestation flow [4]
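Other details

How is the membership key hidden mathematically?

Through the EPID scheme Join protocol, the encrypted membership key is used as input material for EPID; "hidden" here simply means encrypted.

- The platform's membership key and the signed certificate form the unique EPID private key; how is the attestation key then generated?
- The attestation key itself is asymmetric (EPID keys).
- The details are in the EPID blind join protocol; judging from the SGX ecosystem flowchart,
- What does the attestation key's signature signify, and how does IAS verify the identity signature?
- The attestation key is an EPID private key, and IAS verifies the signature with the group public key. The Quote contains a field named basename; the check is performed on the signature over the basename to determine whether the signer holds a legitimate attestation key.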