DCAP-Attestation Framework

Intel offers a comprehensive certification infrastructure for certifying Quoting Enclaves, using a certificate chain rooted in an Intel-issued certificate. Intel has also open-sourced the core enclaves, so remote attestation can be implemented on top of them. Note that this framework is a reference implementation: the enclaves and certificate authorities can be extended or replaced to build on a different root of trust.

Overview

Note: Not all components are required, and not all of them are incorporated into other enclave software components.

The SGX-based enclave attestation framework consists of the following components:

Intel Provisioning Certification Service

This service provides an API for retrieving Provisioning Certification Key (PCK) certificates, certificate revocation lists, and the Quoting Enclave (QE) and Quote Verification Enclave (QVE) identities.

Intel PCK Certificate ID Retrieval Tool

This tool, operating on SGX-capable platforms, retrieves the platform PCK certificate from the Provisioning Certification Service.

Intel SGX DCAP drivers

Linux Kernels 5.11+ include the upstreamed drivers for SGX DCAP.

Quote Generation Library

This library facilitates the generation of quotes through the Quoting Enclave (QE) and Provisioning Certificate Enclave (PCE).

Platform Quote Provider Library

This library offers a set of APIs that abstract platform implementation-specific functions. It enables the QE and the QVE library to access data and services across various platforms and attestation environments.

Quote Format

Intel has developed a quote format for DCAP-based quotes, which is utilized by the quote generation library and the quote verification library.

Quote Verification Library

Intel provides a quote verification library with a set of APIs for verifying DCAP quotes.

Provisioning Certificate Caching Service (PCCS)

Many cloud service providers and data center owners restrict their platforms from direct internet access and prefer not to rely on externally hosted services for runtime operations. The PCCS allows caching of PCK certificates, PCK certificate revocation lists, TCB Information, QE identity, and QVE Identity structures for all platforms within a data center or cloud service provider.

Proxy Gateway

This tool works in conjunction with the provisioning certificate cache service to retrieve the certificates.

The foundation of this infrastructure is the Provisioning Certification Enclave (PCE), an Intel-provided enclave that acts as a local Certificate Authority for local Quoting Enclaves operating on the same platform.

The Quoting Enclaves generate their own Attestation Keys using their preferred methods and algorithms. The QE provides the attestation public key to the PCE, which authenticates the request and issues a certificate-like structure identifying the QE and the Attestation Key. This structure is signed by the Provisioning Certification Key (PCK), a device-specific signing key that belongs to the Trusted Computing Base. Intel publishes certificates and certificate revocation lists (CRLs) for the PCKs in all genuine Intel platforms, resulting in a complete signature chain from the Quotes to an Intel Certificate Authority (CA). Therefore, anyone with the complete certificate chain and CRLs can verify the resulting Quote.

In summary, the chain of trust is established as follows:

Intel Root CA -> PCK certificate -> Attestation Key Cert -> Quote

Provisioning Certificate Enclave

The Provisioning Certificate Enclave (PCE) utilizes two values to serve as a local Certificate Authority (CA). These values are derived from hardware keys obtained through the EGETKEY hardware instruction. The first value is the Provisioning Certification Key, which is a 256-bit Elliptic Curve signing key compliant with IETF RFC 6090. It uses the NIST p-256 curve and is unique to the device, the current SGX TCB SVNs, and the PCE's ISVSVN. The CertifyKey() API enables an enclave to request certification of provided data using this key. The other value is the Platform Provisioning ID (PPID), which is unique to the platform and PCE identity but not specific to the TCB. These values and the corresponding TCB SVNs are utilized to identify the platform when requesting the corresponding PCK certificate from Intel.

CertifyKey()

To ensure the certificate-like structure created by the PCE is meaningful, it must contain the measurement identity of the requesting enclave. The PCE employs the SGX local attestation architecture to identify the requester. The caller provides a REPORT created by EREPORT, including caller-specified ReportData. The caller also specifies which PCK is to be used, identified by the CPUSVNs and PCE ISVSVN associated with the key. Including the CPUSVN gives flexibility: a key can be requested to be signed under a lower CPUSVN when no certificate is available for the current TCB.

The PCK is a unique hardware identifier that some users may prefer to keep inaccessible. To keep software that is not authorized to access unique IDs away from the PCK, the PCE only processes requests from enclaves with ATTRIBUTES.PROVISIONKEY set to 1. The Launch Enclave, which is selected by the Operating System, holds the authority to grant the PROVISIONKEY attribute (bit 4 of ATTRIBUTES).

GetPCInfo()

The GetPCInfo() API of the PCE allows other enclaves to request a copy of the platform's PPID and the PCE's SVN. Like CertifyKey(), the GetPCInfo() API only honors requests from enclaves with ATTRIBUTES.PROVISIONKEY set to 1. Additionally, the PPID is encrypted in transit from the PCE to the calling enclave: the caller specifies a public key in the request, and the PCE encrypts the PPID under that key. The caller can also specify the cryptographic algorithm, although the initial version of the PCE only supports RSA 3072 with OAEP padding. How the encryption key is chosen depends on the privacy requirements of the environment. In privacy-sensitive attestation environments, the PCK Certificate Service's key may be used to ensure end-to-end confidentiality of unique IDs between the PCE and the backend. In non-privacy-sensitive environments, the key can be an ephemeral key generated by the Quoting Enclave (QE) before invoking the API.

Quoting Enclave

The Intel-provided Quoting Enclave supports 256-bit Elliptic Curve signing keys compliant with IETF RFC 6090, utilizing the NIST p-256 curve.

Attestation Signing Key Generation

The Intel Quoting Enclave generates the attestation key by using its Seal Key, obtained with EGETKEY, as the seed for a key derivation algorithm. This yields a repeatable signing key that is not known to Intel. A change of OwnerEpoch results in a new Attestation Key; otherwise the key is the same anywhere on the platform within the same TCB and across resets, so it needs no persistent storage.

If desired, the Quoting Enclave can generate a different key, for example one per virtual machine (VM) it is invoked in. Alternatively, a QE developer can generate the attestation key from the hardware DRNG. Note that this method results in distinct Quoting Keys for different VMs, but all of them are certified by the same platform Provisioning Certification Enclave.

If a new attestation key is required, such as after TCB Recovery, the Quoting Enclave generates a new ECDSA key using the same procedure.

Certification

The Intel-provided Quoting Enclave implements separate APIs for key generation and key certification. If the PCE or the Provisioning Certification Key is compromised but the Quoting Enclave is not, the existing Attestation Key can be re-certified instead of generating a new QE key.
