Platform Registration

Overview

A multi-package platform refers to a computer system built with multiple processors or processing units (CPUs) working together. These individual CPUs are often separate physical packages that can be added or removed from the system.

The security technology at issue here is Intel Software Guard Extensions (SGX). SGX allows trusted sections of code, called enclaves, to run securely on a computer system. With a single CPU, managing SGX is straightforward; with multiple CPUs it becomes more complex.

A multi-package platform makes it harder to verify the trustworthiness of the whole system for SGX enclaves. Intel SGX Data Center Attestation Primitives (DCAP) addresses this problem: it gives multi-package systems a way to prove their trustworthiness to other parts of the computer system.

Here's a simplified breakdown of how it works:

  • Each CPU package has its own unique keys and identity.

  • A registration service verifies the authenticity of each package.

  • The CPUs securely communicate and negotiate shared keys.

  • This creates a foundation of trust for SGX enclaves to run securely across the entire system.

In essence, this is what lets a multi-package platform provide a scalable and secure SGX environment even though multiple processors are involved.

Registration of Multi-Package Platform

Entities

  • Registration Authority Service: The foundation for provisioning and attesting multi-package platforms. Intel hosts the Intel Registration Service for this purpose.

  • Provisioning Certification Enclave (PCE): Intel SGX architectural enclave that uses a Provisioning Certification Key (PCK) to sign REPORT structures for Provisioning or Quoting Enclaves. These signed REPORTS contain the ReportData indicating that attestation keys or provisioning protocol messages are created on genuine hardware.

  • Quoting Enclave (QE): The enclave that generates the attestation key used to sign SGX Quotes.

Keys

  • Registration Service Encryption Key (RSEK): The registration authority service’s 3072-bit RSA key used to encrypt/decrypt the platform keys.

  • Registration Service Authentication Key (RSAK): Key that the registration authority service uses to sign authorizations to add new packages to the platform and its self-signed Registration Server ID structure.

  • Hardware Key (HWK): The unique key available to each SGX-capable CPU package. It is derived directly from fuses and is used to derive the PRK (and hence PRK signatures) and the key blob sealing keys.

  • Platform Key (PlatK): This 128-bit key is the foundation of the provisioning key derivations in a processor. Multi-package platforms negotiate platform keys in the field. The platform key is delivered to the registration authority service encrypted with the RSEK, and each CPU package on the platform stores it in a sealed and encrypted key blob protected by its own unique hardware key. SGX Sealing Keys use the platform key together with another value that is unique to the platform instance, so the platform key alone is not enough to unseal enclave-sealed user data.

  • Platform Registration Key (PRK): Unique 3072-bit RSA key pair for each processor package, used for the Initial Platform Establishment, TCB Recovery and Add Package boot flows. It is TCB-specific and derived from the HW key; it signs the platform manifests and is used in the protocol that establishes protected sessions between processors.

  • Provisioning Certification Key (PCK): Signing key that is available to Provisioning Certification Enclave for signing certificate-like QE REPORT structures. The key is unique to the processor package or platform instance, the HW TCB, and the PCE version (PSVN).
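As an added illustration of how the HWK, the PlatK and the key blob relate (example code written for this page, not Intel microcode or DCAP code): a random 256-bit value stands in for the fused HWK, a labelled HMAC-SHA256 step stands in for the microcode key derivation, and AES-GCM stands in for the encrypt-and-MAC that protects the blob. `Package`, `DeriveKey`, `SealKeyBlob`, `OpenKeyBlob`, `SealingKey` and the label strings are all invented for the example; the page does not specify these algorithms or names.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed model of key-blob sealing; not Intel microcode. A random 256-bit value
// stands in for the fused HWK, and an HMAC step stands in for the microcode derivation.

// Package is one CPU package; its hwk never leaves it.
type Package struct {
	ID  string
	hwk []byte
}

func NewPackage(id string) (*Package, error) {
	hwk := make([]byte, 32)
	if _, err := rand.Read(hwk); err != nil {
		return nil, err
	}
	return &Package{ID: id, hwk: hwk}, nil
}

// DeriveKey is a one-step HMAC-SHA256 KDF. Distinct labels give distinct subkeys from
// one root, which is how a single HWK can yield both PRK material and a blob-sealing key.
func DeriveKey(root []byte, label string) []byte {
	m := hmac.New(sha256.New, root)
	m.Write([]byte(label))
	return m.Sum(nil)
}

func (p *Package) blobCipher() (cipher.AEAD, error) {
	block, err := aes.NewCipher(DeriveKey(p.hwk, "key-blob-sealing")[:16])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealKeyBlob produces what the BIOS stores: PlatK encrypted and MACed (AES-GCM) under
// an HWK-derived key, with the package ID bound in as associated data.
func (p *Package) SealKeyBlob(platK []byte) ([]byte, error) {
	g, err := p.blobCipher()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, platK, []byte(p.ID)), nil
}

// OpenKeyBlob recovers PlatK. It fails for any package other than the sealer (different
// HWK, different key) and for any blob that was modified while stored in the BIOS.
func (p *Package) OpenKeyBlob(blob []byte) ([]byte, error) {
	g, err := p.blobCipher()
	if err != nil {
		return nil, err
	}
	if len(blob) < g.NonceSize() {
		return nil, errors.New("key blob too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], []byte(p.ID))
}

// SealingKey models the page's note that an SGX sealing key mixes PlatK with a value
// unique to the platform instance, so PlatK by itself does not yield the sealing key.
func SealingKey(platK, platformInstanceID []byte) []byte {
	return DeriveKey(platK, "sgx-sealing:"+string(platformInstanceID))
}

func main() {
	cpu0, _ := NewPackage("cpu0")
	cpu1, _ := NewPackage("cpu1")
	platK := make([]byte, 16) // constructed; in the field this is negotiated between packages
	rand.Read(platK)
	blob, _ := cpu0.SealKeyBlob(platK)
	_, own := cpu0.OpenKeyBlob(blob)
	_, other := cpu1.OpenKeyBlob(blob)
	fmt.Println("own package:", own, "| other package:", other)
}
```

The point a defender should take from this model is that a key blob copied out of the BIOS is inert without the fused key of the package that sealed it, and that a blob altered in storage fails authentication rather than yielding a wrong PlatK silently.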

Data Structures

  • Key Blob: A data structure generated by the CPU microcode and stored in the BIOS. The key blob contains the PlatK for each CPU on the platform. Each CPU encrypts its key blob and computes a MAC over it using its own unique HWK.

  • Platform Manifest: This data structure holds information about all CPU packages on the platform, such as a signature from each CPU package made with its PRK private key, and the PlatK encrypted with the RSEK.

  • Platform Membership Certificate: A data structure signed by the RSAK indicating that the specified package, at the specified CPUSVN, is allowed access to that platform's keys for that CPUSVN. To allow this, the certificate includes the Platform Registration ID, Platform Info and Registration Server.
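The following added example ties the entities, keys and data structures above together in one round trip; it is written for this page and is not Intel's service, firmware or DCAP code. It assumes RSA-OAEP for the RSEK encryption and RSA-PSS for the PRK and RSAK signatures (the page names only "RSA"), generates PRKs randomly because the HWK derivation is microcode-internal, and uses 2048-bit keys in `main` purely so the demo finishes quickly where the page specifies 3072-bit keys. `Manifest`, `MembershipCert`, `Service`, `BuildManifest`, `Register`, `VerifyMembership`, `NewRSAKey`, the digest layouts and the server name `example-registration-server` are all invented here.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Constructed model of manifest signing and registration; not Intel's code. The page
// specifies 3072-bit RSA keys; main uses 2048 only for speed. must panics on any error.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// NewRSAKey stands in for PRK derivation from the HWK (microcode-internal) and for RSEK/RSAK generation.
func NewRSAKey(bits int) *rsa.PrivateKey { return must(rsa.GenerateKey(rand.Reader, bits)) }
// Manifest lists every package (ID and PRK public key) and carries PlatK encrypted to
// the RSEK. Each package signs digest() with its PRK, so Sigs has one entry per package.
type Manifest struct {
	PlatformID string
	EncPlatK   []byte
	IDs        []string
	PRKPubs    []*rsa.PublicKey
	Sigs       [][]byte
}
func (m *Manifest) digest() []byte {
	h := sha256.New()
	h.Write([]byte(m.PlatformID))
	h.Write(m.EncPlatK)
	for i, pub := range m.PRKPubs {
		h.Write([]byte(m.IDs[i]))
		h.Write(pub.N.Bytes())
	}
	return h.Sum(nil)
}
// BuildManifest runs on the platform: encrypt PlatK to the RSEK, then collect one PRK signature per package.
func BuildManifest(platformID string, platK []byte, rsek *rsa.PublicKey, ids []string, prks []*rsa.PrivateKey) *Manifest {
	m := &Manifest{PlatformID: platformID, IDs: ids,
		EncPlatK: must(rsa.EncryptOAEP(sha256.New(), rand.Reader, rsek, platK, []byte(platformID)))}
	for _, k := range prks {
		m.PRKPubs = append(m.PRKPubs, &k.PublicKey)
	}
	d := m.digest()
	for _, k := range prks {
		m.Sigs = append(m.Sigs, must(rsa.SignPSS(rand.Reader, k, crypto.SHA256, d, nil)))
	}
	return m
}
// MembershipCert is signed with the RSAK and binds one package at one CPUSVN to a platform.
type MembershipCert struct {
	PlatformID, PackageID, Server string
	CPUSVN                        uint16
	Sig                           []byte
}
func (c *MembershipCert) digest() []byte {
	sum := sha256.Sum256([]byte(fmt.Sprintf("%s|%s|%s|%d", c.PlatformID, c.PackageID, c.Server, c.CPUSVN)))
	return sum[:]
}
// Service models the registration authority, holding the RSEK (decrypt) and RSAK (sign).
type Service struct{ RSEK, RSAK *rsa.PrivateKey }
func NewService(bits int) *Service { return &Service{NewRSAKey(bits), NewRSAKey(bits)} }

// Register rejects the manifest unless every PRK signature verifies and PlatK decrypts
// under this service's RSEK; it then issues one membership certificate per package.
func (s *Service) Register(m *Manifest, cpusvn uint16) ([]MembershipCert, error) {
	if len(m.Sigs) != len(m.PRKPubs) || len(m.IDs) != len(m.PRKPubs) {
		return nil, fmt.Errorf("manifest ID, key and signature counts disagree")
	}
	d := m.digest()
	for i, pub := range m.PRKPubs {
		if err := rsa.VerifyPSS(pub, crypto.SHA256, d, m.Sigs[i], nil); err != nil {
			return nil, fmt.Errorf("package %s: invalid PRK signature", m.IDs[i])
		}
	}
	if _, err := rsa.DecryptOAEP(sha256.New(), nil, s.RSEK, m.EncPlatK, []byte(m.PlatformID)); err != nil {
		return nil, fmt.Errorf("PlatK is not encrypted to this RSEK: %w", err)
	}
	certs := make([]MembershipCert, len(m.IDs))
	for i, id := range m.IDs {
		certs[i] = MembershipCert{m.PlatformID, id, "example-registration-server", cpusvn, nil}
		certs[i].Sig = must(rsa.SignPSS(rand.Reader, s.RSAK, crypto.SHA256, certs[i].digest(), nil))
	}
	return certs, nil
}

// VerifyMembership is the check a package runs on a certificate it receives.
func VerifyMembership(c *MembershipCert, rsak *rsa.PublicKey) error {
	return rsa.VerifyPSS(rsak, crypto.SHA256, c.digest(), c.Sig, nil)
}

func main() {
	svc, prks := NewService(2048), []*rsa.PrivateKey{NewRSAKey(2048), NewRSAKey(2048)}
	platK := []byte("constructed-16B!") // negotiated among the packages in the field
	m := BuildManifest("platform-A", platK, &svc.RSEK.PublicKey, []string{"cpu0", "cpu1"}, prks)
	certs, err := svc.Register(m, 5)
	fmt.Println(len(certs), err, VerifyMembership(&certs[0], &svc.RSAK.PublicKey))
}
```

Two design choices carry the security meaning: the manifest digest covers the platform ID, the encrypted PlatK and every member's ID and PRK public key, so no package can be added, dropped or swapped after signing without invalidating every PRK signature; and the membership certificate digest covers the CPUSVN, so a certificate issued for one TCB level cannot be replayed for another.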

Registration Modes

Intel’s registration authority service supports two mechanisms for registering a platform.

Direct Registration

  • You send your platform details directly to Intel's registration service.

  • This grants them permission to store encrypted copies of your platform keys.

  • They can then generate a Provisioning Certification Key (PCK) quickly using just your platform ID.

  • Downside: You lose control over your platform keys (they're stored by Intel).

Indirect Registration

  • You don't send your platform details directly to Intel.

  • Instead, you create a Provisioning Certification Key (PCK) yourself using your platform details.

  • Intel's service only uses your details temporarily to create the PCK, then discards them.

  • They only store basic platform information, not the keys themselves.

  • Downside: You need to keep a copy of your platform details to generate future PCKs.

Registration Environments

Single-Stage Registration

  • A registration agent runs automatically at boot time and speaks directly with the Registration Authority Service over the Internet.

  • The registration agent can directly access the stored values in the BIOS and contact the Registration Authority Service at boot time for platform verification.

  • Downside: The platform requires access to the Internet.

Dual-Stage Registration

  • The environment where the platform is placed has no direct access to the internet.

  • Instead, a proxy server runs between the agent and the authority service.

  • Downside: The proxy server only supports platform manifest retrieval. The Add Package flow requires a direct response from the Registration Authority Service, so it is only feasible if that response is available immediately or if platform provisioning can be completed later with the Platform Membership Certificate.