thomasten
commented
2 years ago Hi,
- Yes, that is what happens in GetRemoteReport internally.
- An emulated syscall (doesn't leave the enclave) is done here https://github.com/edgelesssys/ego/blob/355facfe5f87efbd278ff5c542c235bbeb00668c/enclave/ert.go#L46-L62 and dispatched here to OE https://github.com/edgelesssys/edgelessrt/blob/4894b31b918e3b129aa1cbf96b366bea398c2085/src/ertlibc/syscall.cpp#L102-L110
- AFAIK the client can get this info from the report. You may study the OE verification implementation to see this.
emrahsariboz
Thanks for the great product. I would appreciate it if anyone could verify if my understanding of EGo's DCAP-based attestation works correct or wrong.
I understand that EGo uses DCAP-based attestation rather than EPID. And EGo depends on Open Enclave regarding the details of Quoting Enclave.
However, one thing that does not add up is the fact that remote attestation sample generates a report before the quote is generated and signed by Provisioning Certification Enclave (PCE).
1) My understanding of DCAP was the quote will be generated and signed by the PCE, which will then become a report. Could you please help me understand this?
2) Also, where in the code EGo calls the OE APIs regarding QE operations? I don't see any submodule or anything that will use OE. Can you point me to the file/repo?
3) Again, in the remote attestation sample, how does the client retrieves the TCB information when verifying the cached attestation collateral from PCCS using Azure Quote Provider? In other words, how does client knows which attestation collateral to retrieve? Server never sends this information to help client verify.