google / asylo

An open and flexible framework for developing enclave applications
https://asylo.dev
Apache License 2.0

Remote attestation with IAS #39

Closed andrewdomin closed 4 years ago

andrewdomin commented 4 years ago

Hi devs,

It appears that enclaves created with Asylo can produce assertions of their identity (known as an enclave report in SGX lingo) which can be verified by some remote authority. However, I cannot find any examples of an authority performing remote attestation using the Intel Attestation Service (IAS). Is this a feature that is currently supported, and if not, do you expect remote attestation via IAS to be supported in the future?

As a follow-up question (if relevant): without IAS, I believe we cannot fully verify that the hardware running an enclave is authentic. Do the identity assertions provided by Asylo still offer some degree of confidence that an enclave is authentic? In other words, is remote attestation still relatively useful even without support for hardware verification via IAS?

annasapek commented 4 years ago

Asylo currently supports SGX local attestation (see SgxLocalAssertionGenerator and SgxLocalAssertionVerifier), but remote attestation support is not yet available. You can expect to see examples for it once it becomes available.

We are specifically working on adding support for Intel's newer third-party attestation model for SGX, which does not rely on the IAS. Note that this attestation scheme provides the same types of statements as with EPID attestation, but verification of attestations can be done offline. We plan to support attestations produced by both the Intel DCAP quoting enclave as well as by Asylo's quoting enclave.

We do not have plans to support EPID attestation (the attestation model that uses the IAS).

andrewdomin commented 4 years ago

Thanks @annasapek! I appreciate the quick response and links to further information. I'm looking forward to seeing the examples once they are available.

fixerivan commented 4 years ago

can't wait! :)