gramineproject / graphene

Graphene / Graphene-SGX - a library OS for Linux multi-process applications, with Intel SGX support
https://grapheneproject.io
GNU Lesser General Public License v3.0

How to perform local attestation between two graphene apps? #2660

Closed sammyne closed 3 years ago

sammyne commented 3 years ago

Description of the problem

I'm running two graphene apps in the same SGX machine, and wondering if there is any doc or example of how to perform local attestation between apps.

Remote attestation isn't what I want.

Steps to reproduce

Expected results

Actual results

mkow commented 3 years ago

We don't support this, but why would you do this? What are you trying to do? Why not just run both of these apps in a single Graphene instance?

sammyne commented 3 years ago

> We don't support this, but why would you do this? What are you trying to do? Why not just run both of these apps in a single Graphene instance?

In my case, there is a QE-like enclave X authenticating local enclaves by means of issuing signed tokens for any locally attested enclaves. X is a centralized service with constant quote (periodically refreshed) such that users just need to check the quote of X and its signed token to authenticate enclaves on the same platform. @mkow

dimakuv commented 3 years ago

@sammyne Graphene supports local attestation flows, but this is not described clearly in the documentation (for the reason that it is not really needed by normal users).

However, you can find hints to implement local attestation:

mkow commented 3 years ago

Oh, I really forgot that we actually support this... :)

sammyne commented 3 years ago
  • graphene/LibOS/shim/test/regression/attestation.c

Great thanks. It would be better if the document can explicitly describe the usable but undocumented /dev/attestation/target_info and /dev/attestation/my_target_info. @dimakuv @mkow

mkow commented 3 years ago

Yeah, I agree that we should document it.
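
The flow over the pseudo-files named in this thread, as an added example that is not from any commenter or from the Graphene project: the verifier exports `/dev/attestation/my_target_info`, and the attester writes it to `/dev/attestation/target_info` and then reads a report bound to a nonce. It assumes Graphene's `user_report_data` and `report` pseudo-files (not named in the thread) and the standard `sgx_target_info_t` / `sgx_report_t` layouts; the function names and the `dir` parameter are the example's own.

```c
/* Added example: local attestation through Graphene's /dev/attestation pseudo-files. */
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Sizes and field offsets of Intel SGX's sgx_target_info_t and sgx_report_t. */
enum { TARGET_INFO_SIZE = 512, REPORT_DATA_SIZE = 64, REPORT_SIZE = 432,
       OFF_MRENCLAVE = 64, OFF_REPORT_DATA = 320 };

/* Read or write exactly len bytes of the pseudo-file dir/name; 0 on success. */
static int xfer(const char *dir, const char *name, int wr, void *buf, size_t len) {
    char path[256];
    snprintf(path, sizeof(path), "%s/%s", dir, name);
    int fd = open(path, wr ? O_WRONLY : O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = wr ? write(fd, buf, len) : read(fd, buf, len);
    close(fd);
    return n == (ssize_t)len ? 0 : -1;
}

/* Verifier (enclave X in the thread): export its own target info for the peer. */
int export_my_target_info(const char *dir, uint8_t *ti) {
    return xfer(dir, "my_target_info", 0, ti, TARGET_INFO_SIZE);
}

/* Attester: request a report keyed to the verifier and bound to data (a fresh nonce). */
int report_for_peer(const char *dir, const uint8_t *ti, const uint8_t *data, uint8_t *report) {
    if (xfer(dir, "target_info", 1, (void *)ti, TARGET_INFO_SIZE)) return -1;
    if (xfer(dir, "user_report_data", 1, (void *)data, REPORT_DATA_SIZE)) return -1;
    if (xfer(dir, "report", 0, report, REPORT_SIZE)) return -1;
    return memcmp(report + OFF_REPORT_DATA, data, REPORT_DATA_SIZE) ? -1 : 0;
}

/* Verifier policy check: returns 1 only if MRENCLAVE and the nonce both match.
 * Call it only after the report MAC has been verified with the enclave's report
 * key (EGETKEY, in-enclave); that step is not shown here. */
int peer_identity_ok(const uint8_t *report, const uint8_t *mrenclave, const uint8_t *nonce) {
    return memcmp(report + OFF_MRENCLAVE, mrenclave, 32) == 0 &&
           memcmp(report + OFF_REPORT_DATA, nonce, REPORT_DATA_SIZE) == 0;
}

int main(void) { /* self-test inside one enclave: attest to ourselves */
    uint8_t ti[TARGET_INFO_SIZE], nonce[REPORT_DATA_SIZE] = {1}, rep[REPORT_SIZE];
    if (export_my_target_info("/dev/attestation", ti) ||
        report_for_peer("/dev/attestation", ti, nonce, rep)) return 1;
    puts("got local report");
    return 0;
}
```

Between two Graphene instances the 512-byte target info and the 432-byte report travel over any untrusted local channel (pipe, socket); the fresh nonce in the report data is what ties a report to one exchange.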