Intel(R) Software Guard Extensions Data Center Attestation Primitives for Linux / Windows OS: Quote Verification Library

SGX Quote Verification Library (QVL)

Reference implementation of ECDSA-based SGX Quote verification.

This library encapsulates all the processing required to verify ECDSA-based Quotes generated by the Intel provided Quoting Enclave.

It requires providing Intel-issued Provisioning Certification Key (PCK) Certificate Chain, Revocation Lists, Trusted Computing Base (TCB) Information and optionally Quoting Enclave Identity corresponding to the platform that is attested. All the collateral required for Quote verification can be aquired from Provisioning Certification Service (PCS) for Intel(R) SGX (https://api.portal.trustedservices.intel.com/provisioning-certification).

The library exposes C-like APIand is implemented in a thread-safe-manner to enable simultaneous Quote verifications.

SGX QVL Sample App

This repository contains also a sample application that demonstrates use of QVL to perform ECDSA-based Quote verification (using sample/attestation attestation collateral delivered together with the app).

SGX Attestation Parsers

This library provides ra reference implementation for parsing ECDSA Attestation collateral (e.g. PCK certificates, TCB Information) provided by Provisioning Certification Service. It is used by Quote Verification Library.

Build

Linux

Requirements:

• cmake version 3.18 or higher
• make
• clang++ with c++11 support (version 5.0.2 or higher is recommended)
• doxygen version 1.8.14 if BUILD_DOCS is enabled
• gcc to compile dependant openssl (version 9.4.0 or higher is recommended, because it requires libstdc++ in version 6)
• bash shell
• due to self contained third parties, ~230MB disk space is required for full build - debug, release, tests and doc
• bullseye for code coverage 8.15 or higher

Additional libraries will be downloaded and compiled during first build:

• openssl v3.X (AttestationLibrary dependency)
• googletest (Tests dependency)
• spdlog (added only if building with logs capabilities)

To build test SGX enclave that includes Quote Verification Library additional libraries are required and should be provided by user:

• Intel SGX SDK - https://software.intel.com/en-us/sgx/sdk
• Intel SGX SSL - https://github.com/intel/intel-sgx-ssl (The version must be compatible with OpenSSL 3 and must be manually built by the user.)
• gcc is used to build in this configuration.

By default cmake will try to find them in /opt/intel/sgxsdk and /opt/intel/sgxssl. To override this provide SGX_SDK and SGX_OPENSSL variables.

Build in release:

$ cd Src
$ ./release

Binaries to be found in Src/Build/Release/dist

Build in debug:

$ cd Src
$ ./debug

Binaries to be found in Src/Build/Debug/dist

Run unit tests:

$ cd Src
$ ./runUT

Run code coverage analysis

(requires Bullseye to be installed on the system)

Default Bullseye install location is /opt/bullseye, but you can specify a different one using a '-b' option:

$ cd Src
$ ./coverage [-b custom/bullseye/location]

Run SGX QVL Sample App

After build sample app can be found in Src/Build/Release/dist/bin for release or Src/Build/Debug/dist/bin for debug.

To display usage run following:

$ LD_LIBRARY_PATH=../lib ./AttestationApp --help

Provided sample data

Build includes sample data for SGX QVL Sample App in Src/Build/Debug/dist/bin/sampleData directory. All files use default names so they will be loaded by app without any parameters. In sampleData directory run:

LD_LIBRARY_PATH=../../lib ../AttestationApp

Build test enclave

To build enclave set BUILD_ENCLAVE option to ON like this:

$ ./release -DBUILD_ENCLAVE=ON

All libraries and sample app will be build with enclave support. To run them Intel SGX enabled platform is needed. Please refer to Intel SGX documentation for Intel SGX setup instructions (https://software.intel.com/en-us/sgx/sdk).

NOTE: This configuration only builds enclave for test purposes. For production grade Quote Verification SGX Enclave please look into QVE directory in this repository.

Clion setup

To use the project in Clion it is necessary to set Clang as a compiler. This is done in File->Settings->Build, Execution, Deployment->CMake menu by adding -DCMAKE_CXX_COMPILER=clang++ to CMake options.

Windows

Requirements:

• Visual Studio 2017
• cmake version 3.2 or higher
• Perl (https://www.activestate.com/products/activeperl/downloads/) for OpenSSL building

NOTE: Enclave build is currently not supported on Windows.

HINT: Windows build may fail if repository path is too long. Consider changing HUNTER_ROOT location in CMakeLists.txt

Using Visual Studio with CMake support

CMake project can be directly opened and built using Visual Studio with CMake support..

Using CMake, MSBuild and PowerShell

$ .\release.ps1

Run unit tests

$ .\Build\Release\out\bin\Release\AttestationApp_UT.exe
$ .\Build\Release\out\bin\Release\AttestationLibrary_IT.exe
$ .\Build\Release\out\bin\Release\AttestationLibrary_UT.exe
$ .\Build\Release\out\bin\Release\AttestationParsers_IT.exe
$ .\Build\Release\out\bin\Release\AttestationParsers_UT.exe