intel / SGXDataCenterAttestationPrimitives


Some questions about flow of DCAP #235

Open TY-cc opened 2 years ago

TY-cc commented 2 years ago

Sorry, I have some problems after reading the following paper: Intel® Software Guard Extensions (Intel® SGX) Data Center Attestation Primitives: ECDSA Quote Library API.

On page 61 of the API document, what does the Intel SGX DCAP mean?

TY-cc commented 2 years ago

Does the application need an enclave when it verifies a quote? There is a sentence: “When the Quote Verification Library is linked to a process, it needs to know the proper enclave loading policy”.

jsun39 commented 2 years ago

No, it is not a must to verify the quote with an enclave. The application could just use the Quote Verification Library (QVL) to verify the quote.

henrywang8atfbdotcom commented 2 years ago

Is the QVL library "internal", or public? Can we use it freely with assumptions that its interface will be well defined moving forward?

jdbeaney commented 2 years ago

It is a public library with publicly defined APIs. The APIs are defined here: https://download.01.org/intel-sgx/latest/dcap-latest/linux/docs/Intel_SGX_ECDSA_QuoteLibReference_DCAP_API.pdf. It will maintain backward compatibility.

TY-cc commented 2 years ago

I have read the DCAP_API, but I still have some problems:

1. An enclave will produce a Report. Is it consistent for the Quote Enclave's (QE) Report and the application enclave's Report? We can get it using the EREPORT instruction, but how do we verify the Report?
2. In the DCAP_API, what is the relationship between the Quote Library, Provisioning Certification Enclave (PCE), Quote Enclave (QE), and Quote Provider Library when generating the Quote?
3. In the Sample Sequence Diagrams of Appendix C of the DCAP_API, the flow has a component called the Intel SGX DCAP. What is it?

> It is a public library with publicly defined APIs. The APIs are defined here: https://download.01.org/intel-sgx/latest/dcap-latest/linux/docs/Intel_SGX_ECDSA_QuoteLibReference_DCAP_API.pdf. It will maintain backward compatibility.

TY-cc commented 2 years ago

> No, it is not a must to verify the quote with an enclave. The application could just use the Quote Verification Library (QVL) to verify the quote.

It has both: quote verify enclave (QVE) and non-QVE.

Now I have some problems about how DCAP generates a Quote and verifies a Quote. What is DCAP's concrete flow?

llly commented 2 years ago

  1. The Report generated by the EREPORT instruction is used to verify enclaves on the same platform. Each enclave can generate its report. Generation and verification can be found in the SGX doc: https://download.01.org/intel-sgx/latest/linux-latest/docs/Intel_SGX_Developer_Reference_Linux_2.17_Open_Source.pdf. The Quote, in contrast, is used to verify enclaves on different platforms.
  2. https://www.intel.com/content/dam/develop/external/us/en/documents/intel-sgx-support-for-third-party-attestation-801017.pdf
  3. libsgx_dcap_ql.so

TY-cc commented 2 years ago

1. After reading the DCAP_API and https://www.intel.com/content/dam/develop/external/us/en/documents/intel-sgx-support-for-third-party-attestation-801017.pdf, I found that the Quote is generated by verifying and signing the application Report. I also found that the QE needs to generate a Report during the deployment-phase PCK retrieval. What is the difference between the QE's Report and a general enclave's Report?
2. I have read it, but it doesn't have the Quote Library and Quote Provider Library.

jdbeaney commented 2 years ago

  1. The QE generates an attestation key pair that it uses to sign application enclave REPORTs. The hash of the attestation key's public key is in the QE's REPORT. The PCE verifies the QE's REPORT and signs it with the PCK private key and thereby certifies the QE's attestation key.
  2. The Platform Quote Provider library APIs are described in section 3.3.1, the Quote (generation) Library APIs are described in 3.1, and the Quote Verification Library APIs are described in section 3.6 of https://download.01.org/intel-sgx/latest/dcap-latest/linux/docs/Intel_SGX_ECDSA_QuoteLibReference_DCAP_API.pdf.
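
The binding described in the comment above (hash of the attestation public key inside the QE's REPORT) can be checked directly on a quote. This is an added example, not code from this thread or from the DCAP project; it assumes the version 3 ECDSA quote layout of `sgx_quote_3.h`, where the QE REPORT's report data holds SHA-256 of the attestation key followed by the QE authentication data, and it runs on a constructed sample quote. It does not check the PCK or attestation-key signatures, which the Quote Verification Library does.

```python
import hashlib
import struct

HEADER_LEN = 48          # sgx_quote_header_t
REPORT_BODY_LEN = 384    # sgx_report_body_t
REPORT_DATA_OFF = 320    # report_data is the last 64 bytes of a report body
FIXED_SIG_LEN = 64 + 64 + REPORT_BODY_LEN + 64  # sig, key, QE report, QE report sig

def parse_sig_data(quote: bytes) -> dict:
    """Split the signature section of a v3 ECDSA quote into its fields."""
    off = HEADER_LEN + REPORT_BODY_LEN
    if len(quote) < off + 4:
        raise ValueError("quote too short")
    (sig_len,) = struct.unpack_from("<I", quote, off)
    sig = quote[off + 4: off + 4 + sig_len]
    if len(sig) != sig_len or sig_len < FIXED_SIG_LEN + 2:
        raise ValueError("truncated signature data")
    (auth_len,) = struct.unpack_from("<H", sig, FIXED_SIG_LEN)
    auth = sig[FIXED_SIG_LEN + 2: FIXED_SIG_LEN + 2 + auth_len]
    if len(auth) != auth_len:
        raise ValueError("truncated QE authentication data")
    return {
        "isv_report_sig": sig[0:64],        # attestation key over the app report
        "attest_pub_key": sig[64:128],      # raw P-256 x || y
        "qe_report": sig[128:512],
        "qe_report_sig": sig[512:576],      # PCK key over the QE report
        "qe_auth_data": auth,
    }

def attest_key_bound_to_qe_report(quote: bytes) -> bool:
    """True if the QE REPORT commits to the attestation key carried in the quote."""
    f = parse_sig_data(quote)
    expected = hashlib.sha256(f["attest_pub_key"] + f["qe_auth_data"]).digest()
    return f["qe_report"][REPORT_DATA_OFF:] == expected + bytes(32)

def build_sample_quote(tamper_key: bool = False) -> bytes:
    """Constructed sample: zeroed header and reports, dummy key and signatures."""
    key, auth = bytes(range(64)), b"constructed-auth"
    qe_report = bytearray(REPORT_BODY_LEN)
    digest = hashlib.sha256(key + auth).digest()
    qe_report[REPORT_DATA_OFF:REPORT_DATA_OFF + 32] = digest
    if tamper_key:                          # swap the key after the QE report was made
        key = b"\xff" + key[1:]
    sig = bytes(64) + key + bytes(qe_report) + bytes(64)
    sig += struct.pack("<H", len(auth)) + auth
    return bytes(HEADER_LEN + REPORT_BODY_LEN) + struct.pack("<I", len(sig)) + sig
```

A quote whose attestation key was replaced after the QE REPORT was produced fails this check even before any signature is examined.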

TY-cc commented 2 years ago

> 1. The QE generates an attestation key pair that it uses to sign application enclave REPORTs. The hash of the attestation key's public key is in the QE's REPORT. The PCE verifies the QE's REPORT and signs it with the PCK private key and thereby certifies the QE's attestation key.
> 2. The Platform Quote Provider library APIs are described in section 3.3.1, the Quote (generation) Library APIs are described in 3.1, and the Quote Verification Library APIs are described in section 3.6 of https://download.01.org/intel-sgx/latest/dcap-latest/linux/docs/Intel_SGX_ECDSA_QuoteLibReference_DCAP_API.pdf.

1. I have read these papers. I understand the first description: the application enclave REPORT is verified and signed by the QE. My problem is about the QE REPORT. The QE will generate a REPORT during the deployment-phase PCK retrieval. Do these two Reports have some differences?
2. I know the components: PCE, QE, Application, Application Enclave, Quote Generation Library, Quote Verification Library, Quote Provider Library, PCK Certification Service. But these can't form a concrete process/flow in my mind for generating a Quote and verifying a Quote.

Can you speak in a private way? That is too much trouble.