如何证明某些数据是在Enclave(Intel SGX)内部计算(或生成)的?

本文介绍了如何证明某些数据是在Enclave(Intel SGX)内部计算(或生成)的?的处理方法，对大家解决问题具有一定的参考价值，需要的朋友们下面随着小编来一起学习吧！

问题描述

How to prove that certain data is calculated(or generated) inside Enclave(Intel SGX)?

我试图在安全区内生成非对称密钥对(私钥可能对外部不可见)，并且

I tried to generate asymmetric key pair inside enclave(private key might be invisible to outside), and

然后使用证据(我想引用或与远程证明相关的东西)公开公钥.

then expose public key with evidence(i guess quote or remote attestation related things).

我了解了远程认证的进展情况，但是我无法提出将远程认证应用于验证飞地生成的数据的方法.

I got how remote attestation goes but, i cannot come up with applying remote attestation to verifying enclave-generated data.

英特尔SGX是否可能出现这种情况?

Is this possible scenario with Intel SGX?

推荐答案

您可以通过将公钥放置在报告证明期间生成的报价的report_data字段中来证明公钥的起源.

You can prove the origin of the public key by placing it in the report_data field of a Quote generated during report attestation.

_quote_t.report_data可用于证明任意数据:

_quote_t.report_data can be used to attest arbitrary data:

通过跟踪以下结构可以找到report_data字段:

The report_data field can be found by tracking the following structures:

sgx_key_exchange.h

typedef struct _ra_msg3_t {
    sgx_mac_t                mac
    sgx_ec256_public_t       g_a;
    sgx_ps_sec_prop_desc_t   ps_sec_prop;
    uint8_t                  quote[];    // <- Here!
} sgx_ra_msg3_t;

sgx_quote.h

typedef struct _quote_t
{
    uint16_t            version;        
    uint16_t            sign_type;      
    sgx_epid_group_id_t epid_group_id;  
    sgx_isv_svn_t       qe_svn;         
    sgx_isv_svn_t       pce_svn;        
    uint32_t            xeid;           
    sgx_basename_t      basename;       
    sgx_report_body_t   report_body;  // <- Here!  
    uint32_t            signature_len;
    uint8_t             signature[];    
} sgx_quote_t;

报价是远程证明协议的Msg3(客户端到服务器)的一部分.您可以在此官方代码示例和 intel/sgx-ra-sample RA示例.

The Quote is part of the Msg3 (client-to-server) of remote attestation protocol. You can review the details of Msg3 creation in this official Code Sample and in the intel/sgx-ra-sample RA example.

在后者中，您可以找到如何使用sgx_create_report生成报告:

In the latter, you can find out how the report is generated using sgx_create_report:

sgx_status_t get_report(sgx_report_t *report, sgx_target_info_t *target_info)
{
#ifdef SGX_HW_SIM
    return sgx_create_report(NULL, NULL, report);
#else
    return sgx_create_report(target_info, NULL, report);
#endif
}

在两种情况下，第二个参数 sgx_report_data_t *report_data是NULL，可以用指向任意输入的指针替换.您要在此处放置公钥或任何其他数据.

In both cases, second argument sgx_report_data_t *report_data is NULL and can be replaced by pointer to arbitrary input. This is where you want to put your public key or any other data.

这篇关于如何证明某些数据是在Enclave(Intel SGX)内部计算(或生成)的?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！