Lecture Secure, Trusted and Trustworthy Computing Trusted Execution Environments Intel SGX

Transcription

1 1 Lecture Secure, and Trustworthy Computing Execution Environments Intel Prof. Dr.-Ing. Ahmad-Reza Sadeghi System Security Lab Technische Universität Darmstadt (CASED) Germany Winter Term 2015/2016

2 Intel Software Guard Extensions () [ckeen et al, Hoekstra et al., Anati et al., HASP 13] Security critical code isolated in enclave Only CPU is trusted Transparent memory encryption 18 new instructions Enclaves cannot harm the system Only unprivileged code (CPU ring3) emory protection Designed for ulti-core systems ulti-threaded execution of enclaves Parallel execution of enclaves and untrusted code Enclaves are interruptible Programming Reference available APP1 APP2 Enclave Security Service Operating System CPU Hardware Slide Nr. 2, Lecture Secure, and Trustworthy Computing, WS 2015/16

3 Enclaves Enclaves are isolated memory regions of code and data One part of physical memory (RA) is reserved for enclaves It is called Enclave Page Cache (EPC) EPC memory is encrypted in the main memory (RA) hardware consists of the CPU-Die only EPC is managed by OS/V RA: Random Access emory OS: Operating System V: Virtual achine onitor (also known as Hypervisor) Slide Nr. 3, Lecture Secure, and Trustworthy Computing, WS 2015/16

4 Instructions and Data Structures 18 Instruction 13 Supervisor Instructions 5 User Instructions 13 Data Structures 8 data structures associated to a certain enclave 3 data structures associated to certain memory page(s) 2 data structures associated to overall resource management Slide Nr. 4, Lecture Secure, and Trustworthy Computing, WS 2015/16

5 Instructions Supervisor Instruction Description User Instruction Description ENCLS[EADD] Add a page ENCLU[EENTER] Enter an Enclave ENCLS[EBLOCK] Block an EPC page ENCLU[EEXIT] Exit an Enclave ENCLS[ECREATE] Create an enclave ENCLU[EGETKEY] Create a cryptographic key ENCLS[EDBGRD] Read data by debugger ENCLU[EREPORT] Create a cryptographic report ENCLS[EDBGWR] Write data by debugger ENCLU[ERESUE] Re-enter an Enclave ENCLS[EEXTEND] ENCLS[EINIT] ENCLS[ELDB] ENCLS[ELDU] ENCLS[EPA] ENCLS[EREOVE] ENCLS[ETRACK] ENCLS[EWB] Extend EPC page measurement Initialize an enclave Load an EPC page as blocked Load an EPC page as unblocked Add version array Remove a page from EPC Activate EBLOCK checks Write back/invalidate an EPC page Slide Nr. 5, Lecture Secure, and Trustworthy Computing, WS 2015/16

6 Data Structures Enclave Control Structure (SECS) Thread Control Structure (TCS) State Save Area (SSA) Page Information (PAGEINFO) Security Information (SECINFO) Paging Crypto etadata (PCD) Enclave Signature Structure (SIGSTRUCT) EINT Token Structure (EINITTOKEN) Report (REPORT) Report Target Info (TARGETINFO) Key Request (KEYREQUEST) Version Array (VA) Enclave Page Cache ap (EPC) Slide Nr. 6, Lecture Secure, and Trustworthy Computing, WS 2015/16

7 Data Structures Details Enclave Control Structure (SECS) Represents one enclave Contains, for instance, Hash, ID, size etc. Thread Control Structure (TCS) Each executing thread in the enclave is associated with a Thread Control Structure Contains, for instance, Entry point, pointer to SSA State Save Area (SSA) When an AEX occurs while running in an enclave, the architectural state is saved in the thread s SSA AEX: Asynchronous Enclave Exit Slide Nr. 7, Lecture Secure, and Trustworthy Computing, WS 2015/16

8 Data Structures Details Page Information (PAGEINFO) PAGEINFO is an architectural data structure that is used as a parameter to the EPC-management instructions Linear Address Effective address of the page (aka virtual address) SECINFO SECS Security Information (SECINFO) The SECINFO data structure holds meta-data about an enclave page Read/Write/Execute Page type (SECS, TCS, normal page or VA) Slide Nr. 8, Lecture Secure, and Trustworthy Computing, WS 2015/16

9 Data Structures Details Paging Crypto etadata (PCD) The PCD structure is used to keep track of crypto metadata associated with a paged-out page. Combined with PAGEINFO, it provides enough information for the processor to verify, decrypt, and reload a paged-out EPC page. EWB writes out (the reserved field and) AC values. ELDB/U reads the fields and checks the AC. Contains Enclave ID, SECINFO and AC AC: essage Authentication Code Slide Nr. 9, Lecture Secure, and Trustworthy Computing, WS 2015/16

10 Data Structures Details Version Array (VA) In order to securely store the versions of evicted EPC pages, defines a special EPC page type called a Version Array (VA). Each VA page contains 512 slots, each of which can contain an 8-byte version number for a page evicted from the EPC. When an EPC page is evicted, software chooses an empty slot in a VA page; this slot receives the unique version number of the page being evicted. When the EPC page is reloaded, a VA slot must hold the version of the page. If the page is successfully reloaded, the version in the VA slot is cleared. VA pages can be evicted, just like any other EPC page. When evicting a VA page, a version slot in some other VA page must be used to receive the version for the VA being evicted. Slide Nr. 10, Lecture Secure, and Trustworthy Computing, WS 2015/16

11 Data Structures Details Enclave Page Cache ap (EPC) EPC is a secure structure used by the processor to track the contents of the EPC. The EPC holds exactly one entry for each page that is currently loaded into the EPC. EPC is not accessible by software, and the layout of EPC fields are implementation specific. Contains, for instance, RWX, page type, linear address, state etc. Slide Nr. 11, Lecture Secure, and Trustworthy Computing, WS 2015/16

12 Data Structures Details Enclave Signature Structure (SIGSTRUCT) SIGSTRUCT contains information about the enclave from the enclave signer SIGSTRUCT includes ENCLAVEHASH as SHA256 SIGSTRUCT includes four 3072-bit integers (ODULUS, SIGNATURE, Q1, Q2) EINT Token Structure (EINITTOKEN) The EINIT token is used by EINIT to verify that the enclave is permitted to launch Contains, for instance, attributes, hash and signer of the enclave Authenticated with a cryptographic AC on EINITTOKEN using Launch key AC: essage Authentication Code Slide Nr. 12, Lecture Secure, and Trustworthy Computing, WS 2015/16

13 Data Structures Details Report (REPORT) The REPORT structure is the output of the EREPORT instruction Attributes of the enclave Hash of the enclave Signer of the enclave A set of data used for communication between the enclave and the target enclave A CAC on the report using report key Report Target Info (TARGETINFO) This structure is an input parameter to the EREPORT instruction. It is used to identify the enclave which will be able to cryptographically verify the REPORT structure returned by EREPORT Contains attributes and hash of target enclave Key Request (KEYREQUEST) This structure is an input parameter to the EGETKEY instruction. It is used for selecting the appropriate key and any additional parameters required in the derivation of that key. Slide Nr. 13, Lecture Secure, and Trustworthy Computing, WS 2015/16

14 emory Access Control Access control in two direction From enclaves to outside Isolating malicious enclaves Enclaves needs some means to communicate with the outside world, e.g., their host applications From outside to enclaves Enclave memory must be protected from Applications Privileged software (OS/V) Other enclaves OS: Operating System V: Virtual achine onitor (also known as Hypervisor) Slide Nr. 14, Lecture Secure, and Trustworthy Computing, WS 2015/16

15 AC from enclaves to outside From enclaves to outside All memory access has to conform to segmentation and paging policies by the OS/V Enclaves cannot manipulate those policies, only unprivileged instructions inside an enclave Code fetches from inside an enclave to a linear address outside that enclave will results in a #GP(0) exception AC: emory Access Control #GP(0): General Protection Fault Slide Nr. 15, Lecture Secure, and Trustworthy Computing, WS 2015/16

16 AC outside to enclaves From outside to enclaves Non-enclave accesses to EPC memory results in abort page semantics Direct jumps from outside to any linear address that maps to an enclave do not enable enclave mode and result in a about page semantics and undefined behavior Hardware detects and prevents enclave accesses using logical-to-linear address translations which are different than the original direct EA used to allocate the page. Detection of modified translation results in #GP(0) AC: emory Access Control EA: Enclave Access #GP(0): General Protection Fault Slide Nr. 16, Lecture Secure, and Trustworthy Computing, WS 2015/16

17 Control Structure Access No direct access to control structures Every EPC page has a type: SECS, TCS, normal page or VA Non are accessible from outside an enclave Only normal pages are accessible from inside an enclave SECS, TCS and VA are initialized and manipulated by the hardware Slide Nr. 17, Lecture Secure, and Trustworthy Computing, WS 2015/16

18 Keys SVNs Device Keys Owner Epoch Key Derivation Seal Key, Report Key, etc. SVN: Security Version Numbers Slide Nr. 18, Lecture Secure, and Trustworthy Computing, WS 2015/16

19 Create Enclave Loader User space Client driver Operating system SK/PK Hardware Slide Nr. 19, Lecture Secure, and Trustworthy Computing, WS 2015/16

20 Create Enclave 1 Loader User space Client driver Operating system SK/PK 1. Create App Hardware Slide Nr. 20, Lecture Secure, and Trustworthy Computing, WS 2015/16

21 Create Enclave 1 2 Loader User space Client driver Operating system SK/PK Hardware 1. Create App 2. Create app certificate (includes HASH(App) and Client PK) Slide Nr. 21, Lecture Secure, and Trustworthy Computing, WS 2015/16

22 Create Enclave Loader User space Client driver Operating system SK/PK Hardware 1. Create App 2. Create app certificate (includes HASH(App) and Client PK) 3. Upload App to Loader Slide Nr. 22, Lecture Secure, and Trustworthy Computing, WS 2015/16

23 Create Enclave Loader User space Client driver Operating system SK/PK Hardware 1. Create App 2. Create app certificate (includes HASH(App) and Client PK) 3. Upload App to Loader 4. Create enclave Slide Nr. 23, Lecture Secure, and Trustworthy Computing, WS 2015/16

24 Create Enclave Loader Enclave 5 User space Client driver 5 Operating system SK/PK Hardware 1. Create App 2. Create app certificate (includes HASH(App) and Client PK) 3. Upload App to Loader 4. Create enclave 5. Allocate enclave pages Slide Nr. 24, Lecture Secure, and Trustworthy Computing, WS 2015/16

25 Create Enclave Loader Enclave 5 User space Client driver 5 Operating system SK/PK Hardware 1. Create App 2. Create app certificate (includes HASH(App) and Client PK) 3. Upload App to Loader 4. Create enclave 5. Allocate enclave pages 6. Load & easure App Slide Nr. 25, Lecture Secure, and Trustworthy Computing, WS 2015/16

26 Create Enclave Loader Enclave 5 User space Client driver 5 Operating system SK/PK 7 Hardware 1. Create App 2. Create app certificate (includes HASH(App) and Client PK) 3. Upload App to Loader 4. Create enclave 5. Allocate enclave pages 6. Load & easure App 7. Validate certificate and enclave integrity Slide Nr. 26, Lecture Secure, and Trustworthy Computing, WS 2015/16

27 Create Enclave Loader Enclave 5 User space Client driver 5 Operating system SK/PK 7 8 K Hardware 1. Create App 2. Create app certificate (includes HASH(App) and Client PK) 3. Upload App to Loader 4. Create enclave 8. Generate enclave K key 5. Allocate enclave pages 6. Load & easure App 7. Validate certificate and enclave integrity Slide Nr. 27, Lecture Secure, and Trustworthy Computing, WS 2015/16

28 Create Enclave Loader Enclave 5 User space Client driver 5 Operating system SK/PK 7 K 8 Hardware 1. Create App 2. Create app certificate (includes HASH(App) and Client PK) 3. Upload App to Loader 4. Create enclave 8. Generate enclave K key 5. Allocate enclave pages 6. Load & easure App 7. Validate certificate and enclave integrity 9. Protect enclave Slide Nr. 28, Lecture Secure, and Trustworthy Computing, WS 2015/16

29 Enclave Enclave Creation Details Application Encl. Code EPC list OS EPC EPC RA U EE CPU # Key ID n n+1 EPC: Enclave Page Cache EPC: EPC ap EE: emory Encryption Engine U: emory anagement Unit SECS: Enclave Control Structure Slide Nr. 29, Lecture Secure, and Trustworthy Computing, WS 2015/16

30 Enclave Enclave Creation Details Application Encl. Code 1b. Allocate EP to App 1a. Request Enclave Pages EPC list OS EPC EPC RA U EE CPU # Key ID n n+1 EPC: Enclave Page Cache EPC: EPC ap EE: emory Encryption Engine U: emory anagement Unit SECS: Enclave Control Structure Slide Nr. 30, Lecture Secure, and Trustworthy Computing, WS 2015/16

31 SECS Enclave Enclave Creation Details Application 2a. ECREATE(SECS) Encl. Code 1b. Allocate EP to App 1a. Request Enclave Pages EPC list OS EPC EPC RA U EE CPU # Key ID n n+1 2b. Init SECS EPC: Enclave Page Cache EPC: EPC ap EE: emory Encryption Engine U: emory anagement Unit SECS: Enclave Control Structure Slide Nr. 31, Lecture Secure, and Trustworthy Computing, WS 2015/16

32 SECS Enclave Enclave Creation Details Application 2a. ECREATE(SECS) 3a. EADD(*src, *dest) 3b. copy Encl. Code 1b. Allocate EP to App 1a. Request Enclave Pages EPC list OS EPC EPC RA U EE CPU # Key ID n n+1 2b. Init SECS EPC: Enclave Page Cache EPC: EPC ap EE: emory Encryption Engine U: emory anagement Unit SECS: Enclave Control Structure Slide Nr. 32, Lecture Secure, and Trustworthy Computing, WS 2015/16

33 SECS Enclave Enclave Creation Details Application 2a. ECREATE(SECS) 3a. EADD(*src, *dest) 3b. copy Encl. 4a. EEXTEND(*src) Code 1b. Allocate EP to App 1a. Request Enclave Pages EPC list 4b. Hardware measures OS EPC EPC RA U EE CPU # Key ID n n+1 2b. Init SECS EPC: Enclave Page Cache EPC: EPC ap EE: emory Encryption Engine U: emory anagement Unit SECS: Enclave Control Structure Slide Nr. 33, Lecture Secure, and Trustworthy Computing, WS 2015/16

34 SECS Enclave Enclave Creation Details Application 2a. ECREATE(SECS) 3a. EADD(*src, *dest) 3b. copy Encl. 4a. EEXTEND(*src) Code 5a. EINT 1b. Allocate EP to App 1a. Request Enclave Pages EPC list 4b. Hardware measures OS EPC EPC 5b. Update HASH RA U EE CPU # Key ID n n+1 K PK 2b. Init SECS EPC: Enclave Page Cache EPC: EPC ap EE: emory Encryption Engine U: emory anagement Unit SECS: Enclave Control Structure Slide Nr. 34, Lecture Secure, and Trustworthy Computing, WS 2015/16

35 TCS Enclave Enclave Entry and Exit Details Application Stack AEP ISR EPC list OS U CPU EPC EPC RA EE AEP: Async Exit Point EPC: Encl. Page Cache EPC: EPC ap ISR: Int. Service Routine EE: em. Enc. Engine TCS: Thread Control Structure Slide Nr. 35, Lecture Secure, and Trustworthy Computing, WS 2015/16

36 TCS Enclave Enclave Entry and Exit Details Stack Application AEP EENTER(TCS, AEP) EPC list ISR OS U CPU EPC EPC RA EE AEP: Async Exit Point EPC: Encl. Page Cache EPC: EPC ap ISR: Int. Service Routine EE: em. Enc. Engine TCS: Thread Control Structure Slide Nr. 36, Lecture Secure, and Trustworthy Computing, WS 2015/16

37 TCS Enclave Enclave Entry and Exit Details Stack Application AEP EENTER(TCS, AEP) EPC list ISR OS U CPU EPC EPC RA EE Lock TCS, start Enclave AEP: Async Exit Point EPC: Encl. Page Cache EPC: EPC ap ISR: Int. Service Routine EE: em. Enc. Engine TCS: Thread Control Structure Slide Nr. 37, Lecture Secure, and Trustworthy Computing, WS 2015/16

38 TCS Enclave Enclave Entry and Exit Details Application Stack AEP ISR EPC list OS U CPU EPC EPC RA EE AEP: Async Exit Point EPC: Encl. Page Cache EPC: EPC ap ISR: Int. Service Routine EE: em. Enc. Engine TCS: Thread Control Structure Slide Nr. 38, Lecture Secure, and Trustworthy Computing, WS 2015/16

39 TCS Enclave Enclave Entry and Exit Details Application Stack AEP EEXIT ISR EPC list OS U CPU EPC EPC RA EE AEP: Async Exit Point EPC: Encl. Page Cache EPC: EPC ap ISR: Int. Service Routine EE: em. Enc. Engine TCS: Thread Control Structure Slide Nr. 39, Lecture Secure, and Trustworthy Computing, WS 2015/16

40 TCS Enclave Enclave Entry and Exit Details Application Stack AEP EEXIT ISR EPC list OS U CPU EPC EPC RA EE AEP: Async Exit Point EPC: Encl. Page Cache EPC: EPC ap ISR: Int. Service Routine EE: em. Enc. Engine TCS: Thread Control Structure Slide Nr. 40, Lecture Secure, and Trustworthy Computing, WS 2015/16

41 TCS Enclave Enclave Entry and Exit Details Application Stack AEP ISR EPC list OS U CPU EPC EPC RA EE AEP: Async Exit Point EPC: Encl. Page Cache EPC: EPC ap ISR: Int. Service Routine EE: em. Enc. Engine TCS: Thread Control Structure Slide Nr. 41, Lecture Secure, and Trustworthy Computing, WS 2015/16

42 TCS Enclave Enclave Entry and Exit Details Application Stack AEP ISR EPC list OS Interrupt U CPU EPC EPC RA EE AEP: Async Exit Point EPC: Encl. Page Cache EPC: EPC ap ISR: Int. Service Routine EE: em. Enc. Engine TCS: Thread Control Structure Slide Nr. 42, Lecture Secure, and Trustworthy Computing, WS 2015/16

43 TCS Enclave Enclave Entry and Exit Details Application Stack AEP ISR EPC list OS Interrupt U CPU EPC EPC Save context in Enclave RA EE AEP: Async Exit Point EPC: Encl. Page Cache EPC: EPC ap ISR: Int. Service Routine EE: em. Enc. Engine TCS: Thread Control Structure Slide Nr. 43, Lecture Secure, and Trustworthy Computing, WS 2015/16

44 TCS Enclave Enclave Entry and Exit Details Application Stack AEP ISR EPC list OS Interrupt U CPU EPC EPC Save context in Enclave RA EE AEP: Async Exit Point EPC: Encl. Page Cache EPC: EPC ap ISR: Int. Service Routine EE: em. Enc. Engine TCS: Thread Control Structure Slide Nr. 44, Lecture Secure, and Trustworthy Computing, WS 2015/16

45 TCS Enclave Enclave Entry and Exit Details Application Stack AEP ISR EPC list OS U CPU EPC EPC RA EE AEP: Async Exit Point EPC: Encl. Page Cache EPC: EPC ap ISR: Int. Service Routine EE: em. Enc. Engine TCS: Thread Control Structure Slide Nr. 45, Lecture Secure, and Trustworthy Computing, WS 2015/16

46 TCS Enclave Enclave Entry and Exit Details Application Stack AEP ISR EPC list OS U CPU EPC EPC RA EE AEP: Async Exit Point EPC: Encl. Page Cache EPC: EPC ap ISR: Int. Service Routine EE: em. Enc. Engine TCS: Thread Control Structure Slide Nr. 46, Lecture Secure, and Trustworthy Computing, WS 2015/16

47 TCS Enclave Enclave Entry and Exit Details Application Stack AEP ERESUE EPC list ISR OS U CPU EPC EPC RA EE AEP: Async Exit Point EPC: Encl. Page Cache EPC: EPC ap ISR: Int. Service Routine EE: em. Enc. Engine TCS: Thread Control Structure Slide Nr. 47, Lecture Secure, and Trustworthy Computing, WS 2015/16

48 TCS Enclave Enclave Entry and Exit Details Application Stack AEP ERESUE EPC list ISR OS U CPU EPC EPC RA EE Resume Enclave AEP: Async Exit Point EPC: Encl. Page Cache EPC: EPC ap ISR: Int. Service Routine EE: em. Enc. Engine TCS: Thread Control Structure Slide Nr. 48, Lecture Secure, and Trustworthy Computing, WS 2015/16

49 Create Enclave Secure Channel Shared memory Enclave1 Enclave2 User space Operating system Slide Nr. 49, Lecture Secure, and Trustworthy Computing, WS 2015/16

50 Create Enclave Secure Channel 1 Shared memory Enclave1 Enclave2 User space Operating system 1. Generate DH params Slide Nr. 50, Lecture Secure, and Trustworthy Computing, WS 2015/16

51 Create Enclave Secure Channel 1 Shared memory Enclave1 Enclave2 User space 2 Operating system 1. Generate DH params 2. Create Report Slide Nr. 51, Lecture Secure, and Trustworthy Computing, WS 2015/16

52 Create Enclave Secure Channel 1 Shared memory Enclave1 Enclave2 User space 2 Operating system 3 1. Generate DH params 2. Create Report 3. Generate Report = (HASH(Enclave1), ID-Enclave2, DH-params) Slide Nr. 52, Lecture Secure, and Trustworthy Computing, WS 2015/16

53 Create Enclave Secure Channel 1 Shared memory Enclave1 Enclave2 User space 2 Operating system 3 1. Generate DH params 2. Create Report 3. Generate Report = (HASH(Enclave1), ID-Enclave2, DH-params) 4. Authenticate Report using AC with target enclave s shared key Slide Nr. 53, Lecture Secure, and Trustworthy Computing, WS 2015/16

54 Create Enclave Secure Channel 1 Shared memory 5 Enclave1 Enclave2 User space 2 Operating system 3 1. Generate DH params 2. Create Report 3. Generate Report = (HASH(Enclave1), ID-Enclave2, DH-params) 4. Authenticate Report using AC with target enclave s shared key 5. Pass Report (shared memory) Slide Nr. 54, Lecture Secure, and Trustworthy Computing, WS 2015/16

55 Create Enclave Secure Channel 1 Shared memory 5 Enclave1 Enclave2 User space 2 Operating system 3 1. Generate DH params 4. Authenticate Report using AC with target enclave s shared key 6. Get enclave s share key 2. Create Report 3. Generate Report = (HASH(Enclave1), ID-Enclave2, DH-params) Slide Nr. 55, Lecture Secure, and Trustworthy Computing, WS 2015/16 5. Pass Report (shared memory)

56 Create Enclave Secure Channel 1 Shared memory 5 7 Enclave1 Enclave2 User space 2 Operating system 3 1. Generate DH params 4. Authenticate Report using AC with target enclave s shared key 6. Get enclave s share key 2. Create Report 3. Generate Report = (HASH(Enclave1), ID-Enclave2, DH-params) 7. Validate report Slide Nr. 56, Lecture Secure, and Trustworthy Computing, WS 2015/16 5. Pass Report (shared memory)

57 Create Enclave Secure Channel 1 Shared memory 5 7 Enclave1 Enclave2 User space 2 Operating system 3 1. Generate DH params 4. Authenticate Report using AC with target enclave s shared key 6. Get enclave s share key 2. Create Report 3. Generate Report = (HASH(Enclave1), ID-Enclave2, DH-params) 7. Validate report 8. Repeat for other direction Slide Nr. 57, Lecture Secure, and Trustworthy Computing, WS 2015/16 5. Pass Report (shared memory)

58 Remote Attestation Enclave1 Quoting Enclave User space Operating system Slide Nr. 58, Lecture Secure, and Trustworthy Computing, WS 2015/16

59 Remote Attestation nonce Enclave1 Quoting Enclave User space Operating system 1. Verifier sends nonce Slide Nr. 59, Lecture Secure, and Trustworthy Computing, WS 2015/16

60 Remote Attestation nonce Enclave1 Quoting Enclave User space Operating system 1. Verifier sends nonce 2. Generate Report = (HASH(Enclave1), ID-Enclave0, nonce) Slide Nr. 60, Lecture Secure, and Trustworthy Computing, WS 2015/16

61 Remote Attestation nonce Enclave1 Quoting Enclave User space Operating system 1. Verifier sends nonce 3. Pass Report to Quoting Enclave 2. Generate Report = (HASH(Enclave1), ID-Enclave0, nonce) Slide Nr. 61, Lecture Secure, and Trustworthy Computing, WS 2015/16

62 Remote Attestation nonce Enclave1 Quoting Enclave User space Operating system 1. Verifier sends nonce 3. Pass Report to Quoting Enclave 2. Generate Report = (HASH(Enclave1), ID-Enclave0, nonce) 4. Quoting Enclave verifies Report Slide Nr. 62, Lecture Secure, and Trustworthy Computing, WS 2015/16

63 Remote Attestation nonce Enclave1 Quoting Enclave User space Operating system 1. Verifier sends nonce 3. Pass Report to Quoting Enclave 2. Generate Report = (HASH(Enclave1), ID-Enclave0, nonce) 4. Quoting Enclave verifies Report 5. Signs Report with Platform Key Slide Nr. 63, Lecture Secure, and Trustworthy Computing, WS 2015/16

64 Remote Attestation nonce Enclave1 Quoting Enclave User space Operating system 1. Verifier sends nonce 3. Pass Report to Quoting Enclave 6. Signed Report is send to verifier 2. Generate Report = (HASH(Enclave1), ID-Enclave0, nonce) 4. Quoting Enclave verifies Report Slide Nr. 64, Lecture Secure, and Trustworthy Computing, WS 2015/16 5. Signs Report with Platform Key