attestation about graphene HOT 11 CLOSED

Were you ever able to run sealing functions in graphene?

Yes, sealing did work with python-sgx (using graphene).

from graphene.

Hi, sorry for the late response.

It depends on the targets of attestation, and the threat model. If you are simply worried about whether the application code loaded inside an enclave is correct, Graphene ensures the integrity of all loaded binaries including executables, libraries, and the library OS itself. The attestation is based on the fact that each application will have a unique measurement, derived from the binary files and the manifest. By comparing the unique measurement, users can tell whether an enclave is running the application they sign off.

If you need to attest the integrity of an enclave running on a remote host, Graphene current does not provide APIs to access the Intel Attestation Service. It will be a feature for near future.

from graphene.

If you need to attest the integrity of an enclave running on a remote host, Graphene current does not provide APIs to access the Intel Attestation Service. It will be a feature for near future.

Interesting! So you are currently working on a remote attestation feature for Graphene? I'm working on a solution for remote attestation too.

from graphene.

Hello,

I am also interested in the remote attestation. Is there any progress on this feature?

Thanks for your help.

from graphene.

I think it is still on the back-burner. Any patches are welcome.

from graphene.

@adombeck I know currently do not maintain your https://github.com/adombeck/python-sgx library (which was really promising btw). I tried compiling your code and making it work (and also tried another variant with SWIG). However, the program returns nothing and exits (maybe I should compile with debugging on). Were you ever able to run sealing functions in graphene?

from graphene.

@adombeck that is really assuring to hear. Could you please send me your email (I could not find one on your profile) to tarik[at]tarikmoon.com. I have a few questions that I would love to discuss over email and also maybe explain why sealing is really important for the project I am working on.

Thanks in advance.

from graphene.

We are also interested in remote attestation, which is absolutely key to our use case (https://github.com/e-mission/e-mission-docs/blob/master/docs/future_work/privacy.md). @njriasan has remote attestation working outside of graphene using the Intel SDK along with the IBM trust management wrapper (https://github.com/IBM/sgx-trust-management) and would be happy to contribute this feature.

There are multiple possible design points and levels of transparency possible.

@chiache, @donporter any thoughts on how to proceed logistically? Should we open a new issue just to track our proposed contribution or should we keep the high level discussions in this issue?

from graphene.

@shankari , did you also evaluate RA-TLS (https://github.com/cloud-security-research/sgx-ra-tls)? It is a project by Intel Labs that has integration with Graphene-SGX, and it provides Remote Attestation verification report in custom X.509 extensions.

from graphene.

@dimakuv no we haven't. @njriasan can take a look...

from graphene.

I'd recommend writing up your thoughts or questions and emailing to [email protected]

for advice before you do much implementation. The maintainer team can give some guidance on possible options, or we can set up an ad hoc chat if you are serious about building this.

from graphene.