Intel® Software Guard Extensions
Strengthen Enclave Trust with Attestation
Remote Attestation
This advanced feature allows a hardware entity, or a combination of hardware and software, to gain the trust of a remote provider or producer (also known as the relying party).
Remote attestation gives the relying party increased confidence that the software is running:
- Inside an Intel® Software Guard Extension (Intel® SGX) enclave
- On a fully updated system at the latest security level (also referred to as the trusted computing base [TCB] version)
Attestation results provide:
- The identity of the software being attested
- Details of an unmeasured state (such as the execution mode)
- An assessment of possible software tampering
After an enclave successfully attests itself to a relying party, an encrypted communication channel can be established between the two. Secrets, such as credentials or other sensitive data, can be provisioned directly to the enclave.
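A relying party should not release a secret just because a quote's signature chain verifies; it must also apply a policy to the attestation results listed above (enclave identity, unmeasured state such as debug mode, and the platform TCB level). The following is an added example, not code from Intel or the DCAP libraries: it assumes a verification library has already checked the ECDSA quote against PCS certificates, revocation lists and TCB info, and models its output with constructed field names (AttestationResult) and constructed sample values.

```python
from dataclasses import dataclass, field

# Constructed stand-in for what a quote-verification step reports. Field names
# are assumptions for this example, not a DCAP API.
@dataclass
class AttestationResult:
    mr_enclave: str    # measurement (identity) of the enclave's initial state
    mr_signer: str     # hash of the key that signed the enclave
    isv_prod_id: int   # product id assigned by the enclave author
    isv_svn: int       # enclave security version number
    debug: bool        # unmeasured state: enclave launched in debug mode
    tcb_status: str    # platform TCB level reported from TCB info

# Relying-party policy: which enclaves and platform TCB levels are acceptable.
@dataclass
class Policy:
    allowed_mr_enclave: set
    allowed_mr_signer: set
    isv_prod_id: int
    min_isv_svn: int
    # "UpToDate" is the TCB-info status string meaning a fully patched platform
    # (assumption: status strings as used in Intel's TCB info documents).
    accepted_tcb: set = field(default_factory=lambda: {"UpToDate"})

def evaluate(result: AttestationResult, policy: Policy):
    """Return (accept, reasons); reasons lists every check that failed."""
    reasons = []
    if result.debug:
        reasons.append("enclave runs in debug mode; its memory can be inspected")
    if result.mr_enclave not in policy.allowed_mr_enclave:
        reasons.append("MRENCLAVE not on the allow-list")
    if result.mr_signer not in policy.allowed_mr_signer:
        reasons.append("MRSIGNER not on the allow-list")
    if result.isv_prod_id != policy.isv_prod_id:
        reasons.append(f"unexpected product id {result.isv_prod_id}")
    if result.isv_svn < policy.min_isv_svn:
        reasons.append(f"ISV SVN {result.isv_svn} below minimum {policy.min_isv_svn}")
    if result.tcb_status not in policy.accepted_tcb:
        reasons.append(f"platform TCB status {result.tcb_status!r} not accepted")
    return (not reasons, reasons)

def release_secret(result: AttestationResult, policy: Policy, secret: bytes):
    """Gate secret provisioning on the policy decision; None means refused."""
    accepted, _ = evaluate(result, policy)
    return secret if accepted else None
```

In practice the allow-listed measurements come from a reproducible enclave build, and the minimum SVN is raised whenever a vulnerable enclave version is retired.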
Intel SGX currently supports a single type of remote attestation:
Elliptic Curve Digital Signature Algorithm (ECDSA) Attestation
This method enables third-party attestation via the Intel® Software Guard Extensions Data Center Attestation Primitives (Intel® SGX DCAP).
Features of ECDSA-based attestations:
- Provides flexible provisioning based on ECDSA certificates
- Allows for construction of on-premise attestation services
- Available under an open source licensing model
Intel previously supported the Intel® Software Guard Extensions Attestation Service Utilizing Intel® Enhanced Privacy ID, but this product is now discontinued.
Intel® Tiber™ Trust Authority
This is a zero-trust attestation service that provides customers with assurance that their apps and data are protected on the platform of their choice, including multiple cloud, sovereign clouds, edge, and on-premise environments.
ECDSA-based Attestation
ECDSA-based attestation with Intel SGX DCAP allows providers to build and deliver their own attestation service. This is useful for enterprise, data center, and cloud service providers who need to:
- Use the large enclave sizes that are available in the Intel® Xeon® Scalable processor family and Intel® Xeon® 6 processors.
- Run large parts of their networks in environments where internet-based services cannot be reached.
- Keep attestation decisions in-house.
- Deliver applications that work in a distributed fashion (for example, peer-to-peer networks) that benefit from not relying on a single point of verification.
- Prevent platform anonymity where it is not permitted.
Registration Service for Intel® Xeon® Scalable Processors
To support the initial setup of Intel SGX on server platforms based on Intel Xeon Scalable processors and Intel Xeon 6 processors, Intel is providing a registration service.
This service creates a package that registers platform root keys (PRKs) that are shared between all of the processors on the platform.
Provisioning Certification Service (PCS) for ECDSA Attestation
The PCS includes a set of publicly accessible APIs that allow attestation service providers to retrieve the following:
- Provisioning certificates
- Revocation lists
- Trusted computing base information
These components are then used in the providers’ remote attestation infrastructure to attest their enclaves. For more information (including subscription links), see Attestation Services.