lsds/sgx-lkl

Feature: multi party attestation

fnerdman opened this issue · 2 comments

As far as I understand the way sgx-lkl is currently built means that only a single party can verify what is running inside an enclave. Although multiple parties could use remote attestation to attest that sgx-lkl is actually running inside an enclave, only the party which sends the remote control config via wireguard can be sure about what is actually being executed by sgx-lkl. This prevents lots of use cases where more than one party needs to trust an enclave.
Wouldn't it be easy to fix this by returning a signature of the remote control config after submission? A copy of the public part of the key pair used for the signature could be provided in the remote attestation report; maybe we could even use WireGuard's key pair for signing. The party having configured the enclave could then provide all other parties with the config and signature and therefore - given that the image provided in the config is openly available and reproducibly buildable - everybody would know what happens in the enclave.

@prp Could you comment on this? The company I'm working for has significant interest in multi-party attestation and would invest resources to provide a pull request for this feature. However, before we start, we would like to make sure whether you would consider this the correct way of implementation.
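The flow proposed above (enclave signs the submitted config, the signing public key is bound into the attestation report, any third party checks both) sketched as an added example. This is illustrative code written for this thread, not sgx-lkl code. It assumes a dedicated Ed25519 signing key generated inside the enclave rather than the WireGuard key pair (WireGuard keys are X25519 key-agreement keys, not signing keys), a report whose `ReportData` field carries SHA-256 of that public key, and a hypothetical domain-separation label; the report structure and config contents are constructed stand-ins.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Report is a constructed stand-in for an enclave attestation report
// after a verifier has already validated the quote. Only the two fields
// this sketch needs are modelled; ReportData carries SHA-256 of the
// signing public key, the usual way to bind a key to a quote.
type Report struct {
	MREnclave  [32]byte
	ReportData [64]byte
}

// Enclave models the part that receives the remote-control config. The
// Ed25519 signing key is an assumption of this example; it is generated
// inside the enclave and never leaves it.
type Enclave struct {
	signKey    ed25519.PrivateKey
	configured bool
}

// NewEnclave generates the signing key and a report binding its public half.
func NewEnclave() (*Enclave, Report, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, Report{}, nil, err
	}
	var rep Report
	copy(rep.MREnclave[:], bytes.Repeat([]byte{0xAA}, 32)) // constructed placeholder measurement
	h := sha256.Sum256(pub)
	copy(rep.ReportData[:], h[:]) // remaining 32 bytes stay zero
	return &Enclave{signKey: priv}, rep, pub, nil
}

// configDigest domain-separates the signed message so a signature over a
// config cannot be confused with any other use of the key. The label is
// hypothetical.
func configDigest(cfg []byte) []byte {
	h := sha256.New()
	h.Write([]byte("sgx-lkl-remote-config-v0\x00"))
	h.Write(cfg)
	return h.Sum(nil)
}

// SubmitConfig accepts the remote-control config exactly once and returns
// the enclave's signature over it. Refusing a second config matters:
// otherwise the configuring party could swap in a different config after
// the other parties had verified the first one.
func (e *Enclave) SubmitConfig(cfg []byte) ([]byte, error) {
	if e.configured {
		return nil, errors.New("enclave already configured")
	}
	e.configured = true
	return ed25519.Sign(e.signKey, configDigest(cfg)), nil
}

// VerifyConfig is what any third party runs, given a report it has
// independently quote-verified plus the public key, config and signature
// handed over by the configuring party.
func VerifyConfig(rep Report, pub ed25519.PublicKey, cfg, sig []byte) error {
	if len(pub) != ed25519.PublicKeySize {
		return errors.New("bad public key length")
	}
	want := sha256.Sum256(pub)
	if !bytes.Equal(rep.ReportData[:32], want[:]) {
		return errors.New("public key is not the one bound in the attestation report")
	}
	if !ed25519.Verify(pub, configDigest(cfg), sig) {
		return errors.New("config signature does not verify")
	}
	return nil
}

func main() {
	enc, rep, pub, err := NewEnclave()
	if err != nil {
		panic(err)
	}
	cfg := []byte(`{"image":"sha256:<placeholder-image-digest>"}`) // constructed config
	sig, _ := enc.SubmitConfig(cfg)
	fmt.Println("honest config verifies:", VerifyConfig(rep, pub, cfg, sig) == nil)
	fmt.Println("tampered config verifies:", VerifyConfig(rep, pub, []byte(`{"image":"other"}`), sig) == nil)
}
```

The third party still has to verify the quote itself (MRENCLAVE matching a reproducible sgx-lkl build, valid collateral) before trusting `ReportData`; the signature only extends that trust from "sgx-lkl is running" to "sgx-lkl was given exactly this config".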

prp commented

@lead4good The way attestation is now done in SGX-LKL in the new Open Enclave version (now in the default branch) is different from the "legacy" branch (see the code around the enclave_config). Ideally, we would like to focus new features on this new version. How could your design for multi-party attestation be adapted to fit with that?