Attestation with Intel SGX and Data Center Attestation Primitives (DCAP) for Virtual Servers for VPC
Select availability
Attestation is a process that validates that a runtime environment is instantiated in an encrypted SGX enclave on a system with a known security configuration. Intel SGX DCAP facilitates Attestation.
Confidential computing is only available with select profiles. For more information, see SGX-compatible profiles.
Intel SGX helps protect data in use through application isolation technology. By protecting the integrity and confidentiality of selected code and data, developers can partition their application into hardened enclaves or trusted execution modules to help increase application security.
Installing attestation with SGX DCAP
The PCK certificate is readily made available in the SGX VSI, thus eliminating the need to procure from a PCCS service. This certificate is at /root/.dcap-qcnl/*
.
Install all the required SGX DCAP and QCNL packages; as specified by Intel.
Install DCAP version 1.19 or greater since previous versions do not support locally cached certificates.
Reconfigure AESM to use the locally cached PCK certificate and restart the service as shown in the following example.
Configure /etc/sgx_default_qcnl.conf
"use_secure_cert": false
"local_cache_only": true
and restart aesmd
systemctl restart aesmd
Non-root user must copy the /root/.dcap-qcnl/*
directory to their $HOME
directory to use DCAP.
SGX documentation from Intel
For more information about SGX, see the following links.
-
For DCAP, see Intel® SGX Data Center AttestationPrimitives Intel® SGX DCAP.
-
For attestation by using DCAP, see Quote Generation, Verification, and Attestation with Intel® Software Guard Extensions Data Center Attestation Primitives (Intel® SGX DCAP).
-
For DCAP installation, see Intel® Software Guard Extensions Data Center Attestation Primitives (Intel® SGX DCAP) - A Quick Install Guide.
-
For the Attestation verification service, see Intel® Trust Authority.