
Platform-Based Attestation

Platform-based attestation can be used in air-gapped environments where no connection to the Intel attestation services is possible, not even for periodically updating the DCAP platform certificates.

During the installation, we will attest and verify the SCONE Quoting Enclaves and the SCONE CAS to ensure that we can trust the enclaves.

Example

We use the simple print-arg-env application to show how to perform platform-based attestation:

```bash
cat > print-arg-env.c <<EOF
#include <stdio.h>

extern char **__environ;

int main (int argc, char **argv) {
    printf("argv:");
    for (int i = 0; i < argc; i++) {
        printf(" %s", argv[i]);
    }
    printf("\n");

    char** envp = __environ;
    printf("environ:\n");
    while (*envp != NULL) {
        printf("%s\n", *envp);
        envp++;
    }
    return 42;
}
EOF
```

We use the function determine_sgx_device to determine the name of the SGX device. We pass the SGX device to the cross-compiler container:

```bash
determine_sgx_device
docker run $MOUNT_SGXDEVICE --network=host -it -v `pwd`:/work registry.scontain.com/sconecuratedimages/crosscompilers bash
```

Inside the container, we first compile the program with the help of the cross-compiler:

```bash
scone-gcc /work/print-arg-env.c -g -O3 -o /work/scone-print-arg-env

cd /work
```

You need to create a file identity.pem with the signer key outside of this container: see Section scone-signer-example for details. After copying identity.pem into the container, we sign the program for production as follows:

```bash
scone-signer sign --production scone-print-arg-env -k identity.pem
```

We determine MRENCLAVE of the program:

```bash
export MRENCLAVE=`SCONE_HASH=1 ./scone-print-arg-env`
echo MRENCLAVE of scone-print-arg-env is $MRENCLAVE
```

We assume that there is a local CAS, which we need to attest first. In this demo, we assume that we can initially attest and verify this CAS:

```bash
export SCONE_CAS_ADDR=172.17.0.1
scone cas attest $SCONE_CAS_ADDR
```

We need to determine the public keys of the SCONE QEs. We explain in Section Determining the Platform IDs how to determine these in the context of Kubernetes clusters:

```bash
export PLATFORM=...
```

We can now create a SCONE policy that uses the platform-based attestation. We need to declare that we trust the SCONE QEs. Moreover, we only permit the enclave to run on one of the platforms of these trusted QEs:

```bash
export PREDECESSOR="~"
export SESSION=secure-arguments-example-$RANDOM-$RANDOM
echo $SESSION

cat > session.yml <<EOF
name: $SESSION
version: 0.3
predecessor: $PREDECESSOR

security:
  attestation:
    trusted_scone_qe_pubkeys: ["$PLATFORM"]

services:
   - name: scone-print-arg-env
     attestation:
       mrenclave: [$MRENCLAVE]
     platforms: [$PLATFORM]
     command: ./scone-print-arg-env arg1 arg2 arg3
     environment:
        SCONE_MODE: hw
        SCONE_LOG: ERROR
        env1: running
        env2: in
        env3: env3
     pwd: /
EOF
export SCONE_LAS_ADDR=172.17.0.1
export PREDECESSOR=$(scone session create session.yml)
```
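The policy above is assembled from shell variables, so a mistyped MRENCLAVE or a PLATFORM still set to the "..." placeholder would be submitted to the CAS unchanged. The following added example, which is not part of SCONE's tooling or of the original page, wraps the same session.yml template in a shell function that first checks that MRENCLAVE is a 64-hex-digit measurement and that the platform id is neither empty nor a placeholder, and then verifies that every entry under `platforms` is also listed under `trusted_scone_qe_pubkeys`. The function names and the sample key `constructed-qe-key` are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example: validate the inputs of the platform-based policy before
# writing session.yml. Not SCONE's own tooling; function names are assumptions.

# MRENCLAVE is a SHA-256 measurement: exactly 64 hex characters.
is_mrenclave() {
    case "$1" in
        ""|*[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "${#1}" -eq 64 ]
}

# A usable platform id (SCONE QE public key) must be present, must not be the
# "..." placeholder from the docs, and (assumption) contains no whitespace.
is_platform_id() {
    case "$1" in
        ""|"..."|*[[:space:]]*) return 1 ;;
    esac
    return 0
}

# Render the policy from the page to stdout.
# Arguments: session name, predecessor, MRENCLAVE, platform id.
# Returns non-zero without printing a policy when an input is invalid.
render_session_policy() {
    session="$1"; predecessor="$2"; mrenclave="$3"; platform="$4"
    is_mrenclave "$mrenclave" || { echo "bad MRENCLAVE: '$mrenclave'" >&2; return 1; }
    is_platform_id "$platform" || { echo "bad PLATFORM: '$platform'" >&2; return 1; }
    cat <<EOF
name: $session
version: 0.3
predecessor: $predecessor

security:
  attestation:
    trusted_scone_qe_pubkeys: ["$platform"]

services:
   - name: scone-print-arg-env
     attestation:
       mrenclave: [$mrenclave]
     platforms: [$platform]
     command: ./scone-print-arg-env arg1 arg2 arg3
     environment:
        SCONE_MODE: hw
        SCONE_LOG: ERROR
        env1: running
        env2: in
        env3: env3
     pwd: /
EOF
}

# Check that every platform listed under services[].platforms is also a
# trusted QE key. Both lists come from the same variable when rendered above,
# but this catches a policy that was edited by hand afterwards.
platforms_are_trusted() {
    policy="$1"
    trusted=$(printf '%s\n' "$policy" \
        | sed -n 's/^[[:space:]]*trusted_scone_qe_pubkeys: \[\(.*\)\]/\1/p' | tr -d '" ')
    platforms=$(printf '%s\n' "$policy" \
        | sed -n 's/^[[:space:]]*platforms: \[\(.*\)\]/\1/p' | tr -d '" ' | tr ',' ' ')
    [ -n "$platforms" ] || return 1
    for p in $platforms; do
        case ",$trusted," in
            *",$p,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Usage (constructed values, no real enclave or QE key involved):
#   render_session_policy "$SESSION" "$PREDECESSOR" "$MRENCLAVE" "$PLATFORM" > session.yml
```

Run it in place of the bare `cat > session.yml <<EOF` step; with the real variables exported as above, it writes the same policy, and a placeholder PLATFORM or a truncated MRENCLAVE stops the pipeline before `scone session create` is reached.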

We can now execute the program as follows:

```bash
SCONE_CONFIG_ID=$SESSION/scone-print-arg-env ./scone-print-arg-env
```

The output would look as follows:

```
argv: ./scone-print-arg-env arg1 arg2 arg3
environ:
env1=running
env2=in
SCONE_MODE=hw
SCONE_LOG=ERROR
env3=enclave
```