Strengthen Enclave Trust with Attestation

ECDSA-based Attestation

ECDSA-based attestation with Intel SGX DCAP allows providers to build and deliver their own attestation service instead of using the remote attestation service provided by Intel. This is useful for enterprise, data center, and cloud service providers who need to address any of the following requirements:

  • Use the large enclave sizes that are made available in the Intel Xeon Scalable processor family.
  • Run large parts of their networks in environments where internet-based services cannot be reached.
  • Keep attestation decisions in-house.
  • Deliver applications that work in a very distributed fashion (for example, peer-to-peer networks) that benefit from not relying on a single point of verification.
  • Prevent platform anonymity where it is not permitted.

This attestation solution is supported on select Intel Xeon E processors and Intel Xeon Scalable processors.

While Intel SGX DCAP requires more provider-managed infrastructure than the attestation solution based on Intel EPID, Intel helps providers create this infrastructure through Intel SGX DCAP.

Remote Attestation Based on Intel EPID

Note that this attestation option is only supported on selected Intel® Core™, Intel Xeon E, and Intel Xeon E3 processors. It is not supported on Intel Xeon Scalable processors.

This technology enables a relying party to attest an enclave without knowing the specific Intel® processor that the enclave is running on. Using this technology requires a platform and for the relying party to have internet access. For more information, see Intel EPID Security Technology.

The online attestation service is created and managed by Intel to:

  • Minimize the complexity of handling multiple security versions for a platform with a trusted computing base (TCB) for Intel SGX
  • Provide privacy properties