This is an automated email from the ASF dual-hosted git repository.

rduan pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-teaclave-sgx-sdk.git

commit 1b1d03376056321441ef99716aa0888bd5ef19f7
Author: Fanghao Yang <[email protected]>
AuthorDate: Mon Dec 4 10:54:43 2023 -0500

    Add README and doc strings.
---
 samplecode/microsoft_azure_attestation/README.md   | 33 ++++++++++++++++++++++
 .../microsoft_azure_attestation/app/src/main.rs    |  4 ++-
 2 files changed, 36 insertions(+), 1 deletion(-)

diff --git a/samplecode/microsoft_azure_attestation/README.md 
b/samplecode/microsoft_azure_attestation/README.md
new file mode 100644
index 00000000..a659a75c
--- /dev/null
+++ b/samplecode/microsoft_azure_attestation/README.md
@@ -0,0 +1,33 @@
+# Microsoft Azure Attestation Sample
+
+This sample demonstrate how to use Microsoft Azure Attestation to do a ECDSA 
remote attestation of a DCAP quote. To simplify the implementation, both quote 
generation and report verification are included into a single executable file.
+
+In your real-world applications, the `generate_quote` step shall be in your 
server backend, which generate a quote of the SGX enclave and contains a piece 
of custom runtime data (e.g. pubkey for encrypted communications). The sample 
code inject a static byte array into the enclave but your application shall 
generate the "runtime data" during the runtime. For example, you can generate a 
RSA key pair and put the pubkey into the quote and the private key is protected 
by the enclave.
+
+The `validate_json_web_token` step shall be in your client-side code to verify 
the JWT from your server as a remote attestation report. If the JWT is valid, 
you may use the claims to verify the measurements and use the claim of runtime 
data for your specific application. [JWT](https://jwt.io/libraries) is 
supported by almost every mainstream programming languages. The JWT-based RA 
report can be easily integrated into web applications or Web3 smart contracts 
without relying on Intel SGX S [...]
+
+Since the EPID remote attestation will not be available for the 3rd or newer 
generations of Xeon Scalable Processors, the other remote attestation [sample 
code](../remoteattestation) cannot be used for newer Intel Xeon Scalable 
Processors (Icelake or newer). The ECDSA attestation is the only solution with 
Intel SGX for scalable confidential cloud computing (supporting up to 1TB EPC; 
[source](https://www.intel.com/content/www/us/en/newsroom/news/xeon-scalable-platform-built-sensitive-work
 [...]
+
+# Initial Setup for ECDSA Attestation
+
+Before you run this sample code, you need to install the [SGX DCAP 
driver](https://github.com/intel/SGXDataCenterAttestationPrimitives), which is 
built-in with latest Linux kernel.
+
+You need to install SGX SDK and all dependent linux packages with this 
[guide](https://download.01.org/intel-sgx/latest/linux-latest/docs/Intel_SGX_SW_Installation_Guide_for_Linux.pdf).
+
+You don't need to setup your own cache server since Azure provides this server 
internally. Your `PCCS_URL` in your `sgx_default_qcnl.conf` should point to 
Azure internal cache service 
"https://global.acccache.azure.net/sgx/certification/v4/";.
+
+Please use this 
[link](https://www.intel.com/content/www/us/en/developer/articles/guide/intel-software-guard-extensions-data-center-attestation-primitives-quick-install-guide.html)
 as a reference for initial configuration.
+
+The Microsoft Azure SGX Attestation only works with Microsoft Azure 
Confidential Computing VM instances.
+
+# Build and Run
+
+Like other sample codes,
+
+```
+$ make
+$ cd bin
+$ ./maa
+```
+
+If the remote attestation is successful, you should be able to see the print 
of all validated JWT clams.
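Review bot: the "Initial Setup for ECDSA Attestation" paragraph contradicts itself: it tells the reader to install the out-of-tree SGX DCAP driver and in the same sentence says the driver is built into the latest Linux kernel. State which applies: kernels with in-tree SGX support (5.11 and later) need no out-of-tree driver, older kernels need the driver from the linked repository. Also in this hunk: the `PCCS_URL` line ends with a stray `";` after the URL; "you may use the claims to verify the measurements" should say what the client is expected to check (the measurement claims such as MRENCLAVE/MRSIGNER, the runtime data claim, issuer and expiry), because a JWT with a valid signature alone does not tell the client which enclave produced the quote; and wording: "This sample demonstrate" should read "demonstrates", "a ECDSA" should read "an ECDSA", "The sample code inject" should read "injects", and "validated JWT clams" should read "claims".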
diff --git a/samplecode/microsoft_azure_attestation/app/src/main.rs 
b/samplecode/microsoft_azure_attestation/app/src/main.rs
index 98cdcba9..b8dc3de6 100644
--- a/samplecode/microsoft_azure_attestation/app/src/main.rs
+++ b/samplecode/microsoft_azure_attestation/app/src/main.rs
@@ -297,9 +297,11 @@ fn validate_json_web_token(jwt: String, jwks: 
JsonWebKeySet) -> jwt::errors::Res
 }
 
 fn main() {
+    // The runtime data shall be generated by the enclave in the runtime and 
this static byte array is just for demo purpose.
     let runtime_data = b"This is some runtime data";
     // generate a quote using runtime data
     let quote = generate_quote(runtime_data).unwrap();
+    // This part could be a SGX OCALL and request for a JWT from Azure 
Attestation
     let attest_request = AzureSgxAttestationRequest {
         quote: base64_url::encode(&quote),
         runtime_data: SgxRuntimeData::new_binary(runtime_data),
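Review bot: the new comment above `let runtime_data` should say where the binding between the runtime data and the quote happens: the enclave must place (a hash of) the runtime data in the quote's report data when `generate_quote` runs, otherwise the `runtime_data` field sent in `AzureSgxAttestationRequest` is a caller-supplied value the attestation service cannot tie to the enclave. Suggested wording: `// The enclave must bind the runtime data into the quote's report data; this static byte array is for demo purposes only.` The second comment, "This part could be a SGX OCALL", is vague: once the quote has left the enclave the HTTP request can be issued from the untrusted app, so say which side is expected to make it. Grammar: "in the runtime" should read "at runtime" and "for demo purpose" should read "for demo purposes".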
@@ -315,7 +317,7 @@ fn main() {
         .send()
         .unwrap();
     let jwt = res.json::<JwtResponse>().unwrap().token;
-    // println!("{:?}", jwt);
+    // The below code could be your client-side code to validate the JWT
     // get public key from azure attestation
     let res = client
         .get(format!("{}/certs", ATTESTATION_PROVIDER_URL))
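Review bot: the comment "The below code could be your client-side code to validate the JWT" should also say that the key set fetched from `{}/certs` must come from the attestation provider the client already trusts (the configured `ATTESTATION_PROVIDER_URL`, over TLS) and that the token's issuer claim must match that provider; fetching the JWKS from whatever endpoint issued the token would let any issuer validate its own tokens. Separately, `res.json::<JwtResponse>().unwrap().token` on the context line above panics with an unhelpful message when the attestation service returns a non-2xx response (for example a rejected quote); checking the status first (if this is reqwest, `Response::error_for_status()`) would make that failure readable.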

