
PCCS and EGO

Open emrahsariboz opened this issue 2 years ago • 2 comments

I just wanted to make sure my understanding of EGO is correct, and I thank everyone out there in advance for helping me understand it.

I understand that EGO remote attestation uses DCAP remote attestation rather than EPID. How is the QUOTE signed in EGO? I couldn't find a reference to a quoting enclave that signs the REPORT generated by the enclave. I came across PCCS but am not sure how it provides this service. Is it true that the AZURE DCAP client is used both for the QE and as the certificate caching system?

If so, which examples are using AZURE DCAP? There are three samples:

  1. Attested TLS
  2. Remote Attestation
  3. Azure Attestation

emrahsariboz avatar Mar 19 '22 14:03 emrahsariboz

EGo's remote attestation is based on Open Enclave's. OE uses Intel's libraries for DCAP attestation, which provide the required architecture enclaves like QE.

The PCCS caches several artifacts from Intel's Provisioning Certification Service (PCS) like certificates.

See https://download.01.org/intel-sgx/sgx-dcap/1.12.1/linux/docs/DCAP_ECDSA_Orientation.pdf on how these components work together.

EGo needs a quote provider to connect to the PCCS. This can either be the Azure DCAP client or Intel's default quote provider. See https://docs.edgeless.systems/ego/#/reference/attest for details.

The Attested TLS and Remote attestation samples can be used with either of the quote providers. Both the attester and the verifier must install it.

The Azure attestation sample should be used with the Azure DCAP client. The attester needs to install it, but the verifier does not need to.

thomasten avatar Mar 21 '22 09:03 thomasten
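As an added illustration of the "quote provider connects to the PCCS" point above (not part of this thread or of EGo's own files): when Intel's default quote provider library is used instead of the Azure DCAP client, it reads its PCCS endpoint from `/etc/sgx_default_qcnl.conf`. The hostname and port below are placeholders for your own PCCS; the `pccs_url` and `use_secure_cert` keys are the ones I know from the Intel DCAP quote provider configuration and should be checked against the DCAP version you deploy.

```json
{
  "pccs_url": "https://pccs.example.internal:8081/sgx/certification/v3/",
  "use_secure_cert": true
}
```

`use_secure_cert: true` makes the quote provider verify the PCCS TLS certificate; setting it to `false` accepts a self-signed PCCS certificate and is only appropriate for a local test setup, since both the attester (when quoting) and the verifier (when fetching collateral for `VerifyRemoteReport`) trust what this endpoint returns.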

Related #167

emrahsariboz avatar Sep 11 '22 14:09 emrahsariboz