Existing attestation schemes require pre-signed enclave images and provide few means of including runtime-dependent configuration data (such as report data, enclave-held data, or configid). In multi-party settings in which the parties may not always fully trust each other, attesting multiple pieces of code or data images via these means is cumbersome and inefficient. For example, consider a secure cloud service running a JavaScript interpreter that interprets a third-party script: because the interpreter and the script share an address space, each can interfere with the other's attestation evidence. Similarly, a group of users may want to compute a shared result over all of their combined data, but without sharing their data with each other. Attestation in such scenarios is greatly simplified by a technique called Extended Enclave Initialization Data (EEID), which provides a secure and convenient means to combine all required attestation evidence, and to automatically re-sign images (with a well-known service key) during enclave startup to ensure that all of the code and data is loaded and attested appropriately. An added benefit is that even single-party applications can use this technique to automatically re-sign enclave images with modified configuration settings (such as memory size and thread count), independent of, or in addition to, underlying TEE support for configuration changes. EEID is currently available as an experimental feature for SGX enclaves in the Open Enclave SDK and is used in multiple prototype services at Microsoft.
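The flow described above, modelled as an added example that is not the Open Enclave SDK's code or data format: a pre-built base image (the interpreter) has a fixed measurement, the loader appends runtime configuration and application data (the script) as an EEID blob, extends the measurement over that blob, and signs the result with the well-known service key; the relying party then checks each piece of evidence separately, so a wrong base image, a tampered script, a changed thread count, or a forged signature each fails for an explicit reason. The function names, the JSON/length-prefixed EEID encoding, the `SHA-256(base || eeid)` extension rule and the HMAC stand-in for the service key are all assumptions of this model, chosen so that it runs offline with the standard library.

```python
"""Simplified model of EEID-style evidence construction and verification.

Added illustrative example; the real SDK's measurement and signature formats
differ. The service key is an HMAC key here only so the example is self-contained.
"""
import hashlib
import hmac
import json
import struct

# Hypothetical well-known service key used to re-sign images at enclave startup.
SERVICE_KEY = b"constructed-well-known-service-key"


def measure_base_image(image_bytes: bytes) -> bytes:
    """Measurement of the pre-signed base image (for example, the interpreter)."""
    return hashlib.sha256(b"base:" + image_bytes).digest()


def encode_eeid(config: dict, data: bytes) -> bytes:
    """Serialise runtime configuration plus application data into one EEID blob.

    Canonical JSON and explicit length prefixes ensure loader and verifier
    derive byte-identical blobs from the same inputs.
    """
    cfg = json.dumps(config, sort_keys=True, separators=(",", ":")).encode()
    return struct.pack(">I", len(cfg)) + cfg + struct.pack(">I", len(data)) + data


def extend_measurement(base_measurement: bytes, eeid: bytes) -> bytes:
    """Extended measurement that binds the base image and the EEID blob together."""
    return hashlib.sha256(base_measurement + eeid).digest()


def sign_at_startup(base_image: bytes, config: dict, data: bytes) -> dict:
    """Loader side: build the EEID, extend the measurement, re-sign with the service key."""
    base = measure_base_image(base_image)
    eeid = encode_eeid(config, data)
    measurement = extend_measurement(base, eeid)
    signature = hmac.new(SERVICE_KEY, measurement, hashlib.sha256).digest()
    return {
        "base_measurement": base,
        "eeid": eeid,
        "measurement": measurement,
        "signature": signature,
    }


def verify_evidence(evidence: dict, expected_base_image: bytes,
                    expected_config: dict, expected_data: bytes) -> tuple:
    """Relying-party side. Returns (ok, reason); checks are ordered cheapest-first
    and each failure names the piece of evidence that did not match."""
    measurement = evidence["measurement"]
    base = evidence["base_measurement"]
    eeid = evidence["eeid"]

    # 1. The extended measurement must carry a valid signature by the service key.
    expected_sig = hmac.new(SERVICE_KEY, measurement, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, evidence["signature"]):
        return False, "signature"

    # 2. The reported measurement must really be H(base || eeid).
    if not hmac.compare_digest(extend_measurement(base, eeid), measurement):
        return False, "measurement"

    # 3. The base image must be the interpreter build the relying party trusts.
    if not hmac.compare_digest(base, measure_base_image(expected_base_image)):
        return False, "base image"

    # 4. The EEID must contain exactly the expected configuration and script.
    if not hmac.compare_digest(eeid, encode_eeid(expected_config, expected_data)):
        return False, "eeid"

    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs: an interpreter build, its runtime config, a script.
    cfg = {"heap_pages": 4096, "threads": 4}
    ev = sign_at_startup(b"interpreter-v1", cfg, b"print(1)")
    print(verify_evidence(ev, b"interpreter-v1", cfg, b"print(1)"))   # (True, 'ok')
    print(verify_evidence(ev, b"interpreter-v1", cfg, b"print(2)"))   # (False, 'eeid')
```

Because the configuration is part of the EEID blob, a single-party deployment that only changes memory size or thread count is handled by the same path as the multi-party case: the base image and its signature stay fixed, and only the extended measurement and the startup re-signature change.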
Speakers: Christoph M. Wintersteiger