[messaging] Encrypted Pulic Contact Discovery

Steve Weis steveweis at gmail.com
Wed Aug 26 09:20:39 PDT 2015


Hi Ben. With respect to getting TXT-based remote attestation working, some
cases I know of it working are by the NSA, PrivateCore (now Facebook),
Nebula (specifically Matthew Garrett), and CMU Cylab, which worked on
Flicker. At PrivateCore, we had TXT working for OpenStack deployments on
several bare-metal cloud providers like SoftLayer and Rackspace.

There were also a couple vendors like Hytrust who integrated Intel's Open
Attestation (OAT). Intel has since released their quintessentially
corporate-named "Intel Trust Attestation Solution (Enterprise Edition)" aka
Mt. Wilson, as an OAT successor. IBM/Softlayer is offering TXT "Trusted
Computing Pools" as a feature now using Intel's software.

Outside of TXT, Markus Jakobsson's company FatSkunk (now Qualcomm) made
software-based remote attestation for mobile devices. I've heard of a
couple other niche cases of people doing software-based attestation.

With SGX, remote attestation is possible but seems like an afterthought
right now. My understanding is that Intel expects someone to write an
attesting enclave that will handle attesting peer enclaves. I don't know of
any attestation enclave implementation or tooling around it that exists yet.

Also keep in mind that SGX enclaves are userland code only. If you want to
attest any privileged code on x86 platforms, TXT is still probably the best
option.

On Wed, Aug 26, 2015 at 1:51 AM, Ben Laurie <ben at links.org> wrote:

>
> Heh. If anyone had managed to make remote attestation work, that is. That
> said, it seems like SGX makes it more possible than previous attempts,
> since (in theory) you only need to attest to the enclave contents. Not 100%
> sure I believe that yet, though.
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20150826/0e675733/attachment.html>


More information about the Messaging mailing list