[messaging] Encrypted Public Contact Discovery

Justin King-Lacroix justin.king-lacroix at cs.ox.ac.uk
Wed Aug 26 13:31:42 PDT 2015

The problem with TC remote attestation is that it only really works in a
corporate context. The reason is: you can't use it on the open Internet,
because of the endorsement/platform credential availability problems I
mentioned before. (I'd be interested to see if the recent trend towards
actually issuing said credentials changes this. I hope so.)
It's also really only good for attestation of the operating system (whether
bootloaded normally or via TXT). The Cylab guys gave up on Flicker -- which
basically embodies the idea of using TXT for non-OS code -- because it
performs far too poorly to be useful. (As you no doubt know, TrustVisor,
the evolution of the Flicker concept, is based around a hypervisor loaded
in this way.)
I do agree, however, that it is quite useful for making such OS-level

SGX is a really big step both because Intel has actually issued the
equivalent of endorsement/platform credentials, so it's usable on the open
Internet, and because it measures user-level code, which is what most
applications of RA actually care about. (In fact, the partial isolation of
the enclave code from the OS means the remote party often doesn't need to
care about what OS is running.)

I'm really not convinced RA is an afterthought for SGX. Intel have been
talking about it from the get-go.


On 26 August 2015 at 17:20, Steve Weis <steveweis at gmail.com> wrote:

> Hi Ben. With respect to getting TXT-based remote attestation working, some
> cases I know of it working are by the NSA, PrivateCore (now Facebook),
> Nebula (specifically Matthew Garrett), and CMU Cylab, which worked on
> Flicker. At PrivateCore, we had TXT working for OpenStack deployments on
> several bare-metal cloud providers like SoftLayer and Rackspace.
> There were also a couple vendors like Hytrust who integrated Intel's Open
> Attestation (OAT). Intel has since released their quintessentially
> corporate-named "Intel Trust Attestation Solution (Enterprise Edition)" aka
> Mt. Wilson, as an OAT successor. IBM/Softlayer is offering TXT "Trusted
> Computing Pools" as a feature now using Intel's software.
> Outside of TXT, Markus Jakobsson's company FatSkunk (now Qualcomm) made
> software-based remote attestation for mobile devices. I've heard of a
> couple other niche cases of people doing software-based attestation.
> With SGX, remote attestation is possible but seems like an afterthought
> right now. My understanding is that Intel expects someone to write an
> attesting enclave that will handle attesting peer enclaves. I don't know of
> any attestation enclave implementation or tooling around it that exists yet.
> Also keep in mind that SGX enclaves are userland code only. If you want to
> attest any privileged code on x86 platforms, TXT is still probably the best
> option.
> On Wed, Aug 26, 2015 at 1:51 AM, Ben Laurie <ben at links.org> wrote:
>> Heh. If anyone had managed to make remote attestation work, that is. That
>> said, it seems like SGX makes it more possible than previous attempts,
>> since (in theory) you only need to attest to the enclave contents. Not 100%
>> sure I believe that yet, though.
> _______________________________________________
> Messaging mailing list
> Messaging at moderncrypto.org
> https://moderncrypto.org/mailman/listinfo/messaging