Remote Attestation: Your X-ray vision into an enclave

June 14, 2021

By: Ashutosh Meher, Developer Evangelist at R3


Confidential Computing can prove to be a game-changer in enabling multi-party computation without getting into the risk of data leakage or tampering. It would allow multiple enterprises to share confidential information and run various algorithms on it without the risk of their data being seen by each other.

If you are new to Confidential Computing or Conclave, consider taking a look at this article for a brief introduction.

Confidential Computing could lead to huge benefits in various fields—for instance, we can now develop better machine learning models—because of the availability of bigger datasets which was earlier not possible because of the risk of the data being compromised when shared between organizations.

It all comes down to sharing your confidential data with an enclave, where it would be processed and the result would be returned back. All well and good, but how would you know that the enclave in question is really authentic?

Remote Attestation

Remote attestation is that piece of information that helps us to identify the authenticity of an enclave. It is a special data structure that contains the following information:

  • Information indicating that a genuine Intel CPU is running
  • The public key of the enclave
  • A code hash called the measurement
  • Information indicating whether the computer is up-to-date and configured correctly

The most important piece of information that we are interested in here is the measurement. It is a complex hash of the entire module along with its dependencies that is loaded onto the enclave.

Every time a client wants to connect to an enclave and send confidential information for processing, it must first check the remote attestation of the enclave and verify the authenticity of the enclave by comparing the measurement. The remote attestation can be requested from the host.

Below is an example of remote attestation received from the host for an enclave running in simulation mode:

Remote attestation for enclave DB2AF8DD327D18965D50932E08BE4CB663436162CB7641269A4E611FC0956C5F:
— Mode: SIMULATION
— Code signing key hash: 80A866679B567D6B27F5EF9044C13CCB057E761AB8400AD09CC8D70208579611
— Public signing key: 302A300506032B657003210052C7DFDE99D81DF7FF05A2EBED5F8E25FC659A203FAFCA5B07B18CFFD3C5915E
— Public encryption key: F3F02623B55E908C556CE17A13DF385BA621E5D5BCDCDEA8E92E30D4397E0404
— Product ID: 1
— Revocation level: 0
Assessed security level at 2021-05-10T10:09:08.107702Z is INSECURE
– Enclave is running in simulation mode.

Conclave was developed so that any two builds on the same source code should always produce the same measurement. Thus developers can either generate the measurement themselves or rely on a trusted third-party service provider to provide the measurement of the enclave.

Since any update to the source code would change the measurement, it is guaranteed that the enclave does exactly what it says does.

A note on upgrade

It’s pretty evident that any upgrade to the enclave code would result in a change in measurement. This would result in failure since the client would not identify the enclave anymore. A potential solution is to maintain a whitelist of acceptable hashes.

Alternatively, a signing key could be used and as long as the enclave is signed with the key, it could be deemed as authentic.

Want to learn more?

Here are some helpful resources to learn more about Conclave and Confidential Computing.