ExternalVendorCode/corda
1
0
Fork 0
mirror of https://github.com/corda/corda.git synced 2025-01-01 02:36:44 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity
83d6a248a8
corda/sgx-jvm/remote-attestation/README.md

46 lines
1.6 KiB
Markdown
Raw Normal View History

ENT-970 - SGX remote attestation host (#173) * ENT-970 - SGX remote attestation host * Remote attestation enclave * Client for the remote attestation host * Communicates with ISV / RA server, which in turn communicates with the Intel Attestation Service * Native library bridging the client code running on the JVM with the native bits controlling and communicating with the enclave * ENT-970 - Address comments from code review * ENT-970 - More updates addressing review comments * ENT-970 - Integrate with root Gradle project for SGX
2017-12-13 17:45:33 +00:00
# Remote Attestation
## Project Organisation
* **Enclave**
The enclave (`enclave/`) is responsible for initialising and coordinating
the remote attestation process from the client side, and will eventually
operate on a secret provisioned from the challenger (once successfully
attested by Intel's Attestation Service).
* **Host**
The host JVM (`host/`) is running in an untrusted environment and
facilitates the communication between the challenger and its enclave.
To coordinate with the enclave, the host uses a native JNI library (in
`host/native/`)
* **Challenger**
The challenger JVM does not require SGX-enabled hardware and is essentially
the party asking the host to prove that it has spun up a program in an
enclave on trusted hardware (that cannot be tampered with), so that
consequently, it can provision an encrypted secret to said enclave.
* **IAS Proxy**
The proxy is responsible for talking to the Intel Attestation Service over
mutual TLS to verify attestation evidence received from the host. The proxy
needs a client certificate and a service provider identifier (SPID) issued
by Intel. In turn, it will forward any received proof from Intel to the
host and challenger, making it possible for the challenger to trust the
host and thus provision the secret. The proof is signed with Intel's root
certificate.
## Getting Started
To get started, run the following commands in `sgx-jvm`:
```bash
> source environment
> sx help
```
Further documentation is available in `sgx-jvm/tools/sx/README.md`.
Reference in New Issue Copy Permalink