On Wed, Feb 05, 2020 at 09:54:31AM -0800, Randy Dunlap wrote: > Hi, > I have some Documentation edits. Please see inline below... > > or just: ``grep sgx /proc/cpuinfo Makes sense. > > +key set into MSRs, which would then generate launch tokens for other enclaves. > > +This would only make sense with read-only MSRs, and thus the option has been > > +discluded. > > I can't find "discluded" in a dictionary. Should be "discarded". > "MAC" can mean a lots of different things. Which one is this? Message authentication code. I open I rewrote the whole local attestation section: "In local attestation an enclave creates a **REPORT** data structure with **ENCLS[EREPORT]**, which describes the origin of an enclave. In particular, it contains a AES-CMAC of the enclave contents signed with a report key unique to each processor. All enclaves have access to this key. This mechanism can also be used in addition as a communication channel as the **REPORT** data structure includes a 64-byte field for variable information." > > +* ECDSA based scheme, which 3rd party to act as an attestation service. > > which uses a 3rd party > or > using a 3rd party It should be "allows a 3rd party". > > +Intel provides an open source *quoting enclave (QE)* and *provisioning > > +certification enclave (PCE)* for the ECDSA based scheme. The latter acts as > > +the CA for the local QE's. Intel also a precompiled binary version of the PCE > > also provides [??] I rewrote it as: "Intel provides a proprietary binary version of the PCE. This is a necessity when the software needs to prove to be running inside a legit enclave on real hardware." Thank you for the comments. /Jarkko
