On Sat, Nov 24, 2018 at 01:24:54PM -0600, Dr. Greg wrote: > On Sat, Nov 24, 2018 at 08:15:21AM -0800, Jarkko Sakkinen wrote: > > > On Tue, Nov 20, 2018 at 05:15:08AM -0600, Dr. Greg wrote: > > > Malware would not necessarily need the Intel attestation service. > > > Once access to the PROVISION bit is available, malware teams could > > > simply build their own attestation service. > > > AFAIK not possible as they wouldn't have access to the root > > provisioning key. Can be confirmed from the SDM's key derivation > > table (41-56). > > What provisioning and attestation is all about is establishing an > identity binding for a platform in question. The standard Intel > service binds the identity of a platform to an EPID private key. > > With access to the SGX_FLAGS_PROVISION_BIT an enclave can generate a > perpetual identity for a platform based on the identity modulus > signature (MRSIGNER) of the key that signs the signature structure of > the enclave. Without access to the root provisioning key a security > quorum or group has to be implemented via a subscription or enrollment > model but that is arguably not much of an obstacle. > > That is pretty much the way standard botware works now. > > Without provisions for cryptographically secure authorization and > policy enforcement in the driver, we will be creating infrastructure > for a new generation of botware/malware whose mothership will know > that a participating platform is running with full confidentiality and > integrity protections. OK, I think I got what you mean. With free access to the provision the bot net controller could be sure that a node is running inside an enclave. Is this what you are worried about? Please correct if not or even if there is a slight drift on what you are trying to state. /Jarkko
