3rd Gen Intel® Xeon® Scalable Processors support only Elliptic Curve Digital Signature Algorithm (ECDSA) Attestation; thus, Intel® Software Guard Extensions (Intel® SGX) Attestation Service Utilizing Enhanced Privacy ID (EPID) cannot verify their quotes.
Unable to determine if Intel® SGX Attestation Service can be used to attest platforms that support only ECDSA-based attestation.
- Intel® SGX Attestation Service can be used only for EPID-based attestation.
- 3rd Gen Intel® Xeon® Scalable Processors do not support EPID, so you cannot use Intel® SGX Attestation Service to attest 3rd Gen Intel® Xeon® Scalable Processors.
- 3rd Gen Intel® Xeon® Scalable Processors have Flexible Launch Control (FLC), so their quotes must be verified with Intel® SGX DCAP ECDSA attestation.
- Intel® Xeon® E-series 2200 and 2300 processors have FLC and EPID support, so they can be attested by a third party using either Intel® SGX DCAP ECDSA attestation or Intel® SGX Attestation Service and EPID.
- Flexible Launch Control enables third parties to use Data Center Attestation Primitives (DCAP) to build an ECDSA-based attestation environment. The relying party verifies the Intel® SGX platform using the DCAP Quote Verification Library.
- For ECDSA-based attestation, the Intel Provisioning Certification Service provides Platform Certification Key (PCK) certificates, Trusted Compute Base (TCB) info, revocation lists, and quoting enclave identity to the service provider so that the service provider can perform the attestation.
- The Intel DCAP Product Brief explains how all these pieces fit together.
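
A relying party that receives quotes from both processor families can check which verifier a quote belongs to before submitting it. The sketch below is an added example, not Intel code: the function names are hypothetical, and the field offsets and constants come from the public Intel SGX SDK and DCAP quote structure definitions rather than from this article.

```python
import struct

# Layout constants from the public Intel SGX SDK / DCAP quote definitions
# (assumption: they are not given in this article).
EPID_VERSIONS = {1, 2}     # sgx_quote_t, signed with EPID
ECDSA_VERSION = 3          # sgx_quote3_t, produced by the DCAP quoting enclave
ALG_ECDSA_P256 = 2         # att_key_type: ECDSA-256-with-P-256
EPID_SIGN_TYPES = {0, 1}   # sign_type: unlinkable / linkable
SIG_LEN_OFFSET = 432       # 48-byte header + 384-byte report body
MIN_QUOTE_LEN = SIG_LEN_OFFSET + 4


class QuoteFormatError(ValueError):
    """The buffer is not a quote this router knows how to dispatch."""


def route_quote(quote: bytes) -> str:
    """Return 'epid-ias' or 'ecdsa-dcap' for a raw SGX quote."""
    if len(quote) < MIN_QUOTE_LEN:
        raise QuoteFormatError("quote shorter than fixed-size fields")
    # Both layouts start with two little-endian uint16 fields: version, then
    # sign_type (EPID) or att_key_type (ECDSA).
    version, kind = struct.unpack_from("<HH", quote, 0)
    (sig_len,) = struct.unpack_from("<I", quote, SIG_LEN_OFFSET)
    if len(quote) < MIN_QUOTE_LEN + sig_len:
        raise QuoteFormatError("signature data truncated")
    if version in EPID_VERSIONS and kind in EPID_SIGN_TYPES:
        return "epid-ias"      # Intel SGX Attestation Service
    if version == ECDSA_VERSION and kind == ALG_ECDSA_P256:
        return "ecdsa-dcap"    # DCAP Quote Verification Library
    raise QuoteFormatError(f"unsupported version={version} type={kind}")


def build_sample_quote(version: int, kind: int, sig_len: int = 64) -> bytes:
    """Constructed, zero-filled test input; not a real quote."""
    header = struct.pack("<HH", version, kind) + bytes(44)
    return header + bytes(384) + struct.pack("<I", sig_len) + bytes(sig_len)


if __name__ == "__main__":
    for v, k in [(3, 2), (2, 1)]:
        print(v, k, route_quote(build_sample_quote(v, k)))
```

Routing only selects the verifier; a quote is trusted only after that verifier has checked its signature and collateral.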