gramine-sgx-ias-verify-report – Verify Intel Attestation Service report


gramine-sgx-ias-verify-report [OPTION]…


gramine-sgx-ias-verify-report verifies attestation report retrieved from the Intel Attestation Service (using gramine-sgx-ias-request for example). It also verifies that the quote contained in the IAS report contains expected values.

Command line arguments

-h, --help

Display usage.

-v, --verbose

Print more information.

-m, --msb

Print/parse hex strings in big-endian order.

-r, --report-path

IAS report to verify.

-s, --sig-path

Path to the IAS report’s signature.

-o, --allow-outdated-tcb

Treat IAS status GROUP_OUT_OF_DATE as OK.

-d, --allow-debug-enclave

Allow debug enclave (SGXREPORT.ATTRIBUTES.DEBUG = 1).

-n, --nonce

Nonce that’s expected in the report (optional).

-S, --mr-signer

Expected mr_signer field (hex string, optional).

-E, --mr-enclave

Expected mr_enclave field (hex string, optional).

-R, --report-data

Expected report_data field (hex string, optional).

-P, --isv-prod-id

Expected isv_prod_id field (hex string, optional).

-V, --isv-svn

Expected isv_svn field (hex string, optional).

-i, --ias-pubkey

Path to IAS public RSA key (PEM format, optional).


Report verification with all options enabled:

$ gramine-sgx-ias-verify-report -v -m -r rp -s sp -i ias.pem -o -d -n thisisnonce -S 14b284525c45c4f526bf1535d05bd88aa73b9e184464f2d97be3dabc0d187b57 -E 4d69102c40401f40a54eb156601be73fb7605db0601845580f036fd284b7b303 -R 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004ba476e321e12c720000000000000001 -P 0 -V 0
Verbose output enabled
Endianness set to MSB
Using IAS public key from file 'ias.pem'
IAS key: RSA, 2048 bits
Decoded IAS signature size: 256 bytes
IAS report: signature verified correctly
IAS report: allowing quote status GROUP_OUT_OF_DATE
IAS report: nonce OK
IAS report: quote decoded, size 432 bytes
[...quote dump...]
Quote: mr_signer OK
Quote: mr_enclave OK
Quote: isv_prod_id OK
Quote: isv_svn OK
Quote: report_data OK
Quote: enclave attributes OK