gramine-sgx-ias-verify-report – Verify Intel Attestation Service report

Synopsis

gramine-sgx-ias-verify-report [OPTION]…

Description

gramine-sgx-ias-verify-report verifies an attestation report retrieved from the
Intel Attestation Service (using gramine-sgx-ias-request, for example). It
also verifies that the quote contained in the IAS report contains the expected
values.

Command line arguments

-h, --help
    Display usage.

-v, --verbose
    Print more information.

-m, --msb
    Print/parse hex strings in big-endian order.

-r, --report-path
    IAS report to verify.

-s, --sig-path
    Path to the IAS report’s signature.

-n, --nonce
    Nonce that’s expected in the report (optional).

-S, --mr-signer
    Expected mr_signer field (hex string, optional).

-E, --mr-enclave
    Expected mr_enclave field (hex string, optional).

-R, --report-data
    Expected report_data field (hex string, optional).

-P, --isv-prod-id
    Expected isv_prod_id field (hex string, optional).

-V, --isv-svn
    Expected isv_svn field (hex string, optional).

-i, --ias-pubkey
    Path to IAS public RSA key (PEM format, optional).

--allow-debug-enclave
    Allow debug enclave (SGXREPORT.ATTRIBUTES.DEBUG = 1).

--allow-outdated-tcb
    Treat IAS status code GROUP_OUT_OF_DATE as OK.

--allow-hw-config-needed
    Treat IAS status code CONFIGURATION_NEEDED as OK.

--allow-sw-hardening-needed
    Treat IAS status code SW_HARDENING_NEEDED as OK.

To treat the IAS status code CONFIGURATION_AND_SW_HARDENING_NEEDED as OK, set
both the --allow-hw-config-needed and --allow-sw-hardening-needed options.

Example

Report verification with most options enabled:
$ gramine-sgx-ias-verify-report -v -m -r rp -s sp -i ias.pem -n thisisnonce -S 14b284525c45c4f526bf1535d05bd88aa73b9e184464f2d97be3dabc0d187b57 -E 4d69102c40401f40a54eb156601be73fb7605db0601845580f036fd284b7b303 -R 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004ba476e321e12c720000000000000001 -P 0 -V 0
Verbose output enabled
Endianness set to MSB
Using IAS public key from file 'ias.pem'
IAS key: RSA, 2048 bits
Decoded IAS signature size: 256 bytes
IAS report: signature verified correctly
IAS report: nonce OK
IAS report: quote decoded, size 432 bytes
[...quote dump...]
Quote: mr_signer OK
Quote: mr_enclave OK
Quote: isv_prod_id OK
Quote: isv_svn OK
Quote: report_data OK
Quote: enclave attributes OK
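
The checks that follow signature verification (status policy, nonce, measurements, debug attribute), as an added Python example that is not Gramine's code and does not verify the RSA signature, so it is only meaningful on a report whose signature has already been checked. It assumes the IAS JSON field names isvEnclaveQuoteStatus, isvEnclaveQuoteBody and nonce, Intel's sgx_quote_t layout for the 432-byte quote body, and expected hex values given in the byte order they have in the quote; the function and parameter names are hypothetical.

```python
import base64, json, struct

# Offsets in the 432-byte quote body (sgx_quote_t header is 48 bytes, then sgx_report_body_t).
ATTR_FLAGS, MR_ENCLAVE, MR_SIGNER = 96, 112, 176
SGX_FLAGS_DEBUG = 0x2  # ATTRIBUTES.DEBUG bit

def status_ok(status, allow_outdated_tcb=False, allow_hw_config=False, allow_sw_hardening=False):
    """Apply the --allow-* policy described above to isvEnclaveQuoteStatus."""
    accepted = {
        "OK": True,
        "GROUP_OUT_OF_DATE": allow_outdated_tcb,
        "CONFIGURATION_NEEDED": allow_hw_config,
        "SW_HARDENING_NEEDED": allow_sw_hardening,
        # The combined status needs both relaxations, as the page states.
        "CONFIGURATION_AND_SW_HARDENING_NEEDED": allow_hw_config and allow_sw_hardening,
    }
    return accepted.get(status, False)  # any other status is rejected

def check_report(report_json, *, nonce=None, mr_signer=None, mr_enclave=None,
                 allow_debug=False, **policy):
    """Return the list of failed checks; an empty list means the report is accepted."""
    report = json.loads(report_json)
    failures = []
    if not status_ok(report.get("isvEnclaveQuoteStatus"), **policy):
        failures.append("status")
    if nonce is not None and report.get("nonce") != nonce:
        failures.append("nonce")
    quote = base64.b64decode(report.get("isvEnclaveQuoteBody", ""))
    if len(quote) != 432:
        return failures + ["quote size"]
    (flags,) = struct.unpack_from("<Q", quote, ATTR_FLAGS)
    if flags & SGX_FLAGS_DEBUG and not allow_debug:
        failures.append("debug enclave")
    if mr_signer is not None and quote[MR_SIGNER:MR_SIGNER + 32] != bytes.fromhex(mr_signer):
        failures.append("mr_signer")
    if mr_enclave is not None and quote[MR_ENCLAVE:MR_ENCLAVE + 32] != bytes.fromhex(mr_enclave):
        failures.append("mr_enclave")
    return failures

def make_report(status, debug=False, nonce="thisisnonce"):
    """Constructed sample report for the example (not real IAS output)."""
    quote = bytearray(432)
    struct.pack_into("<Q", quote, ATTR_FLAGS, 0x5 | (SGX_FLAGS_DEBUG if debug else 0))
    quote[MR_ENCLAVE:MR_ENCLAVE + 32] = bytes([0xEE]) * 32
    quote[MR_SIGNER:MR_SIGNER + 32] = bytes([0x55]) * 32
    return json.dumps({"isvEnclaveQuoteStatus": status, "nonce": nonce,
                       "isvEnclaveQuoteBody": base64.b64encode(bytes(quote)).decode()})
```

Leaving mr_signer, mr_enclave or nonce unset skips that comparison, which matches the "optional" options above: a report can pass while identifying an enclave the caller never pinned.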