gramine-sgx-ias-request – Submit Intel Attestation Service request¶
Synopsis¶
gramine-sgx-ias-request COMMAND [OPTION]…
Description¶
gramine-sgx-ias-request submits requests to Intel Attestation Service (IAS). Possible commands are retrieving EPID signature revocation list and verifying attestation evidence for an SGX enclave quote.
Command line arguments¶
General options¶
-
-h
,
--help
¶
Display usage.
-
-v
,
--verbose
¶
Print more information.
-
-m
,
--msb
¶
Print/parse hex strings in big-endian order.
-
-k
,
--api-key
¶
IAS API key.
Commands¶
-
sigrl
¶
Retrieve signature revocation list for a given EPID group.
Possible
sigrl
options:-
-g
,
--gid
¶
EPID group id (hex string).
-
-i
,
--sigrl-path
¶
Path to save retrieved SigRL to.
-
-S
,
--sigrl-url
¶
URL for the IAS SigRL endpoint (optional).
-
-
report
¶
Verify attestation evidence (quote).
Possible
report
options:-
-q
,
--quote-path
¶
Path to quote to submit.
-
-r
,
--report-path
¶
Path to save IAS report to.
-
-s
,
--sig-path
¶
Path to save IAS report’s signature to.
-
-n
,
--nonce
¶
Nonce to use (optional).
-
-c
,
--cert-path
¶
Path to save IAS certificate to (optional).
-
-R
,
--report-url
¶
URL for the IAS attestation report endpoint (optional).
-
Examples¶
SigRL retrieval:
$ gramine-sgx-ias-request sigrl -k $IAS_API_KEY -g ef0a0000 -i sigrl
No SigRL for given EPID group ID ef0a0000
Quote verification:
$ gramine-sgx-ias-request report -k $IAS_API_KEY -q gr.quote -r ias.report -s ias.sig -c ias.cert -v
Verbose output enabled
IAS request:
{"isvEnclaveQuote":"AgABAO8..."}
[...snip curl output...]
IAS response: 200
IAS report saved to: ias.report
IAS report signature saved to: ias.sig
IAS certificate saved to: ias.cert
IAS submission successful
$ cat ias.report
{"id":"205146415611480061439763344693868541328","timestamp":"2020-03-20T10:48:32.353294","version":3,"epidPseudonym":"Itmg0 [...]","isvEnclaveQuoteStatus":"GROUP_OUT_OF_DATE" [...]}