gramine-sgx-ias-request – Submit Intel Attestation Service request

Synopsis

gramine-sgx-ias-request COMMAND [OPTION]…

Description

gramine-sgx-ias-request submits requests to Intel Attestation Service (IAS). Possible commands are retrieving EPID signature revocation list and verifying attestation evidence for an SGX enclave quote.

Command line arguments

General options

-h, --help

Display usage.

-v, --verbose

Print more information.

-m, --msb

Print/parse hex strings in big-endian order.

-k, --api-key

IAS API key.

Commands

sigrl

Retrieve signature revocation list for a given EPID group.

Possible sigrl options:

-g, --gid

EPID group id (hex string).

-i, --sigrl-path

Path to save retrieved SigRL to.

-S, --sigrl-url

URL for the IAS SigRL endpoint (optional).

report

Verify attestation evidence (quote).

Possible report options:

-q, --quote-path

Path to quote to submit.

-r, --report-path

Path to save IAS report to.

-s, --sig-path

Path to save IAS report’s signature to.

-n, --nonce

Nonce to use (optional).

-c, --cert-path

Path to save IAS certificate to (optional).

-R, --report-url

URL for the IAS attestation report endpoint (optional).

Examples

SigRL retrieval:

$ gramine-sgx-ias-request sigrl -k $IAS_API_KEY -g ef0a0000 -i sigrl
No SigRL for given EPID group ID ef0a0000

Quote verification:

$ gramine-sgx-ias-request report -k $IAS_API_KEY -q gr.quote -r ias.report -s ias.sig -c ias.cert -v
Verbose output enabled
IAS request:
{"isvEnclaveQuote":"AgABAO8..."}
[...snip curl output...]
IAS response: 200
IAS report saved to: ias.report
IAS report signature saved to: ias.sig
IAS certificate saved to: ias.cert
IAS submission successful

$ cat ias.report
{"id":"205146415611480061439763344693868541328","timestamp":"2020-03-20T10:48:32.353294","version":3,"epidPseudonym":"Itmg0 [...]","isvEnclaveQuoteStatus":"GROUP_OUT_OF_DATE" [...]}