by do_not_redeem 309 days ago
> Build the code we published, get the fingerprint it produces, ask a VP.NET server for the fingerprint it reports, and compare the two. If they match, the server is running the exact code you inspected. No trust required.

Okay, maybe I'm being thick, but... when I get a response from your server, how do I know it's actually running inside the enclave, and not an ordinary process sending a hardcoded expected fingerprint?

2 comments

Intel SGX comes with an attestation process aiming at exactly that. The attestation contains a number of details, such as the hardware configuration (CPU microcode version, BIOS, etc.) and the hash of the enclave code. At system startup the CPU gets a certificate from Intel confirming the configuration is known safe, which is used by the CPU to in turn certify that the enclave is indeed running code with a given fingerprint.

When the connection is established we verify the whole certificate chain up to Intel, and we verify the TLS connection itself is part of the attestation (public key is attested).
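As an added illustration of the check described in this comment (not VP.NET's code, and not Intel's actual quote format), the Go program below models the chain in miniature: a root key stands in for Intel, a root-certified attestation key stands in for the platform's quoting key, and the quote carries the enclave measurement plus report data that is the hash of the server's TLS public key. The client verifies the chain, the quote signature, the expected measurement, and the binding to the TLS key it actually saw in the handshake. It then shows why an ordinary process that merely hardcodes the expected fingerprint fails (it holds no root-certified key) and why a genuine quote replayed behind a different TLS key also fails. All keys and the "enclave binary" are constructed for the example; Ed25519 is used as a stand-in for Intel's signature scheme.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Quote is a simplified stand-in for an SGX quote: the enclave measurement
// (MRENCLAVE) plus 32 bytes of report data the enclave chose, signed by a
// platform attestation key that a root (Intel in the real design) has certified.
type Quote struct {
	MREnclave  [32]byte          // hash of the enclave code
	ReportData [32]byte          // sha256 of the TLS public key the enclave serves with
	AttestPub  ed25519.PublicKey // platform attestation key
	AttestCert []byte            // root's signature over AttestPub (one-link "certificate chain")
	Sig        []byte            // attestation key's signature over MREnclave||ReportData
}

func quoteBody(q *Quote) []byte {
	return append(append([]byte{}, q.MREnclave[:]...), q.ReportData[:]...)
}

// Platform holds a root-certified attestation key. In real SGX that key is
// only usable by the CPU, which is what an ordinary process lacks.
type Platform struct {
	attestPriv ed25519.PrivateKey
	attestPub  ed25519.PublicKey
	attestCert []byte
}

func NewPlatform(rootPriv ed25519.PrivateKey) *Platform {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Platform{attestPriv: priv, attestPub: pub, attestCert: ed25519.Sign(rootPriv, pub)}
}

// Attest produces a quote for an enclave with measurement mr whose report data
// binds the TLS public key ("public key is attested").
func (p *Platform) Attest(mr [32]byte, tlsPub []byte) *Quote {
	q := &Quote{MREnclave: mr, ReportData: sha256.Sum256(tlsPub), AttestPub: p.attestPub, AttestCert: p.attestCert}
	q.Sig = ed25519.Sign(p.attestPriv, quoteBody(q))
	return q
}

// VerifyQuote is the client-side check: chain to the root, quote signature,
// expected measurement, and that the TLS key seen in the handshake is the attested one.
func VerifyQuote(rootPub ed25519.PublicKey, expectedMR [32]byte, handshakeTLSPub []byte, q *Quote) error {
	if !ed25519.Verify(rootPub, q.AttestPub, q.AttestCert) {
		return errors.New("attestation key is not certified by the root")
	}
	if !ed25519.Verify(q.AttestPub, quoteBody(q), q.Sig) {
		return errors.New("quote signature does not verify")
	}
	if q.MREnclave != expectedMR {
		return errors.New("enclave measurement does not match the code you built")
	}
	if sha256.Sum256(handshakeTLSPub) != q.ReportData {
		return errors.New("TLS key in handshake is not the attested key")
	}
	return nil
}

// Scenario returns the verification result for three cases: an honest enclave,
// an ordinary process that hardcodes the expected fingerprint but has no
// root-certified attestation key, and a genuine quote replayed over a TLS key
// the attacker controls.
func Scenario() (honest, hardcoded, replayed error) {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader) // constructed stand-in for Intel
	expectedMR := sha256.Sum256([]byte("enclave binary the client built (constructed)"))
	platform := NewPlatform(rootPriv)

	tlsPub, _, _ := ed25519.GenerateKey(rand.Reader) // enclave's TLS key (constructed)
	q := platform.Attest(expectedMR, tlsPub)
	honest = VerifyQuote(rootPub, expectedMR, tlsPub, q)

	// Ordinary process: knows the expected fingerprint, can only sign with its own key.
	fakePub, fakePriv, _ := ed25519.GenerateKey(rand.Reader)
	fakeTLS, _, _ := ed25519.GenerateKey(rand.Reader)
	fq := &Quote{MREnclave: expectedMR, ReportData: sha256.Sum256(fakeTLS), AttestPub: fakePub, AttestCert: ed25519.Sign(fakePriv, fakePub)}
	fq.Sig = ed25519.Sign(fakePriv, quoteBody(fq))
	hardcoded = VerifyQuote(rootPub, expectedMR, fakeTLS, fq)

	// Replay: a genuine quote copied from the real server, but the connection ends at a different TLS key.
	replayed = VerifyQuote(rootPub, expectedMR, fakeTLS, q)
	return
}

func main() {
	h, f, r := Scenario()
	fmt.Println("honest enclave:", h)
	fmt.Println("hardcoded fingerprint:", f)
	fmt.Println("replayed quote:", r)
}
```

Note that every check in VerifyQuote bottoms out in rootPub: the client is trusting whoever holds the corresponding private key to certify only genuine platforms, which is the point the later replies in this thread make.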

> how do I know it's actually running inside the enclave, and not an ordinary process sending a hardcoded expected fingerprint?

It's signed by Intel and thus guaranteed to come from the enclave!

An Intel signature does not guarantee that it came from the enclave. It guarantees that it came from something blessed by Intel. To conclude that it must have come from an unmodified enclave requires trust in Intel and the integrity of their signing process. This is inconsistent with "no trust required".

What if, for example, a three-letter agency seized keys from Intel, served them with a gag order to prohibit disclosure of the seizure, put themselves in the middle of the network path between you and the user, and modified the server software to send falsified signatures derived from those seized keys?