Morphisms: Confidential Serverless Containers

Key Derivation

A secure offline facility at Intel randomly generates the Root Provisioning Key (RPK) in a dedicated Hardware Security Module and burns it into the processor's fuses. Intel stores all RPKs in secure databases. Keys derived from this secret are included in certificate signing requests, allowing Intel to verify that the requestor is indeed an Intel CPU by deriving the same key from the stored secret. This ensures that valid certificates are issued only to SGX-capable Intel CPUs, because only such a CPU can derive the required secrets. A second key, the Root Sealing Key (RSK), is generated during production inside the CPU itself, and most key derivations are made from it. The RSK is not known to Intel.

For key derivation, a special instruction called EGETKEY is introduced. The table below lists the inputs to its key derivation function (KDF).

| Input | Description |
| --- | --- |
| KEYNAME | Key type (Report Key, Seal Key, ...) |
| IDENTITY | MRENCLAVE or MRSIGNER |
| ISVSVN | The enclave's SVN |
| ATTRIBUTES | Selected attributes of the enclave (DEBUG and INIT are always included for security reasons) |
| KEYID | 256 random bits |
| OWNEREPOCH | 128 randomly generated bits specifying the current CPU owner |

Everything that is trusted in SGX is part of its Trusted Computing Base (TCB), including hardware, software and firmware. Each component is assigned a security version number (SVN) that identifies its current version and is incremented with security updates.

In a key request, KEYNAME identifies the key's use; IDENTITY selects whether MRENCLAVE or MRSIGNER (retrieved from the SECS) is bound into the key; ISVSVN and CPUSVN bind the key to the SVNs; ATTRIBUTES selects which enclave attributes are included, with DEBUG always included because debug enclaves can leak secrets; KEYID is a 256-bit random byte string so that a collection of distinct keys can be derived from otherwise identical inputs; and OWNEREPOCH is a 128-bit string identifying the current CPU owner. A key request is denied if the specified SVNs are higher than the actual SVNs. The OWNEREPOCH is randomly generated and resides in an SGX configuration register; if the CPU changes owner, it can be cleared beforehand so that the new owner cannot derive the same keys. The KDF is deterministic: the same input always yields the same output, so a derived key survives CPU power cycles.
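To make these rules concrete, here is an added Python model of the EGETKEY decision logic (example code written for this page, not Intel's algorithm and not part of Morphisms). It assumes HMAC-SHA256 as a stand-in for the CPU's undisclosed derivation function, and every key, measurement and epoch value is constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-in for the Root Sealing Key; the real RSK is fused into
# the die and never leaves the processor.
RSK = hashlib.sha256(b"constructed-root-sealing-key").digest()

INIT, DEBUG = 1 << 0, 1 << 1  # attribute bits EGETKEY always binds into the key

@dataclass(frozen=True)
class CpuState:
    """Inputs the CPU supplies itself (current SVNs, SECS identity, OWNEREPOCH)."""
    cpusvn: int
    isvsvn: int
    mrenclave: bytes
    mrsigner: bytes
    attributes: int
    ownerepoch: bytes  # 128 bits held in an SGX configuration register

@dataclass(frozen=True)
class KeyRequest:
    """Caller-controlled inputs, matching the table above."""
    keyname: str        # "SEAL_KEY", "REPORT_KEY", ...
    identity: str       # "MRENCLAVE" or "MRSIGNER"
    isvsvn: int
    cpusvn: int
    attribute_mask: int
    keyid: bytes        # 256 random bits chosen by the enclave

def egetkey(req: KeyRequest, cpu: CpuState, rsk: bytes = RSK) -> bytes:
    """Model of the EGETKEY policy: SVN check, identity selection, then KDF."""
    # Keys may be derived for the current or an older TCB, never a newer one.
    # (Real CPUSVN is a 16-byte vector compared per component; ints suffice here.)
    if req.isvsvn > cpu.isvsvn or req.cpusvn > cpu.cpusvn:
        raise PermissionError("requested SVN exceeds current SVN; request denied")
    ident = cpu.mrenclave if req.identity == "MRENCLAVE" else cpu.mrsigner
    # DEBUG and INIT are forced into the mask, so a debug enclave never derives
    # the same key as the production build of the same code.
    attrs = cpu.attributes & (req.attribute_mask | DEBUG | INIT)
    material = b"".join([
        req.keyname.encode().ljust(16, b"\0"), ident,
        req.isvsvn.to_bytes(2, "little"), req.cpusvn.to_bytes(16, "little"),
        attrs.to_bytes(8, "little"), req.keyid, cpu.ownerepoch,
    ])
    # HMAC-SHA256 stands in for Intel's undisclosed derivation function.
    return hmac.new(rsk, material, hashlib.sha256).digest()[:16]
```

With an MRSIGNER policy the same seal key comes back for a re-built enclave from the same signer, while an MRENCLAVE policy, a changed OWNEREPOCH, or the DEBUG attribute each yield a different key, and a request for a newer SVN than the CPU is running is refused.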


Last updated 1 year ago