Interfaces between SGX SDKs and the Azure Attestation SGX Certification Cache.
Перейти к файлу
FranciscoJavierOrtegaPalacios a9af7b4656
Update build pipeline to auth with OpenId and use actions with Node.js 20 (#198)
Updated build pipeline to auth with azure using OpenID.
Updated github actions in the build pipeline to use Node.js 20.
2024-06-11 13:48:08 +01:00
.config remove nuget install 2020-08-05 14:44:43 -07:00
.github Update build pipeline to auth with OpenId and use actions with Node.js 20 (#198) 2024-06-11 13:48:08 +01:00
.jenkins Updating the return code for windows in case curl errors out and adding test cases for the same. (#159) 2022-07-07 09:42:36 -07:00
.pipelines fixed cdpx official build error 2020-09-14 16:44:48 -07:00
build Create codeql.yml (#188) 2023-08-01 10:57:23 -07:00
src Enable tls13 (#195) 2024-01-03 15:16:22 +05:30
.gitignore Added V2 Support (#89) 2020-02-24 20:01:29 -08:00
LICENSE Initial commit 2018-09-11 15:45:38 -07:00
README.md Getting certificate from host agent. (#155) 2022-01-21 10:20:29 -08:00
SECURITY.md Microsoft mandatory file 2023-06-02 18:32:01 +00:00

README.md

Azure Data Center Attestation Primitives (DCAP) Client

This library serves as a quoting data provider plugin for the Intel SGX Data Center Attestation Primitives (DCAP). Specifically, the Intel DCAP library will search out and load provider plugins, such as the Azure DCAP Client. This provider plugin is then used to fetch certain data files, such as platform certificates, TCB structures, and revocation lists.

The Azure DCAP Client fetches artifacts from an Azure-internal caching service. The purpose of this cache is to ensure that all Azure hosts always have the correct data available and local within the Azure cloud.

The data serviced by the Azure cache are all Intel-originating, and are rooted to Intel CAs. The cache serves simply to ensure that there are no external dependencies on Intel for workloads running on Azure infrastructure.

Building

Linux

See src/Linux/README.MD.

Windows

See src/Windows/README.MD.

Implementation

The library builds the full URL of the artifacts served by the Azure-internal caching service from the parameters passed to the sgx_ql_get_revocation_info_t and sgx_get_qe_identity_info_t API calls.

For the certificate chain associated with an Intel SGX quote, each CRL Distribution Point is wrapped into an Azure-specific URL before being fetched by the Azure-DCAP-Client library. For example, the well-known Intel SGX Root CA CRL endpoint (https://certificates.trustedservices.intel.com/IntelSGXRootCA.crl) is served by the Azure-internal caching service at: https://global.acccache.azure.net/sgx/certificates/pckcrl?uri=https://certificates.trustedservices.intel.com/IntelSGXRootCA.crl&api-version=API_VERSION (where API_VERSION specifies the current API version).

Configuration

The Azure-DCAP-Client library uses the following environment variables if set:

  • AZDCAP_CACHE - Represents the base directory where the library cache directory .az-dcap-client is created. The default value is $HOME in Linux and LocalLow in Windows.
  • AZDCAP_BASE_CERT_URL and AZDCAP_CLIENT_ID - Used in conjunction to explicitly overwrite the default values for the PCK caching service. These should be used only for development purposes and they must not be used in any production environment.
  • AZDCAP_COLLATERAL_VERSION - Used to specify the collateral version requested from the PCK caching service. Must be either'v1' or 'v2' if specified and defaults to 'v1' if unspecified.
  • AZDCAP_DEBUG_LOG_LEVEL - Used to enable logging to stdout for debug purposes. Supported values are INFO, WARNING, and ERROR; any other values will fail silently. If a logging callback is set by the caller such as open enclave this setting will be ignored as the logging callback will have precedence. Log levels follow standard behavior: INFO logs everything, WARNING logs warnings and errors, and ERROR logs only errors. Default setting has logging off. These capatalized values are represented internally as strings.
  • AZDCAP_PRIMARY_BASE_CERT_URL and AZDCAP_SECONDARY_BASE_CERT_URL - Used in conjunction to explicitly overwrite the default values of endpoints to fetch certificates. These should be used only for development purposes and they must not be used in any production environment.
  • AZDCAP_BYPASS_BASE_URL- Used in conjunction to explicitly fetch certificates from PCK caching service instead of the host agent. This should be used only for development purposes and must not be used in any production environment.

See Also

  1. Open Enclave, a cross-platform library for authoring enclaves.

Contributing

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.microsoft.com.

When you submit a pull request, a CLA-bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.

Formatting

Prior to submitting pull requests, please run clang-format -i on your sources to ensure consistent styling with the rules contained in src/.clang-format.