3

Is it possible to obtaining a licensed developer certificate for signing security-reviewed, community-developed open source SGX software binary in production mode, and publish it on open source repository like apt or rpm?

I just asked Intel SGX team, they said only verified vendors are able to obtain a certificate and run in production mode. It just like Apple’s App Store, no open source code allowed, right?

ruizpauker
  • 384
  • 7
  • 19
Heting Wang
  • 51
  • 4
  • I wouldn't immediately say "it is just like Apple's store"; at least reasons can be numerous and only partially match. It is unclear why you decided that "no open source code allowed" — the source code might be open/free/whatever, it is the binaries that get signed. "Only verified vendors" makes sense for such a sensitive matter as enclaves capable of resisting external attempts of tampering. Instead of taking offense, have you actually tried to show that you are indeed "verified vendor"? – Grigory Rechistov Mar 19 '18 at 20:53

1 Answers1

1

Well, it's possible, but it's a quite complicated task,

You will need to register yourself or your organization as an ISV with Intel, which is not an easy task, i.e. one of the requisites for the Remote Attestation is Mutual TLS, therefore and in order to get it working you need a Certificate which must be publicly available on an URL you control, so trust can be established between Intel and your server.

ruizpauker
  • 384
  • 7
  • 19