Alpine quote generation (dcap) possible?

[nmwael]

Hi I've been looking at the support for alpine, and can't really see if the current state has dcap/ quote generation support..

In our case Gramine will run in a alpine container, with ubuntu on the host providing DCAP through AESM.

the current build does not seem to have enabled DCAP:
https://github.com/gramineproject/gramine/blob/master/packaging/alpine/APKBUILD#L54

But that could just be because it cannot run purely on alpine?

[dimakuv]

Hi I've been looking at the support for alpine, and can't really see if the current state has dcap/ quote generation support..

If you care only about SGX quote generation, then this should work on Gramine + Alpine. That's because generation of SGX quotes uses purely the AESM daemon (on the host), and nothing else.

However, if you also want to perform SGX quote verification, then this won't work on Alpine. This is because verification of SGX quotes is a complex process, and Gramine outsources this process to the Intel SGX DCAP verification library called libsgx_dcap_quoteverify.so. This Intel SGX DCAP verification library is part of the Intel SGX PSW/DCAP packages, and those packages are not currently available for Alpine (see supported distros here: https://github.com/intel/linux-sgx?tab=readme-ov-file#install-the-intelr-sgx-psw-1).

Please also see the related discussion: #1498

[nmwael]

thanks Dmitrii, that should actually be ok. We are doing our own secondary attestation anyhow pulling the quote via /dev/attestation/quote I guess that will still work?

I did test it once setting sgx.remote_attestation=none (https://gramine.readthedocs.io/en/stable/manifest-syntax.html#attestation-and-quotes) which failed since /dev/attestation/quote was not populated..

[dimakuv]

We are doing our own secondary attestation anyhow pulling the quote via /dev/attestation/quote I guess that will still work?

Yes, that should work even under Alpine.

I did test it once setting sgx.remote_attestation=none (https://gramine.readthedocs.io/en/stable/manifest-syntax.html#attestation-and-quotes) which failed since /dev/attestation/quote was not populated..

Yes, you need to have sgx.remote_attestation = "dcap".

[nmwael]

But setting sgx.remote_attestation = "dcap", wont that make Gramine try todo a Quote generation and Quote verification on startup?

[dimakuv]

But setting sgx.remote_attestation = "dcap", wont that make Gramine try todo a Quote generation and Quote verification on startup?

No.

Also, what do you mean by "do Quote verification on startup"? Verification is supposed to be done by a trusted third party (who obtains the quote generated by Gramine via a network typically). If Gramine generates a quote and then verifies this quote itself, there is no security.

[nmwael]

I got things mixed up.. Plus my test were wrong, I tested without any QPL available. Again thanks!