Security
Remote Attestation
Remote attestation enables an enclave to cryptographically prove its identity and integrity to a remote verifier. Key points:
- Enclaves generate a signed quote containing measurements (hashes) of their code and configuration.
- Only quotes signed by a hardware root of trust (e.g., AWS Nitro Security Module) are considered valid.
- The verifier checks the quote against expected measurements to ensure no unauthorized modifications.
- Attestation workflows typically follow:
- Host application sends an attestation request to the enclave.
- Enclave performs measurement, signs the quote, and returns it.
- Host or external verifier validates the signature and measurements.
This process establishes trust before any sensitive data or operations are performed within the enclave.