Getting Intel Attestation Service Credentials

The Intel Attestation Service (IAS) credentials allow node operators to register with Intel as Licensed Enclave operators. This credential links the operator identity with the node’s attestation evidence provided to other nodes.

Step 1: Apply for and obtain an Intel License Agreement to run MobileCoin. Please see: Partner Intel License Agreement.

Approval can take up to two weeks.

Step 2: Once your request is approved and the license issued (confirmed via email), you can create your account at the Intel Trusted Portal using the email associated with your Partner Intel License Agreement.

Step 3: Once you log in at the Trusted Portal, the landing page is displayed. Click on the Intel SGX Attestation Service link to create an EPID subscription.

Step 4: After you select the Intel Attestation Service, click on the blue Subscribe Linkable button (under the Production Access section).

Step 5: Manage your Subscriptions: Click on your username and select Manage Subscriptions to see existing subscriptions. This section shows the values of the environment variables mentioned in Step 6, which the consensus service requires on start-up.

On this page, you can also navigate to the Analytics Reports of your attestation requests by clicking on the Analytics reports button.

Step 6: Running the Consensus Server with attestation credentials: Provide the following environment variables when running the consensus service:



Both of these values can be found on the Manage Subscriptions page, under your PROD subscription. You can use either the primary or secondary IAS_API_KEY interchangeably.

You will also need to provide the following environment variables in order to get a successful attestation result:



Step 7: Verifying attestation results: On start-up, your consensus validator node will attest to the Intel Attestation Service (IAS).

The following example log output contains measurement values:

2020-09-23 14:08:31.155881673 UTC INFO Measurements: MrEnclave: 
49f3e9e5fbb268ea00c78557fb1bd4efa133555a45de2ea30d3fee04443c79af MrSigner:
bf7fa957a6a94acb588851bc8767e0ca57706c79f4fc2aa6bcb993012c3c386c, mc.enclave_type:
mc_consensus_enclave::ConsensusServiceSgxEnclave, mc.local_node_id:, consensus-service, mc.local_node_id:, mc.module: mc_sgx_report_cache_untrusted, mc.src:

If your attestation fails, the consensus service will crash.

To see the output of the attestation, set the log level to debug with the environment variable RUST_LOG=debug.

The attestation output looks like the following for a SW_HARDENING_NEEDED response:

2020-09-23 14:08:31.155812272 UTC DEBG Quote verified by remote attestation service
VerificationReport { sig: VerificationSignature([...]), chain: [[...]], http_body:
rISY1aKIMRzJMqixbn\"}" }..., mc.enclave_type: 
mc_consensus_enclave::ConsensusServiceSgxEnclave, mc.local_node_id:, consensus-service, mc.local_node_id:, mc.module: mc_sgx_report_cache_untrusted, mc.src:
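
One way to check the Measurements record from Step 7 against the values you expect, as an added example that is not part of the original page or MobileCoin's own tooling. The function names are hypothetical, the sample log is constructed from the record shown above, and where the expected values come from (the enclave release you intended to deploy) is an assumption.

```python
import re

# Constructed sample: the Measurements record from Step 7, joined onto one line.
SAMPLE_LOG = (
    "2020-09-23 14:08:31.155881673 UTC INFO Measurements: MrEnclave: "
    "49f3e9e5fbb268ea00c78557fb1bd4efa133555a45de2ea30d3fee04443c79af MrSigner: "
    "bf7fa957a6a94acb588851bc8767e0ca57706c79f4fc2aa6bcb993012c3c386c, "
    "mc.enclave_type: mc_consensus_enclave::ConsensusServiceSgxEnclave\n"
)

# \s also matches newlines, so a record wrapped by a terminal or pager still parses.
MEASUREMENTS = re.compile(
    r"Measurements:\s*MrEnclave:\s*([0-9a-fA-F]{64})\s+MrSigner:\s*([0-9a-fA-F]{64})\b"
)


def extract_measurements(log_text):
    """Return (mrenclave, mrsigner) from the last Measurements record, or None."""
    matches = MEASUREMENTS.findall(log_text)
    if not matches:
        return None
    mrenclave, mrsigner = matches[-1]
    return mrenclave.lower(), mrsigner.lower()


def check_measurements(log_text, expected_mrenclave, expected_mrsigner):
    """Return a list of problems; an empty list means both values match."""
    found = extract_measurements(log_text)
    if found is None:
        return ["no Measurements record found in log"]
    problems = []
    expected = (("MrEnclave", expected_mrenclave), ("MrSigner", expected_mrsigner))
    for (name, want), got in zip(expected, found):
        if got != want.strip().lower():
            problems.append(f"{name} mismatch: log has {got}, expected {want}")
    return problems


if __name__ == "__main__":
    # Assumption: the expected values come from the enclave release you meant
    # to deploy; here they are simply the ones in the constructed sample.
    want_enclave = "49f3e9e5fbb268ea00c78557fb1bd4efa133555a45de2ea30d3fee04443c79af"
    want_signer = "bf7fa957a6a94acb588851bc8767e0ca57706c79f4fc2aa6bcb993012c3c386c"
    issues = check_measurements(SAMPLE_LOG, want_enclave, want_signer)
    print("measurements match" if not issues else "\n".join(issues))
```

A mismatch or a missing record is worth treating as a deployment error to investigate before the node is put into service.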
