What is Application Whitelisting in Fortanix Confidential Computing Manager?

Fortanix Confidential Computing Manager (CCM) can whitelist EnclaveOS and ACI applications.

  1. For enclave related properties of the application are included for the application while whitelisting:
    1. For SGX application: This includes the identity or hash of the enclave (MRENCLAVE), the identity of the signer of the enclave (MRSIGNER), product identifier (ISVPRODID), security version number (ISVSVN).
    2. For Nitro application: This includes an uninterrupted assessment of the contents within the image file, excluding the section data represented as a hexadecimal string (platform configuration registers - PCR0), a seamless evaluation of the kernel and boot root filesystem (PCR1) and a sequential, in-order evaluation of the user applications, excluding the boot root filesystem (PCR2).
  2. For ACI applications, during the whitelisting process, it is the base64-encoded output from the Azure Confidential Computing ACI Policy Generation tool.

When the enclave runs and presents its attestation to the Fortanix CCM, all of these values are included in the attestation report, which can be used by the Fortanix CCM to determine whether to accept the attestation.

For more details on how to whitelist an application using Fortanix CCM, refer to the article: User's Guide: Tasks

Comments

Please sign in to leave a comment.

Was this article helpful?
0 out of 0 found this helpful