This sample shows how to do remote attestation of a EGo enclave. It consists of a server running in the enclave and a client that attests the server before sending a secret.
Note: This sample only works on SGX-FLC systems with a quote provider installed.
The server generates a self-signed certificate and a report for remote attestation using GetRemoteReport() that includes the certificate's hash. It thereby binds the certificate to the enclave's identity.
The server runs HTTPS and serves the following:
/certmakes the TLS certificate explicitly available on the HTTP layer (for simplicity for this sample)./reportreturns the remote report./secretreceives the secret via a query parameter nameds.
The client first gets the certificate and the report, skipping TLS certificate verification. Then it verifies the certificate using the report via VerifyRemoteReport(). From there on it can establish a secure connection to the enclave server and send its secret.
Some error handling in this sample is omitted for brevity.
The server can be built and run as follows:
ego-go build
ego sign server
ego run serverThe client can be built either using ego-go or a recent Go compiler:
CGO_CFLAGS=-I/opt/ego/include CGO_LDFLAGS=-L/opt/ego/lib go build ra_client/client.goOr if using the EGo snap:
EGOPATH=/snap/ego-dev/current/opt/ego CGO_CFLAGS=-I$EGOPATH/include CGO_LDFLAGS=-L$EGOPATH/lib go build ra_client/client.goThe client expects the signer ID (MRSIGNER) as an argument. The signer ID can be derived from the signer's public key using ego signerid:
./client -s `ego signerid public.pem`