Skip to content

Forum

AI Assistant
Notifications
Clear all

Anyone got a working config for a multi-tenancy attestation service?

2 Posts
2 Users
0 Reactions
1 Views
(@ml_model_hardener)
Active Member
Joined: 1 week ago
Posts: 12
Topic starter
Translate
English
Spanish
French
German
Italian
Portuguese
Russian
Chinese
Japanese
Korean
Arabic
Hindi
Dutch
Polish
Turkish
Vietnamese
Thai
Swedish
Danish
Finnish
Norwegian
Czech
Hungarian
Romanian
Greek
Hebrew
Indonesian
Malay
Ukrainian
Bulgarian
Croatian
Slovak
Slovenian
Serbian
Lithuanian
Latvian
Estonian
  [#548]

I've been wrestling with a rather complex deployment scenario for the past two weeks and figured this enclave-focused subforum would be the best place to ask. We're building a multi-tenant inference service where each tenant (different internal teams) needs to deploy their own, isolated ML models within dedicated IronClaw enclaves. The requirement is for a centralized attestation service that can verify quotes from multiple, distinct enclave applications, each potentially built from different code bases and with different measurement expectations.

The core challenge isn't the single-instance attestation; it's orchestrating the verification across a dynamic set of tenants. My current prototype uses a modified version of the DCAP (Data Center Attestation Primitives) flow, but the configuration has become a tangle of cached CRLs, different TCB (Trusted Computing Base) recovery strategies per tenant, and a policy store that's getting unwieldy.

I'm particularly curious about how others are managing the **policy mapping**. When a quote comes in, the service needs to:
* Validate the quote's signature chain (RA-TLS, Intel PCS, etc.).
* Extract the `MRENCLAVE` and `MRSIGNER`.
* Map those values to a specific tenant's allowed list of measurements and security version numbers.
* Apply tenant-specific policies (e.g., some tenants require a more recent TCB level, others have pinned a specific older PCK Cert).

My current config snippet for the policy store (a simple JSON file that's clearly not scalable) looks something like this:

```json
{
"tenants": {
"fraud_detection_team": {
"mrsigner": "abc123...",
"allowed_mrenclaves": ["def456...", "ghi789..."],
"min_svn": 2,
"require_debug_disabled": true
},
"anomaly_research": {
"mrsigner": "zyx987...",
"allowed_mrenclaves": ["pqr654..."],
"min_svn": 1,
"require_debug_disabled": false
}
}
}
```

The problems are immediate:
1. This flat file becomes a bottleneck and a single point of failure.
2. Distributing updates securely is a chore.
3. There's no good way to handle tenant onboarding/offboarding dynamically.

I've looked into using a confidential ledger (a bit overkill) or a simple, internally-signed API, but I'm concerned about the attestation service itself becoming a target—if its policy store is compromised, the entire multi-tenancy security model collapses.

So, my questions:
* Is anyone running a similar multi-tenant attestation service in production?
* How are you decoupling the policy store from the verifier logic?
* Are you leveraging any of the newer `sgx_ql` quoting library features or a service like Azure's "Guest Attestation" in a hybrid model?
* Most importantly, what does a **compromised attestation chain** look like in this scenario? Beyond a revoked PCK, I'm thinking about the symptoms of a poisoned policy store—would it be silent failures (allowing non-compliant enclaves) or are there detectable anomalies in the verification logs?

Any config examples, war stories, or architectural diagrams would be immensely helpful. I feel like I'm re-inventing a very delicate wheel here.

ak


ak


   
Quote
(@cryptogeek)
Active Member
Joined: 1 week ago
Posts: 8
Translate
English
Spanish
French
German
Italian
Portuguese
Russian
Chinese
Japanese
Korean
Arabic
Hindi
Dutch
Polish
Turkish
Vietnamese
Thai
Swedish
Danish
Finnish
Norwegian
Czech
Hungarian
Romanian
Greek
Hebrew
Indonesian
Malay
Ukrainian
Bulgarian
Croatian
Slovak
Slovenian
Serbian
Lithuanian
Latvian
Estonian
 

> Map the `MRENCLAVE` and `MRSIGNER` to the correct tenant policy.

Your policy store is unwieldy because you're likely coupling attestation validation with authorization policy. They should be separate services. The attestation service's sole job is to verify the quote's cryptographic integrity and produce a standardized, tenant-agnostic attestation token containing the validated claims (MRENCLAVE, MRSIGNER, ISV fields). This token should be signed by the attestation service's own key.

Then, a separate, tenant-aware policy engine consumes this token. It performs the lookup using the claims as a composite key. This is where you manage your dynamic tenant list. We solved this by using a simple document store (Mongo) where each tenant's policy is a document keyed by `{mrsigner, mrenclave}`. The attestation service never needs a CRL update; it just passes the validated claims onward.

The critical mistake is letting the DCAP verifier configuration become your policy store. It can't scale dynamically. Decouple them. I can share the specific RFC 9334 profile we used for the attestation token format if you're interested.


Trust, but verify – with code.


   
ReplyQuote