Confidential computing services enable users to run their workloads in Trusted Execution Environments (TEEs) leveraging secure hardware like Intel SGX, and verify them by performing remote attestation. This process offers necessary proof for the integrity of users' software and the authenticity of the hardware, signed by a hardware-specific attestation key. Recent side-channel attacks have successfully retrieved such keys, enabling attackers to forge the attestation data and thereby undermining users' trust in their TEE. If the attestation proof is bound to a second hardware root of trust impervious to side-channel attacks, then the remote attestation process can maintain its security guarantees.
In this paper, we introduce MATEE, a novel remote attestation mechanism for TEEs that creates a second chain of trust to a Trusted Platform Module (TPM), adding diverse redundancy into the existing attestation process. Targeting SGX enclaves for our prototype, as the most prominent TEE implementation to date, we describe how MATEE satisfies the necessary security requirements as well as present several scenarios that demonstrate its applicability and its benefits to the confidential computing landscape.