intel / ehsm

An End-to-End Distributed and Scalable Cloud KMS (Key Management System) built on top of Intel SGX enclave-based HSM (Hardware Security Module), aka eHSM.

Home Page: https://community.intel.com/t5/Blogs/Tech-Innovation/open-intel/An-Intel-SGX-based-Hardware-Security-Module-backed-Key/post/1360130?wapkw=eHSM


[eHSM-KMS] How is the remote attestation realized?

sakakibara-hr opened this issue · comments

Hello,
We are developing a system using eHSM-KMS.
In the process, we are currently having trouble understanding how the remote attestation works.

I have added logs to the eHSM-KMS source code to investigate remote attestation.
From the eHSM-KMS source code, I could only understand that SSL communication is performed between DkeyServer and DkeyCache using OpenSSH.

We also tried starting eHSM-KMS with the PCCS server stopped, but I could only find that an error (SGX_QL_NETWORK_ERROR: 0xe019) occurs in the SGX library function (tee_get_certificate_with_evidence).

What kind of communication is going on between the PCCS server, DkeyServer and DkeyCache?
What I would like to know is as follows:
When does eHSM-KMS communicate with the PCCS server?
What is passed when communicating with the PCCS server, and what is obtained as a result?

Regards,
H_Sakakibara

The communication between dkeyserver and dkeycache is RA-TLS, with reference to https://github.com/intel/linux-sgx/tree/master/sdk/ttls.
The communication to PCCS is TLS. You can refer to: https://github.com/intel/SGXDataCenterAttestationPrimitives/tree/master/QuoteGeneration/pccs
When a verifier gets the quote of the attester, it will connect to PCCS to verify the identity.

The protocols of remote attestation and RA-TLS are introduced by Intel SGX. eHSM just uses them.
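To make the RA-TLS verifier side of the reply concrete, here is an added illustration (not eHSM or ttls code): once the quote's ECDSA signature chain has been validated against collateral fetched from PCCS, the verifier still has to confirm that the quote's REPORT_DATA is bound to the public key in the peer's TLS certificate and that the enclave identity matches policy. Field offsets follow the sgx_quote3_t layout; the quote below is constructed and unsigned, and hashing the DER public key with SHA-256 (zero-padded to 64 bytes) as the binding is an assumption of this example.

```python
import hashlib
import struct

# Offsets into an sgx_quote3_t: a 48-byte header followed by the 384-byte
# sgx_report_body_t of the attesting enclave (sizes from the SGX SDK headers).
HDR = 48
OFF_MRENCLAVE, OFF_MRSIGNER = HDR + 64, HDR + 128      # 32 bytes each
OFF_ISV_PROD_ID, OFF_ISV_SVN = HDR + 256, HDR + 258    # uint16 each
OFF_REPORT_DATA, REPORT_END = HDR + 320, HDR + 384     # 64 bytes

def key_binding(pubkey_der: bytes) -> bytes:
    """REPORT_DATA value this example expects: SHA-256 of the cert's public key."""
    return hashlib.sha256(pubkey_der).digest().ljust(64, b"\x00")

def parse_quote_identity(quote: bytes) -> dict:
    """Extract enclave identity fields and REPORT_DATA from a v3 quote."""
    if len(quote) < REPORT_END:
        raise ValueError("quote shorter than header + report body")
    prod_id, svn = struct.unpack_from("<HH", quote, OFF_ISV_PROD_ID)
    return {
        "mrenclave": quote[OFF_MRENCLAVE:OFF_MRENCLAVE + 32],
        "mrsigner": quote[OFF_MRSIGNER:OFF_MRSIGNER + 32],
        "isv_prod_id": prod_id,
        "isv_svn": svn,
        "report_data": quote[OFF_REPORT_DATA:OFF_REPORT_DATA + 64],
    }

def verify_ra_tls_peer(cert_pubkey_der: bytes, quote: bytes, policy: dict) -> bool:
    """Checks a verifier applies after the quote's signature chain has been
    validated with collateral fetched from PCCS (that step is not modelled)."""
    ident = parse_quote_identity(quote)
    # Binding: the quote must have been generated for this TLS key; otherwise a
    # genuine quote could be presented in front of a different key.
    if ident["report_data"] != key_binding(cert_pubkey_der):
        return False
    # Identity: the peer must be the enclave the verifier's policy allows.
    return (ident["mrsigner"] == policy["mrsigner"]
            and ident["isv_prod_id"] == policy["isv_prod_id"]
            and ident["isv_svn"] >= policy["min_isv_svn"])

def make_test_quote(pubkey_der: bytes, mrsigner: bytes, prod_id: int, svn: int) -> bytes:
    """Constructed, unsigned quote body for offline testing (no real enclave)."""
    body = bytearray(REPORT_END)
    struct.pack_into("<H", body, 0, 3)                       # quote version 3
    body[OFF_MRENCLAVE:OFF_MRENCLAVE + 32] = b"\x11" * 32    # placeholder MRENCLAVE
    body[OFF_MRSIGNER:OFF_MRSIGNER + 32] = mrsigner
    struct.pack_into("<HH", body, OFF_ISV_PROD_ID, prod_id, svn)
    body[OFF_REPORT_DATA:OFF_REPORT_DATA + 64] = key_binding(pubkey_der)
    return bytes(body)
```

A real verifier also pins or allow-lists MRENCLAVE where the policy calls for it; the function above keys the decision on MRSIGNER, product ID and a minimum ISV SVN so that a patched enclave from the same signer still passes.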

Hello,
Thank you for your response.
We will proceed with our investigation based on the tips you have given us.

At this time, we are still investigating, so we would like to close this Issue for now.
If we have any further questions, we would like to inquire again.
Regards,
H_Sakakibara