https://community.intel.com/t5/Intel-Software-Guard-Extensions/Reproduce-enclave-measurement-from-enclave-binary/m-p/1119033#M1493 <P>I have a question about enclave measurement. Judging by the SignTool source code for Linux (and high-level description in the manual), it seems like measurement involves loading the enclave file (ELF or PE). But the result of loading varies on different platforms, right? I wonder if I can reproduce consistent enclave measurement from enclave binary.</P> <P>In particular, I'm considering the following scenarios:&nbsp;<SPAN style="font-size: 1em;">Suppose I want to distribute&nbsp;enclave.signed.so to my users and I only want to serve requests from that particular enclave. I guess I can't simply compare the </SPAN><SPAN style="font-size: 13.008px;">local&nbsp;</SPAN><SPAN style="font-size: 1em;">measurement on my platform with users' (can be included in their attestations). What should I do instead?</SPAN></P> <P><SPAN style="font-size: 1em;">Essentially the question boils down to how to link the binary and the measurement cryptographically? There seems to be a paradox: suppose I have the enclave binary, the only way I can get its measurement is to load it. </SPAN><SPAN style="font-size: 1em;">However,</SPAN><SPAN style="font-size: 1em;"> the loading process is not trusted (done by OS)! How can I ensure the measurement I get is indeed for that particular binary? I must have misunderstood something because this seems critical to the entire validity of SGX. Please correct me.</SPAN></P> <P>Thanks!</P> <P>&nbsp;</P> Wed, 19 Oct 2016 04:00:40 GMT Fan 2016-10-19T04:00:40Z https://community.intel.com/t5/Intel-Software-Guard-Extensions/Reproduce-enclave-measurement-from-enclave-binary/m-p/1119033#M1493 <P>I have a question about enclave measurement. Judging by the SignTool source code for Linux (and high-level description in the manual), it seems like measurement involves loading the enclave file (ELF or PE). But the result of loading varies on different platforms, right? I wonder if I can reproduce consistent enclave measurement from enclave binary.</P> <P>In particular, I'm considering the following scenarios:&nbsp;<SPAN style="font-size: 1em;">Suppose I want to distribute&nbsp;enclave.signed.so to my users and I only want to serve requests from that particular enclave. I guess I can't simply compare the </SPAN><SPAN style="font-size: 13.008px;">local&nbsp;</SPAN><SPAN style="font-size: 1em;">measurement on my platform with users' (can be included in their attestations). What should I do instead?</SPAN></P> <P><SPAN style="font-size: 1em;">Essentially the question boils down to how to link the binary and the measurement cryptographically? There seems to be a paradox: suppose I have the enclave binary, the only way I can get its measurement is to load it. </SPAN><SPAN style="font-size: 1em;">However,</SPAN><SPAN style="font-size: 1em;"> the loading process is not trusted (done by OS)! How can I ensure the measurement I get is indeed for that particular binary? I must have misunderstood something because this seems critical to the entire validity of SGX. Please correct me.</SPAN></P> <P>Thanks!</P> <P>&nbsp;</P> Wed, 19 Oct 2016 04:00:40 GMT https://community.intel.com/t5/Intel-Software-Guard-Extensions/Reproduce-enclave-measurement-from-enclave-binary/m-p/1119033#M1493 Fan 2016-10-19T04:00:40Z https://community.intel.com/t5/Intel-Software-Guard-Extensions/Reproduce-enclave-measurement-from-enclave-binary/m-p/1119034#M1494 <P>&gt;But the result of loading varies on different platforms, right?</P> <P>No. The sign tool can be run on&nbsp;an older processor that does not support SGX, for example. It will produce the same measurement on various platforms, even if those do support SGX. The measurement procedure is described in <A href="https://community.intel.com/legacyfs/online/drupal_files/managed/48/88/329298-002.pdf">https://software.intel.com/sites/default/files/managed/48/88/329298-002.pdf</A>&nbsp;Sections 1.4 and 3.1.</P> <P>&gt;seems like measurement involves loading the enclave file (ELF or PE).</P> <P>Yes. But you can simulate what the memory looks like after it has been loaded. This is what the signing tool does. The signing tool does need to match what the runtime does when it loads the enclave, otherwise the measurement would not match.</P> <P>Once&nbsp;you have a measurement for the enclave, you can make that measurement part of the enclave. To avoid circular references it is stored it in a non-measured section of the enclave.</P> <P>From the hardware's perspective, it will compare the measurement stored in the enclave to the one it computes itself as part of the enclave creation and initialization process.</P> Wed, 19 Oct 2016 18:46:39 GMT https://community.intel.com/t5/Intel-Software-Guard-Extensions/Reproduce-enclave-measurement-from-enclave-binary/m-p/1119034#M1494 Francisco_C_Intel 2016-10-19T18:46:39Z https://community.intel.com/t5/Intel-Software-Guard-Extensions/Reproduce-enclave-measurement-from-enclave-binary/m-p/1119035#M1495 <P><SPAN style="font-size: 1em;">Thanks for the detailed answers. That cleared my confusion.</SPAN></P> <P><SPAN style="font-size: 1em;">For people who run into the same need, here is what I end up doing:&nbsp;</SPAN><SPAN style="font-size: 1em;">If you need a tool to measure a given enclave binary, you can sign it using `sgx_sign` and dump the `.note.sgxmeta` section (for ELF only, I didn't try this on Windows but I guess it would be similar for PE). Measurement is part of that section along with other misc info (notably the signature).</SPAN></P> <P>Fan</P> Thu, 20 Oct 2016 03:08:30 GMT https://community.intel.com/t5/Intel-Software-Guard-Extensions/Reproduce-enclave-measurement-from-enclave-binary/m-p/1119035#M1495 Fan 2016-10-20T03:08:30Z