topic thanks for your answer Scott. in Intel® Software Guard Extensions (Intel® SGX)

local attestation not working

sang__oh — Mon, 28 Jan 2019 12:07:02 GMT

i want make release version my app. the simple test version. (https://software.intel.com/en-us/forums/intel-software-guard-extensions-intel-sgx/topic/802697)

when i print SGX_DEBUG_FLAG on release mode, the value still 1,

so i set sgx_create_enclave(ENCLAVE_FILE, 0, &token, &updated, &eid, NULL);

and Enclave1.config.xml - <DisableDebug>1</DisableDebug> but there is 'SGX_ERROR_SERVICE_INVALID_PRIVILEGE' error.

https://software.intel.com/en-us/sgx-sdk-dev-reference-local-attestation, local attestation does not require whitelist.

1. does simple app(abovelink , topic/802697 ) needs whitelist?

2. if not needs, how can i run app with release mode?

thanks for your helping :)

Hi Oh.

Scott_R_Intel — Mon, 28 Jan 2019 12:13:55 GMT

Hi Oh.

Any enclave, simple or otherwise, needs to be whitelisted to be able to be launched in production/release mode. Without whitelisting, you can only launch in debug or pre-release mode. More info at the link below, if interested:

https://software.intel.com/en-us/blogs/2016/01/07/intel-sgx-debug-production-prelease-whats-the-difference

Regards.

Scott

thanks for your answer Scott.

sang__oh — Tue, 29 Jan 2019 04:12:00 GMT

thanks for your answer Scott.

i request white-list for studying but answer is no :(

anyway when i run app with debug mode, there is no public key file.

when i create file , The public key and enclave's hash value that signed by the private key should be present, but there is no pem file in the debug directory.

only this file on debug folder :

Enclave1.dll Enclave1.exp Enclave1.lib Enclave1.pdb Enclave1.signed.dll Project1.exe Project1.ilk Project1.pdb

1. does debug mode not support making public key and enclave's hash?

2. How can I know from the user's point of view that the program is running on sgx?

thanks :)

Hi Oh.

Scott_R_Intel — Tue, 29 Jan 2019 15:43:47 GMT

Hi Oh.

I don't quite understand what you're asking in question 1, but maybe this will help...

Since you appear to be using Windows, you should use the Visual Studio "Add New Intel(r) SGX Enclave Project" wizard... this automatically generates the private .pem key for you. It will not be located in the output directory, but rather in the same folder with your enclave source and project files. The Wizard also creates build steps to automatically sign the enclave during the compile/build process. It makes things a lot easier.

But, if you prefer to do it manually, you can create your own private key using OpenSSL. It just needs to be a 3072 bit RSA key, public exponent 3. Once you've installed OpenSSL, you can use this command to create it:

     openssl genrsa -out private_key.pem -3 3072

Then, to sign your enclave, you can use this command:

    sgx_sign.exe sign -key "private_key.pem" -enclave "Enclave1.dll" -out "Enclave1.signed.dll" -config "Enclave1.config.xml"

Once you've done that, assuming you built your app in Debug or Prerelease mode, once sgx_create_enclave comes back successful, you're running in SGX mode. If you really wanted to verify/test, you could try to read the enclave physical memory using a utility/driver such as RWEverything (http://rweverything.com/)... this should of course fail to read the memory.

Hope this helps.

Scott

i mean... when ISV release

sang__oh — Tue, 29 Jan 2019 23:52:00 GMT

i mean... when ISV release app, EPC is encrypted with ISV's Private key. so user needs hash and public key to verify it is not modified. but i can't find these things on out folder. what i missed?

thank you for your help sir.

Hi again.

Scott_R_Intel — Wed, 30 Jan 2019 15:31:10 GMT

Hi again.

I'm not sure what you're referring to. The EPC is not encrypted with anything from the user. The SGX Memory Encryption Engine (MEE) that encrypts the EPC uses randomly generated keys that are created at every boot time. There is no way to access these keys. For more info on MEE, see this link: https://software.intel.com/en-us/blogs/2016/02/26/memory-encryption-an-intel-sgx-underpinning-technology

As I already mentioned, you can create the keys and hash using OpenSSL and the sgx_sign tool. Some examples can be found at the links below. But, just to clarify again, for debug/pre-release mode, you only need your private key to sign the enclave. You would only need the public key and hash if you were going to whitelist.

https://software.intel.com/en-us/sgx-sdk-dev-reference-enclave-signing-examples

https://software.intel.com/en-us/sgx-sdk-dev-reference-openssl-examples

Hope this helps.

Scott