topic Signing Enclave with RSA Keys in two step process in Intel® Software Guard Extensions (Intel® SGX)

Signing Enclave with RSA Keys in two step process

bergmann__Tina — Thu, 01 Mar 2018 09:53:17 GMT

Dear All,

I want to break down the build process of the SGX and therefore I am trying to sign the Enclave myself using the two step process. Once the Enclave is compiled as an enclave.so, I perform the following steps manually to get the signed Enclave:

Generating Keypair:
-------------------
openssl genrsa -out my_private_key.pem -3 3072
openssl rsa -in my_private_key.pem -pubout -out my_public_key.pem

Siging the Enclave:
-----------------------------

2-Step Process:
----------------
sgx_sign gendata -enclave enclave.so -config Enclave/Enclave.config.xml -out enclave_hash.hex

openssl dgst -sha256 -out signature.hex -sign my_private_key.pem -keyform PEM enclave_hash.hex

sgx_sign catsig -enclave enclave.so -config Enclave/Enclave.config.xml -out enclave_signed.so -key my_public_key.pem -sig signature.hex -unsigned enclave_hash.hex

All except the last step throws up the following error:

"Error happened while signing the Enclave."

Can someone point out the problem?

Thanks

It looks like that when you

Hoang_N_Intel — Fri, 16 Mar 2018 00:03:52 GMT

It looks like that when you generate the key, you did not specify the encryption algorithm.

It should be $ openssl genrsa -aes128 -out my_private_key.pem -3 3072

instead of just $ openssl genrsa -out my_private_key.pem -3 3072

Is it possible to sign

Yan_M_1 — Mon, 14 May 2018 18:04:45 GMT

Is it possible to sign enclave with and RSA key with an exponent other than 3?

No, please do not use an

Hoang_N_Intel — Thu, 17 May 2018 16:05:18 GMT

No, please do not use an exponent value other than 3. It must be 3 as the SGX AESM uses that value along with the public key to validate and load the Enclave.