https://community.intel.com/t5/Intel-Software-Guard-Extensions/What-does-EINIT-check/m-p/1151701#M2595 <P>Hello.</P><P>If I understand your questions correctly, the sgx_sign tool documentation will answer what is included in a signed enclave's SIGSTRUCT:</P><P><A href="https://software.intel.com/en-us/sgx-sdk-dev-reference-the-enclave-signing-tool">https://software.intel.com/en-us/sgx-sdk-dev-reference-the-enclave-signing-tool</A></P><P>Regards.</P><P>Scott</P> Tue, 12 Feb 2019 13:52:06 GMT Scott_R_Intel 2019-02-12T13:52:06Z https://community.intel.com/t5/Intel-Software-Guard-Extensions/What-does-EINIT-check/m-p/1151700#M2594 <P><A href="https://software.intel.com/sites/default/files/article/413936/hasp-2013-innovative-instructions-and-software-model-for-isolated-execution.pdf" target="_blank">https://software.intel.com/sites/default/files/article/413936/hasp-2013-innovative-instructions-and-software-model-for-isolated-execution.pdf</A></P><P>&nbsp;</P><P>in this paper, page 6, explain EINIT establishes following steps.</P><P>1. Verifies that SIGSTRUCT is signed using the public key enclosed in the SIGSTRUCT<BR />2. Checks that measurement of the enclave matches the measurement of the enclave specified in SIGSTRUCT<BR />3. Checks that the enclave’s attributes are compatible with those specified in SIGSTRUCT<BR />4. Finalizes the measurement of the enclave and records the sealing identity and enclave identity (the sealing authority, product id and security version number) in the SECS</P><P>&nbsp;</P><P>but i can't understand what 'field' is enclose in release app.</P><P>when i debug app, PROJ_NAME.signed.dll file is created, and i understand it is enclave field definition. (because without this file, error8207(200F) failed to create enclave is occurred. )</P><P>&nbsp;</P><P>my question is...&nbsp;</P><P>1. how it possible 'Checks that measurement of the enclave matches the measurement of the enclave specified in SIGSTRUCT' ? does released app include measurement of the enclave?</P><P>2. how many information&nbsp;is included in release app's enclave ?&nbsp;( SIGSTRUCT, enclave contents, RSA Signature... etc)</P> Tue, 12 Feb 2019 11:39:22 GMT https://community.intel.com/t5/Intel-Software-Guard-Extensions/What-does-EINIT-check/m-p/1151700#M2594 sang__oh 2019-02-12T11:39:22Z https://community.intel.com/t5/Intel-Software-Guard-Extensions/What-does-EINIT-check/m-p/1151701#M2595 <P>Hello.</P><P>If I understand your questions correctly, the sgx_sign tool documentation will answer what is included in a signed enclave's SIGSTRUCT:</P><P><A href="https://software.intel.com/en-us/sgx-sdk-dev-reference-the-enclave-signing-tool">https://software.intel.com/en-us/sgx-sdk-dev-reference-the-enclave-signing-tool</A></P><P>Regards.</P><P>Scott</P> Tue, 12 Feb 2019 13:52:06 GMT https://community.intel.com/t5/Intel-Software-Guard-Extensions/What-does-EINIT-check/m-p/1151701#M2595 Scott_R_Intel 2019-02-12T13:52:06Z https://community.intel.com/t5/Intel-Software-Guard-Extensions/What-does-EINIT-check/m-p/1151702#M2596 <P>thanks for your help!</P><P>with your help, now i know why enclave file is signed.dll&nbsp; &nbsp; and is it correct that i understand?</P><P>&nbsp;</P><P>1. when user run sgx app, SIGSTRUCT field will be created by measurment of x.signed.dll file (this file has&nbsp;it's own Enclave Contents.&nbsp;for example, SECS, ATTRIBUTES, BASEADDR, SIZE, SSAFRAMESIZE, other EPC Pages)</P><P>2. after build SIGSTRUCT, Enclave Content(SECS, Other EPC Pages) is created by information of SIGSTRUCT.</P><P>3. MRSIGNER ( 2's Enclave Contents -&gt;&nbsp;SECS -&gt; MRSIGNER) is checked by intel's provisioning service to Enclave's public key ( hash of public key&nbsp;) is whitelisted ( verify intel's MRSIGNER = Enclave's MRSIGNER).</P><P>finally, 1,2,3 is valid, Enclave is start.</P><P>is it correct?</P> Thu, 14 Feb 2019 03:47:00 GMT https://community.intel.com/t5/Intel-Software-Guard-Extensions/What-does-EINIT-check/m-p/1151702#M2596 sang__oh 2019-02-14T03:47:00Z