topic Re:Enclave Signing Key in Intel® Software Guard Extensions (Intel® SGX)

Enclave Signing Key

Toshi_O — Thu, 22 Jun 2023 16:25:57 GMT

According to the developers reference,

https://download.01.org/intel-sgx/sgx-linux/2.19/docs/Intel_SGX_Developer_Reference_Linux_2.19_Open_Source.pdf

P.23

the private key scheme for Enclave signing seems to be RSA 3072bit publicExponent=3. Are these algorithms and parameters specified in the SGX protocol?

For example, is it possible to specify a key algorithm other than RSA, bit, and publicExpornent value?

Re:Enclave Signing Key

Wan_Intel — Tue, 27 Jun 2023 03:36:01 GMT

Hi Toshi_O,

Thanks for reaching out to us.

For your information, the example in Developer Reference Page 23 is based on OpenSSL. Referring to OpenSSL genrsa, the public exponent to use is either 65537 or 3. The default is 65537. We encourage you to try out specific use cases with your public or private exponent available.

On another note, if you would like to use another type of key algorithm, you can try the 265 bit ECC key which is equivalent to a 3072-bit RSA key, however the examples given in the Developer Reference only works in RSA key. Let us know if 265 bit ECC key is working for you

Regards,

Wan

Re: Enclave Signing Key

Toshi_O — Wed, 28 Jun 2023 03:49:12 GMT

Thanks for the reply.

I understand that 65537 can be specified for publicExponent in RSA and that ECC with a key size of 265bit (256bit?) can be used.

What curve parameters (e.g., prime256v1) can be specified for ECC?

We are requesting an IntelSGX production license and are required to submit an MRSIGNER. We are using an HSM to manage the Enclave signing keys that are required for MRSIGNER derivation.Is there a list of key algorithms, key sizes, and parameters that are supported when generating Enclave signing keys? It would be very helpful to have such a list when we are selecting HSM.

thanks

Re:Enclave Signing Key

Wan_Intel — Thu, 29 Jun 2023 09:38:30 GMT

Hi Toshi_O,

Thanks for your information.

Let me check with the relevant team and I'll update here as soon as possible.

Regards,

Wan

Re: Enclave Signing Key

Wan_Intel — Fri, 30 Jun 2023 07:14:15 GMT

Hello Toshi_O,

Thanks for your patience. We've discussed with the development team.

According to the reference as shown below, there is only one allowed enclave signing key format: RSA 3072-bit key with a public exponent of 3.

On another note, regarding the license, we have forwarded your request to the Intel SGX team and they will contact you shortly via email.

Regards,

Wan

Re: Enclave Signing Key

Toshi_O — Mon, 03 Jul 2023 01:39:20 GMT

Thanks.

I understand about the schema of keys available for signatures.

I appreciate your support.

Re:Enclave Signing Key

Wan_Intel — Mon, 03 Jul 2023 22:29:25 GMT

Hello Toshi_O,

Just wanted to follow up to ensure you have been contacted by our SGX team via email.

Regards,

Wan

Re:Enclave Signing Key

Wan_Intel — Thu, 06 Jul 2023 00:31:02 GMT

Hello Toshi_O,

Thanks for your question.

If you need any additional information from Intel, please submit a new question as this thread will no longer be monitored.

Regards,

Wan