Intel® Software Guard Extensions (Intel® SGX)
Use hardware-based isolation and memory encryption to provide more code protection in your solutions.

A question about .sign.so file

dai_c_
Beginner

Hello:

After I use the SGX SDK to generate a .sign.so file, if I know the edl file and the enclave name (that the app wants to use), it seems like I can generate a malicious .sign.so file to replace the old .sign.so file. I tested this with the SampleEnclave example and changed the enclave code to generate the malicious .sign.so file; after replacing it, the output reflected the changed code. So in SGX, how do I bind each app to a specific enclave? Thank you very much!

Scott_R_Intel
Employee

Hello.

To be able to load an enclave in production mode, it has to be on the Intel whitelist.  And to be whitelisted, there is a formal process including signing a Commercial License Agreement.  In your example, I assume you simply replaced one debug mode enclave with another, in which case, the whitelist isn't used.

Please see the "Overview of Signing and Whitelisting Intel SGX Enclaves" document at the link below for more details on this:

https://software.intel.com/en-us/sgx/resource-library

Regards.

Scott

dai_c_
Beginner

Thank you very much!
