Hi guys. I have two questions re benefits of using SGX, in addition to attestation re the authorship of the binary and confidentiality during code execution and transit. My questions are:
1) Is there a formal mechanism of signing data out of the enclave? (e.g. response of an ECALL where relying party can verify the signature of the response against a previously communicated public key). From my readings so far, I've only read about public key usage for remote attestation / verification re enclave integrity and passing-in data to enclave securely for confidentiality. What about for the use case of data non-repudiation + integrity out from enclave? I suppose putting a verification public key in the 64 byte buffer in the argument to the enclave attestation quote/report is one option, where relying party can use this public key to verify data signatures. Is this the best way?
2) Suppose I want relying party to verify not only the authorship of enclave (SIGSTRUCT), but also have guarantees re the code that is run in the enclave. Use case being, the relying party has access to C/C++ open source code from GitHub and wants to know that this is the code that is run inside an SGX instance. Completely understand that the compiled binary (and related hash) depends on compiler flags, CPU version (?) etc. - so my assumption is "no this can't be done". But just wanted to make sure since this would be an awesome property if Intel has a service where source code itself can be submitted given specific compile options, and the hash of the binary that is run in SGX can be ascertained - so that there is assurance re not only the authorship but also the code that is run.
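
The binding described in question 1 (a verification key tied to the 64-byte report data of the attestation report), seen from the relying party's side, as an added example that is not part of the original post and is not Intel SDK code. Assumptions: the quote's own signature has already been verified by the attestation flow, the enclave puts SHA-256 of its public key (zero-padded) in the report data, and all function names and sample values are constructed for illustration.

```python
import hashlib
import hmac

# Field positions inside the 384-byte SGX report body (sgx_report_body_t).
REPORT_BODY_LEN = 384
MRENCLAVE = slice(64, 96)      # measurement of the enclave's initial contents
REPORT_DATA = slice(320, 384)  # 64 bytes chosen by the enclave at report time


def report_data_for_key(public_key: bytes) -> bytes:
    """Enclave side: the 64 bytes to pass as report data.

    Assumed convention: SHA-256 of the encoded key, zero-padded to 64 bytes,
    so keys longer than 64 bytes can be bound as well.
    """
    return hashlib.sha256(public_key).digest().ljust(64, b"\x00")


def key_is_bound(report_body: bytes, public_key: bytes,
                 expected_mrenclave: bytes) -> bool:
    """Relying-party side: accept public_key only if the attested report
    comes from the expected measurement AND commits to this exact key.

    Assumes the signature over report_body was already checked.
    """
    if len(report_body) != REPORT_BODY_LEN:
        raise ValueError("unexpected report body length")
    same_enclave = hmac.compare_digest(report_body[MRENCLAVE], expected_mrenclave)
    same_key = hmac.compare_digest(report_body[REPORT_DATA],
                                   report_data_for_key(public_key))
    return same_enclave and same_key


def build_sample_body(mrenclave: bytes, public_key: bytes) -> bytes:
    """Constructed report body for the demo: only the two fields used above
    are filled in, everything else is zero."""
    body = bytearray(REPORT_BODY_LEN)
    body[MRENCLAVE] = mrenclave
    body[REPORT_DATA] = report_data_for_key(public_key)
    return bytes(body)


# Constructed sample values, not a real measurement or key.
SAMPLE_MRENCLAVE = hashlib.sha256(b"constructed enclave measurement").digest()
SAMPLE_KEY = b"\x04" + bytes(range(64))  # shaped like an uncompressed EC point

if __name__ == "__main__":
    body = build_sample_body(SAMPLE_MRENCLAVE, SAMPLE_KEY)
    print(key_is_bound(body, SAMPLE_KEY, SAMPLE_MRENCLAVE))
```

Once `key_is_bound` returns true, the relying party verifies each ECALL response signature against that key with whatever signature library it already uses.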