How are Provisioning and Quoting Enclaves launched

AB_ · ‎10-28-2017

I understand that Provisioning Enclave (PvE) is a special enclave. Please clarify the following questions.

How is the PvE launched?
What does it mean that it is provided by Intel? Specifically, is there a priviliged software (provided/used by Intel) that creates and launches PvE, and that is somehow not accessible to application developers? I am assuming that sgx_create_enclave() cannot be used to create this special enclave.
Is that a software run enclave or a microcode run?
I have similar questions for Quoting Enclave too. How is this launched?

you_w_ · ‎10-29-2017

Hi AB.

To find out answer of these questions, I advise that you can read the source code of PSW. All the achitecture build-in enclaves are inside the PSW package.

Regars

you

Rafal_W_ · ‎11-08-2017

Architectural enclaves are loaded by the aesm service "when needed". That means PvE is loaded during the EPID join process, QE is loaded the first time you request a quote etc.

Architectural enclaves are signed by a special Intel key that is privileged (CPU/microcode checks the signature and only allows enclaves signed with this key to be privileged). Documentation mentions possibility for custom Launch Enclaves (not signed by Intel), but this currently is not possible as far as I know.