Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.
1453 Discussions

How does an enclave get its own MRENCLAVE

jamason
Beginner
‎11-17-2017 07:45 AM
798 Views
Solved Jump to solution

the intel sgx devleopper guide mentions that there are two methods the application can use to retrieve the MRENCLAVE meas-urement for the enclave, either:

1)The application B retrieves the MRENCLAVE value from the enclave certificate for enclave B.

2) Enclave B supports an interface to export this value which is retrieved by creating a report with a random MRENCLAVE target measurement.

my question is concerning the second method. if enclave B makes an EREPORT call with a random MRENCLAVE as a target measuremnent, what would be in the return value that would allow it to know its own MRENCLAVE.

this also brings me to another question, which is: if any enclave on a platform is allowed to call the EREPORT with any target MRENCLAVE value, isnt that already more data leaked that would be desired. wouldnt it be a form of prompting the platform to confirm/deny the presence of a certain enclave?

 

Thank you

0 Kudos
1 Solution
Juan_d_Intel
Employee
‎11-21-2017 10:33 AM
798 Views
Solved Jump to solution

In an enclave calls EREPORT with a random MRENCLAVE in the TARGETINFO structure, the REPORT structure will contain such MRENCLAVE. However, this REPORT will be useless.

In addition, calling EREPORT with a random MRENCLAVE doesn't mean that an enclave with such measurement is running on the platform at all.

View solution in original post

0 Kudos
Copy link

Link Copied

1 Reply
Juan_d_Intel
Employee
‎11-21-2017 10:33 AM
799 Views
Solved Jump to solution

In an enclave calls EREPORT with a random MRENCLAVE in the TARGETINFO structure, the REPORT structure will contain such MRENCLAVE. However, this REPORT will be useless.

In addition, calling EREPORT with a random MRENCLAVE doesn't mean that an enclave with such measurement is running on the platform at all.

0 Kudos
Copy link
Reply

Community support is provided during standard business hours (Monday to Friday 7AM - 5PM PST). Other contact methods are available here.

Intel does not verify all solutions, including but not limited to any file transfers that may appear in this community. Accordingly, Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade.

For more complete information about compiler optimizations, see our Optimization Notice.