Intel® Software Guard Extensions (Intel® SGX)
Use hardware-based isolation and memory encryption to provide more code protection in your solutions.

How is enclave created remotely

M_A_2
Beginner
176 Views

Hi,

I am learning SGX and wanted to know how is an enclave is created in a remote machine. As I understood, the enclave should be created locally and should be measured to get MRENCLAVE. Then it should be created in the remote machine and when attested, it should return the same value of MRENCLAVE, right?.

Can we send code and data to the enclave in the remote machine encrypted? if yes, how please? and what will be the value of MRENCLAVE obtained from the remote machine?

Thanks

 

 

0 Kudos
4 Replies
Rodolfo_S_
New Contributor III
176 Views

Hi.

You are correct. If the exact same enclave is loaded in two different machines, their MRENCLAVE's will match.

As a result of the remote attestation process, which is well defined here, a symmetric key is derived, and this key can be used to send encrypted data to/from the enclave. The MRENCLAVE will not change after the enclave loading is completed. SGX1 does not support dynamic changes to enclave code.

M_A_2
Beginner
176 Views

 

This means that the code has to be in the remote machine in plaintext to create the enclave in the remote machine?

AArya2
New Contributor I
176 Views

Yes, the initial state of an enclave is always out in the open.

AArya2
New Contributor I
176 Views

@Rodolfo

Does SGX2 support dynamic changes to enclave code?

Reply