Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

Production Enclave Signing Query

Elephant
Beginner
477 Views

Hi,

I have a question about the 2-step signing process for production enclaves.  Is the "gendata" option going to create a signing material that will have information about the CPU the enclave will be running on?  Will this CPU information be the basis of the signing platform/facility (i.e. Intel) on which private key to use when signing the signing material?

The reason for this question is that when we deploy a production software on different machines, do we need to create a signing material for each machine that we will deploy the enclave on?

Thanks a lot!

Kind Regards,
Elephant

 

 

 

0 Kudos
1 Reply
Hoang_N_Intel
Employee
477 Views

"gendata" does not involve the CPU information. According to page 15 in the developer guide at https://01.org/sites/default/files/documentation/intel_sgx_sdk_developer_reference_for_linux_os_pdf.pdf, it states that "the signature and buffer sections together with the header and body sections complete the enclave signature structure" for gendata.

The "2-step signing process" is intended to generate the MRSIGNER which involves only the Signing Identity key. So you should be able to deploy a production software on different machines. In fact, you should also be able to deploy multiple applications on different machines using the same signing key.

0 Kudos
Reply