Hi,
I have a question about the 2-step signing process for production enclaves. Is the "gendata" option going to create signing material that will have information about the CPU the enclave will be running on? Will this CPU information be the basis of the signing platform/facility (i.e. Intel) on which private key to use when signing the signing material?
The reason for this question is that when we deploy production software on different machines, do we need to create signing material for each machine that we will deploy the enclave on?
Thanks a lot!
Kind Regards,
Elephant
"gendata" does not involve the CPU information. According to page 15 in the developer guide at https://01.org/sites/default/files/documentation/intel_sgx_sdk_developer_reference_for_linux_os_pdf.pdf, it states that "the signature and buffer sections together with the header and body sections complete the enclave signature structure" for gendata.
The "2-step signing process" is intended to generate the MRSIGNER, which involves only the Signing Identity key. So you should be able to deploy production software on different machines. In fact, you should also be able to deploy multiple applications on different machines using the same signing key.
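An added example, not part of the original posts or of the SGX SDK, showing why the answer above holds: the signed material is only the header and body sections, and MRSIGNER is a hash of the signer's public modulus, so neither contains anything machine-specific. It assumes the SIGSTRUCT byte offsets from the Intel SDM and that the signing material is those two 128-byte sections; the moduli and enclave hashes are constructed sample values, not real keys or measurements.

```python
import hashlib

# Assumed SIGSTRUCT layout (1808 bytes), byte offsets per the Intel SDM.
SIGSTRUCT_SIZE = 1808
HEADER = slice(0, 128)         # header section: vendor, date, sw-defined
MODULUS = slice(128, 512)      # RSA-3072 public modulus, little-endian
BODY = slice(900, 1028)        # body section: attributes, MRENCLAVE, ISV ids
ENCLAVEHASH = slice(960, 992)  # MRENCLAVE, inside the body section


def constructed_modulus(label: bytes) -> int:
    """Deterministic 3072-bit odd integer standing in for a key modulus.
    Constructed sample data, not a usable RSA key."""
    raw = hashlib.shake_256(label).digest(384)
    return int.from_bytes(raw, "big") | (1 << 3071) | 1


def build_sigstruct(modulus: int, mrenclave: bytes) -> bytes:
    """SIGSTRUCT-shaped buffer; fields not needed here stay zero."""
    buf = bytearray(SIGSTRUCT_SIZE)
    buf[MODULUS] = modulus.to_bytes(384, "little")
    buf[ENCLAVEHASH] = mrenclave
    return bytes(buf)


def signing_material(sigstruct: bytes) -> bytes:
    """The 256 bytes that get signed: header section plus body section."""
    return sigstruct[HEADER] + sigstruct[BODY]


def mrsigner(sigstruct: bytes) -> str:
    """MRSIGNER is SHA-256 over the signer's public modulus."""
    return hashlib.sha256(sigstruct[MODULUS]).hexdigest()


KEY_A = constructed_modulus(b"constructed signing key A")
KEY_B = constructed_modulus(b"constructed signing key B")
APP1 = hashlib.sha256(b"constructed enclave 1").digest()
APP2 = hashlib.sha256(b"constructed enclave 2").digest()

if __name__ == "__main__":
    for name, key, app in [("A/app1", KEY_A, APP1), ("A/app2", KEY_A, APP2),
                           ("B/app1", KEY_B, APP1)]:
        s = build_sigstruct(key, app)
        print(name, mrsigner(s)[:16],
              hashlib.sha256(signing_material(s)).hexdigest()[:16])
```

The first two rows share an MRSIGNER (same key, different enclaves), and the first and third share the signing material (same enclave, different keys).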