Production Enclave Signing Query

Hi,

I have a question about the 2-step signing process for production enclaves. Is the "gendata" option going to create a signing material that will have information about the CPU the enclave will be running on? Will this CPU information be the basis of the signing platform/facility (i.e. Intel) on which private key to use when signing the signing material?

The reason for this question is that when we deploy a production software on different machines, do we need to create a signing material for each machine that we will deploy the enclave on?

Thanks a lot!

Kind Regards,
Elephant

Employee

"gendata" does not involve the CPU information. Page 15 of the developer guide at https://01.org/sites/default/files/documentation/intel_sgx_sdk_developer_reference_for_linux_os_pdf.... states that "the signature and buffer sections together with the header and body sections complete the enclave signature structure" for gendata.

The "2-step signing process" is intended to generate the MRSIGNER which involves only the Signing Identity key. So you should be able to deploy a production software on different machines. In fact, you should also be able to deploy multiple applications on different machines using the same signing key.

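The reply's point, that MRSIGNER depends only on the signing key, can be checked directly. The following is an added example, not code from the thread or from the Intel SGX SDK: it derives MRSIGNER the way the SDK's signing tool does (SHA-256 over the 384-byte RSA-3072 public modulus in little-endian byte order, a fact from the SDK rather than from this page) and shows that neither the enclave build nor the target machine enters the value. The modulus here is a constructed stand-in, not a real RSA key, and the deployment names are made up.

```python
import hashlib

# Documented two-step flow this example models (from the SGX SDK developer reference,
# shown for orientation; nothing here runs sgx_sign):
#   sgx_sign gendata -enclave enclave.so -config config.xml -out enclave_hash.hex
#   openssl dgst -sha256 -out signature.hex -sign private.pem enclave_hash.hex
#   sgx_sign catsig -enclave enclave.so -config config.xml -out enclave.signed.so \
#       -key public.pem -sig signature.hex -unsigned enclave_hash.hex
#
# MRSIGNER is taken from the public key supplied at the catsig step; the CPU that
# will later load the enclave is never an input.

MODULUS_BYTES = 384  # RSA-3072 modulus length used by SGX enclave signatures


def constructed_modulus(seed: bytes) -> int:
    """Deterministic 3072-bit odd integer standing in for an RSA-3072 modulus.

    Constructed for this demo only; a real modulus comes from the key pair held at
    the signing facility and is NOT derived from a seed like this.
    """
    stream = b"".join(hashlib.sha256(seed + bytes([i])).digest() for i in range(12))
    n = int.from_bytes(stream, "big")
    return n | (1 << 3071) | 1  # force full 3072-bit length and oddness


def mrsigner_from_modulus(n: int) -> str:
    """MRSIGNER as the SGX SDK computes it: SHA-256 of the little-endian modulus.

    Only the signing key's modulus is hashed; enclave contents (MRENCLAVE) and the
    platform the enclave will run on do not appear anywhere in this computation.
    """
    modulus_le = n.to_bytes(MODULUS_BYTES, "little")
    return hashlib.sha256(modulus_le).hexdigest()


def mrsigner_across_deployments(n: int, deployments: list[tuple[str, str]]) -> dict:
    """Map each (machine, enclave build) pair to the MRSIGNER it will observe.

    The machine and build names are deliberately not inputs to the hash: signing
    material does not have to be regenerated per machine.
    """
    return {f"{host}/{build}": mrsigner_from_modulus(n) for host, build in deployments}


def signed_by_one_key(mrsigners: dict) -> bool:
    """True when every deployment sees the same MRSIGNER, i.e. one signing identity."""
    return len(set(mrsigners.values())) == 1


if __name__ == "__main__":
    # Constructed deployment plan: three machines, two enclave builds, one signing key.
    plan = [("host-a", "enclave-v1"), ("host-b", "enclave-v1"), ("host-c", "enclave-v2")]
    key_n = constructed_modulus(b"production-signing-key (constructed)")
    seen = mrsigner_across_deployments(key_n, plan)
    for target, value in seen.items():
        print(f"{target:22s} MRSIGNER={value}")
    print("single signing identity:", signed_by_one_key(seen))
    # A different key, and only a different key, changes MRSIGNER.
    other_n = constructed_modulus(b"some other key (constructed)")
    print("other key differs:", mrsigner_from_modulus(other_n) != mrsigner_from_modulus(key_n))
```

Run it as a script to see one MRSIGNER repeated for every host/build pair; swap in a real modulus (for example, extracted from the PEM public key passed to catsig) and the function returns the value the SDK's signing tool reports for that key.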