Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

Production Enclave Signing Query

Elephant
Beginner

Hi,

I have a question about the 2-step signing process for production enclaves. Is the "gendata" option going to create a signing material that will have information about the CPU the enclave will be running on? Will this CPU information be the basis of the signing platform/facility (i.e. Intel) on which private key to use when signing the signing material?

The reason for this question is that when we deploy a production software on different machines, do we need to create a signing material for each machine that we will deploy the enclave on?

Thanks a lot!

Kind Regards,
Elephant

Hoang_N_Intel
Employee

"gendata" does not involve the CPU information. According to page 15 in the developer guide at https://01.org/sites/default/files/documentation/intel_sgx_sdk_developer_reference_for_linux_os_pdf.pdf, it states that "the signature and buffer sections together with the header and body sections complete the enclave signature structure" for gendata.

The "2-step signing process" is intended to generate the MRSIGNER, which involves only the Signing Identity key. So you should be able to deploy a production software on different machines. In fact, you should also be able to deploy multiple applications on different machines using the same signing key.

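The point made in the reply, as an added example that is not part of the thread or of Intel's SDK: it uses the SIGSTRUCT field offsets from the Intel SDM to show that the signing material is the header and body sections only, and that MRSIGNER is the SHA-256 of the signing key's modulus. The helper names, the placeholder moduli (not real RSA keys) and the MRENCLAVE values are constructed for illustration.

```python
import hashlib

# SIGSTRUCT byte ranges per the Intel SDM layout (1808 bytes total).
SIGSTRUCT_SIZE = 1808
HEADER_SECTION = slice(0, 128)     # header, vendor, date, header2, swdefined
MODULUS = slice(128, 512)          # RSA-3072 public modulus, little-endian
EXPONENT = slice(512, 516)
BODY_SECTION = slice(900, 1028)    # miscselect, attributes, MRENCLAVE, ISV ids
ENCLAVEHASH = slice(960, 992)      # MRENCLAVE, inside the body section


def demo_modulus(label: bytes) -> int:
    """Constructed 3072-bit odd integer standing in for a signer's modulus."""
    raw = hashlib.shake_256(label).digest(384)
    return int.from_bytes(raw, "little") | (1 << 3071) | 1


def build_sigstruct(modulus: int, mrenclave: bytes) -> bytes:
    """Constructed SIGSTRUCT: key and measurement set, signature left zero."""
    s = bytearray(SIGSTRUCT_SIZE)
    s[MODULUS] = modulus.to_bytes(384, "little")
    s[EXPONENT] = (3).to_bytes(4, "little")
    s[ENCLAVEHASH] = mrenclave
    return bytes(s)


def signing_material(sigstruct: bytes) -> bytes:
    """The 256 bytes that get signed: header section followed by body section."""
    if len(sigstruct) != SIGSTRUCT_SIZE:
        raise ValueError("unexpected SIGSTRUCT size")
    return sigstruct[HEADER_SECTION] + sigstruct[BODY_SECTION]


def mrsigner(sigstruct: bytes) -> bytes:
    """MRSIGNER is SHA-256 over the 384-byte little-endian modulus."""
    if len(sigstruct) != SIGSTRUCT_SIZE:
        raise ValueError("unexpected SIGSTRUCT size")
    return hashlib.sha256(sigstruct[MODULUS]).digest()


if __name__ == "__main__":
    key = demo_modulus(b"constructed production key")
    app_a = build_sigstruct(key, b"\xaa" * 32)   # constructed MRENCLAVE values
    app_b = build_sigstruct(key, b"\xbb" * 32)
    print("signing material bytes:", len(signing_material(app_a)))
    print("app A MRSIGNER:", mrsigner(app_a).hex())
    print("app B MRSIGNER:", mrsigner(app_b).hex())
    print("same signer:", mrsigner(app_a) == mrsigner(app_b))
```

None of the fields in the two signed sections is derived from the platform the enclave later runs on, so one signed enclave file serves every machine.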