Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

Question about MRENCLAVE and MRSIGNER Register used in attestation

Sam5
New Contributor I
3,049 Views

Hi,

Could you please explain the MRENCLAVE and MRSIGNER Register used in attestation.

-Thanks

0 Kudos
1 Solution
Surenthar_S_Intel
3,049 Views

Hi Sam,

MRENCLAVE and MRSIGNER register values are updated/added during enclave instantiation. During enclave launch time, enclave author identity is verified using the RSA public key provided by author in MRSIGN struct. MRSIGN structure contains the MRENCLAVE, Product ID, SVN (Security Version Number), RSA Public key  and the signature done using the RSA private key. 

After the enclave author identity is verified, the MRENCLAVE value in SIGNSTRUCT is copied to the MRENCLAVE register.Then the measurement value, based on code/initial data, order in which the datas are placed and security properties of the enclave pages is calculated. This calculated measurement MRENCLAVE value is compared to the MRENCLAVE value contained in the MRSIGN structure. If it matches then hash of the public key of enclave author identity(MRSIGNER) is stored in  MRSIGNER register. 

These MRENCLAVE and MRSIGNER register values will be used for sealing data, local and remote attestation. During remote attestation process, registers provides the MRENCLAVE and MRSIGNER values to generate REPORT and QUOTE.

Please refer the "Intel-SGX-SDK-Users-Guide-for-windows-OS" regarding these register values significance  for remote attestation.

Thanks and Reagrds,
Surenthar Selvaraj

View solution in original post

0 Kudos
2 Replies
Surenthar_S_Intel
3,050 Views

Hi Sam,

MRENCLAVE and MRSIGNER register values are updated/added during enclave instantiation. During enclave launch time, enclave author identity is verified using the RSA public key provided by author in MRSIGN struct. MRSIGN structure contains the MRENCLAVE, Product ID, SVN (Security Version Number), RSA Public key  and the signature done using the RSA private key. 

After the enclave author identity is verified, the MRENCLAVE value in SIGNSTRUCT is copied to the MRENCLAVE register.Then the measurement value, based on code/initial data, order in which the datas are placed and security properties of the enclave pages is calculated. This calculated measurement MRENCLAVE value is compared to the MRENCLAVE value contained in the MRSIGN structure. If it matches then hash of the public key of enclave author identity(MRSIGNER) is stored in  MRSIGNER register. 

These MRENCLAVE and MRSIGNER register values will be used for sealing data, local and remote attestation. During remote attestation process, registers provides the MRENCLAVE and MRSIGNER values to generate REPORT and QUOTE.

Please refer the "Intel-SGX-SDK-Users-Guide-for-windows-OS" regarding these register values significance  for remote attestation.

Thanks and Reagrds,
Surenthar Selvaraj

0 Kudos
Sam5
New Contributor I
3,049 Views

Thanks for your Information.

0 Kudos
Reply