Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

Questions about launch_token and EINITTOKEN

Huorong_L_
New Contributor I
1,997 Views

Hi,

As far as I know, launch_token is used in the API sgx_create_enclave(..., sgx_launch_token_t *launch_token, ...), and the EINITTOKEN structure is created by the LE and is used in the EINIT instruction. Here are my questions:

  1. What is the relationship between launch_token and EINITTOKEN?
  2. As launch_token is an [in/out] parameter, what info will be passed out? Will EINITTOKEN be saved to launch_token after it's created or updated and passed out?
  3. From the forum topic (https://software.intel.com/en-us/forums/intel-software-guard-extensions-intel-sgx/topic/685198) I know that there is an enclave launch white-list file, signed by Intel. Does the LE only sign EINITTOKEN for the enclaves that are on the white-list file? If so, how and when does the LE on a PC get, update and sync the white-list file? If not, what are the requirements for the LE to sign EINITTOKEN for an enclave?

Thanks.

0 Kudos
8 Replies
PadmaPriya_M_Intel
1,997 Views

Hi,

1. What is the relationship between launch_token and EINITTOKEN?

launch_token - When loading an enclave for the first time, the loader will get a launch token.
EINITTOKEN - The EINIT token is used by EINIT to verify that the enclave is permitted to launch. The EINIT token is generated by an enclave in possession of the EINITTOKEN key (the Launch Enclave).

2. a) As launch_token is an [in/out] parameter, what info will be passed out?

When loading an enclave for the first time, the loader will get a launch token and save it back to the in/out parameter token. The user can save the launch token into a file, so that when loading an enclave for the second time, the application can get the launch token from the saved file. Providing a valid launch token can enhance the load performance.

b) Will EINITTOKEN be saved to launch_token after it's created or updated and passed out?

The Launch Enclave (LE) is an enclave issued by Intel that gets to approve every other enclave before it is initialized by EINIT. It approves an enclave by issuing an EINIT Token (EINITTOKEN). The EINITTOKEN structure contains the approved enclave’s measurement-based and certificate-based identities, just like a local attestation REPORT. This token is inspected by EINIT, which refuses to initialize enclaves with incorrect tokens. While an EINIT token is handled by untrusted system software, its integrity is protected by a MAC tag that is computed using a Launch Key obtained from EGETKEY. The EINIT implementation follows the same key derivation process as EGETKEY to convince itself that the EINITTOKEN provided to it was indeed generated by an LE that had access to the Launch Key.

-Thanks

0 Kudos
Huorong_L_
New Contributor I
1,997 Views

Hi Padma,

Thanks for your reply. 

How about my third question? As you have mentioned that the LE approves an enclave by issuing an EINIT Token (EINITTOKEN), what are the rules for the LE to sign an EINITTOKEN for an enclave?

 

0 Kudos
PadmaPriya_M_Intel
1,997 Views

Hi,

The EINITTOKEN structure contains the identities of the approved enclave (MRENCLAVE and MRSIGNER) and the approved enclave attributes (ATTRIBUTES). The token also includes the information used for the Launch Key derivation, which includes the LE’s Product ID (ISVPRODIDLE), SVN (ISVSVNLE), and the bitwise AND between the LE’s ATTRIBUTES and the ATTRIBUTEMASK used in the KEYREQUEST (MASKEDATTRIBUTESLE). EINITTOKEN structures are MACed using AES-CMAC with 128-bit keys.

For a better understanding of how the SGX Launch Enclave computes the EINITTOKEN, please refer to section 5.9 (SGX Enclave Launch Control) on page 88 of the attached document.

-Thanks.

 

0 Kudos
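The fields listed in the reply above can be read out of a token for auditing. This is an added example, not part of the original thread or of Intel's SDK: the byte offsets follow the EINITTOKEN layout in the Intel SDM, the function names are hypothetical, the sample token is constructed, and it is an assumption that a saved launch-token buffer begins with the EINITTOKEN.

```python
import struct
from collections import namedtuple

# EINITTOKEN layout per the Intel SDM: 304 bytes, little-endian; 'x' = reserved.
_FMT = "<I44x16s32s32x32s32x16sHH24xI16s32s16s"
TOKEN_SIZE = struct.calcsize(_FMT)   # 304
MACED_LEN = 192                      # AES-CMAC covers bytes [0, 192)

EinitToken = namedtuple("EinitToken", [
    "valid", "attributes", "mrenclave", "mrsigner", "cpusvn_le",
    "isvprodid_le", "isvsvn_le", "masked_miscselect_le",
    "masked_attributes_le", "keyid", "mac"])


def parse_einittoken(buf):
    """Parse the first 304 bytes of buf as an EINITTOKEN.

    Assumption: buf is a raw EINITTOKEN or a saved launch-token buffer
    that starts with one.
    """
    if len(buf) < TOKEN_SIZE:
        raise ValueError(f"need {TOKEN_SIZE} bytes, got {len(buf)}")
    return EinitToken._make(struct.unpack_from(_FMT, buf, 0))


def audit_token(buf, expected_mrenclave, allowed_mrsigners):
    """Return a list of findings; an empty list means the identities match.

    The MAC is not verified here: the Launch Key comes from EGETKEY and is
    re-derived by EINIT, so ordinary software can compare identities only.
    """
    tok = parse_einittoken(buf)
    findings = []
    if not tok.valid & 1:
        findings.append("VALID bit clear")
    if tok.mrenclave != expected_mrenclave:
        findings.append("MRENCLAVE does not match the expected enclave")
    if tok.mrsigner not in allowed_mrsigners:
        findings.append("MRSIGNER " + tok.mrsigner.hex() + " not expected")
    return findings


def constructed_sample(mrenclave, mrsigner):
    """Build a fake token for the demo (constructed values, MAC is not real)."""
    return struct.pack(_FMT, 1, bytes([4]) + bytes(15), mrenclave, mrsigner,
                       bytes(16), 0x20, 1, 0, bytes(16), bytes(32),
                       b"\xaa" * 16)
```

A token that parses cleanly here can still be rejected by EINIT, because only the hardware can check the MAC.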
Huorong_L_
New Contributor I
1,997 Views

Hi Padma, I'm sorry for making you misunderstand what I meant.

From the forum topic (https://software.intel.com/en-us/forums/intel-software-guard-extensions-intel-sgx/topic/685198) I know that there is an enclave launch white-list file, signed by Intel. Does the LE only sign EINITTOKEN for the enclaves that are on the white-list file? If so, how and when does the LE on a PC get, update and sync the white-list file? If not, what are the requirements for the LE to sign EINITTOKEN for an enclave?

I know Intel uses Launch Control Policy to control enclave launching. My question is what Launch Control Policy is and how Launch Control Policy makes a difference when launching an enclave. In the above forum topic, Surenthar Selvaraj. (Intel) mentioned that there is an enclave launch white-list file, signed by Intel. So I guess the policy is that only an enclave on the white-list file can get a signed EINITTOKEN from the LE, am I right?

0 Kudos
PadmaPriya_M_Intel
1,997 Views

Hi,

  • Does the LE only sign EINITTOKEN for the enclaves that are on the white-list file?

Yes, the LE only signs EINITTOKEN for the enclaves that are on the white-list file. If the enclave build process is successful, an Intel-provided Launch Token is granted, provided that the enclave developer key is on an Intel-managed white-list. This will result in the enclave being loaded into protected memory, ready for execution.

  • What is Launch Control Policy and how does Launch Control Policy make a difference when launching an enclave?

This policy includes steps like approving the enclave that is yet to be initialized, based on the Launch Enclave.

  • Can only an enclave on the white-list file get a signed EINITTOKEN from the LE?

Yes.

0 Kudos
Huorong_L_
New Contributor I
1,997 Views

Hi Padma,

Thanks for your reply.

One more question: how and when is the white-list file provisioned, updated and synchronized?

0 Kudos
PadmaPriya_M_Intel
1,998 Views

Hi,

1. Whenever the AESM starts (after the system boots or wakes up) it will attempt to pull the WL from AWS if it has not already done so that day (once a day at most). Also, if an SGX production-signed enclave fails to launch due to its MRSIGNER not being found on the WL, an attempt to pull down the WL will be triggered.
2. There is a version # associated with the WL, and the API will only allow a WL update if it's a newer version of the WL.
3. For machines without regular internet access, their software installer can update the whitelist manually. When a vendor gets whitelisted, they are sent the updated whitelist that includes their own certificate. They can provision this whitelist as part of their application installation procedure by calling sgx_register_wl_cert_chain().
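The three rules in the answer above, modelled as a small state machine. This is an added example, not AESM or SDK code: the class and method names are hypothetical, signer values are constructed strings, and `fetch` stands in for the download.

```python
from datetime import date


class WhitelistCache:
    """Model of the white-list (WL) update rules described in the answer."""

    def __init__(self, fetch):
        self.fetch = fetch        # hypothetical: returns (version, signers)
        self.version = 0
        self.signers = set()
        self.last_pull = None     # date of the last scheduled pull

    def register(self, version, signers):
        """Rule 2 and 3: accept a WL (pulled or installer-provided) only if
        its version is strictly newer, so an old list cannot replace a new one."""
        if version <= self.version:
            return False
        self.version, self.signers = version, set(signers)
        return True

    def _pull(self):
        return self.register(*self.fetch())

    def on_start(self, today):
        """Rule 1: on AESM start, pull at most once per day.
        Returns True when a pull was attempted."""
        if self.last_pull == today:
            return False
        self.last_pull = today
        self._pull()
        return True

    def may_launch(self, mrsigner):
        """Rule 1, second half: a miss fails this launch and triggers a pull,
        so a later attempt sees any newer WL."""
        if mrsigner in self.signers:
            return True
        self._pull()
        return False
```

The strict version comparison in `register` is the part that matters for security: without it, replaying an older signed list could drop or reinstate signers.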

 

Huorong_L_
New Contributor I
1,997 Views

Hi Padma,

Thanks a lot. It does solve my problem.

-Huorong

0 Kudos