- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Per the document '"Intel® Software Guard Extensions - Developer Guide',it mentions :
'The Enclave Author’s Public Key – After an enclave is successfully initialized, the CPU
records a hash of the enclave author’s public key in the MRSIGNER register.'
'An enclave developer must provide the Security Version and Product ID of an enclave, as well
as a signing key pair to generate the enclave signature. '
If my understanding about the key-pair generation, they are provided by enclave developer.Right?
If enclave developer provides the key-pair, does SGX provide the safe way or instructions to generate the keys(both public key or private key)?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Nia,
If my understanding about the key-pair generation, they are provided by enclave developer.Right?
- Yes, it is provided by enclave developer.
- The enclave builder presents the hardware with an RSA signed enclave certificate(SIGNSTRUCT) that contains the expected value of the Enclave identity, MRENCLAVE, and Enclave Author's public key.
- The hardware checks the signature of the certificate, using the public key contained within,and then it compares the value of the measured MRENCLAVE against signed version.If the check pass the cpu records a hash of the enclave author's public key in the MRSIGNER register after the enclave is successfully initiated.
If enclave developer provides the key-pair, does SGX provide the safe way or instructions to generate the keys(both public key or private key)?
- Please refer the "Intel Software Gaurd's Extension User's Guide for Windows" documents (Page no :32 Enclave Signing Examples)
Thanks and Regards,
Surenthar Selvaraj
Link Copied
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Nia,
If my understanding about the key-pair generation, they are provided by enclave developer.Right?
- Yes, it is provided by enclave developer.
- The enclave builder presents the hardware with an RSA signed enclave certificate(SIGNSTRUCT) that contains the expected value of the Enclave identity, MRENCLAVE, and Enclave Author's public key.
- The hardware checks the signature of the certificate, using the public key contained within,and then it compares the value of the measured MRENCLAVE against signed version.If the check pass the cpu records a hash of the enclave author's public key in the MRSIGNER register after the enclave is successfully initiated.
If enclave developer provides the key-pair, does SGX provide the safe way or instructions to generate the keys(both public key or private key)?
- Please refer the "Intel Software Gaurd's Extension User's Guide for Windows" documents (Page no :32 Enclave Signing Examples)
Thanks and Regards,
Surenthar Selvaraj
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As far as creating an enclave signing key you have 2 options. When you create an enclave project you can have the Wizard automatically generate a random key, which is fine for signing debug and prerelease enclave, or you can import an existing key. See Creating an Enclave, step 5 in the User's Guide. Protecting the signing key used to sign production/release enclave is up to the developer.
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page