Community
cancel
Showing results for 
Search instead for 
Did you mean: 
nia_b_
Beginner
136 Views

Questions about the public key in the MRSIGNER register

Jump to solution

Hi,

Per the document '"Intel® Software Guard Extensions - Developer Guide',it mentions :

'The Enclave Author’s Public Key – After an enclave is successfully initialized, the CPU
records a hash of the enclave author’s public key in the MRSIGNER register.
'

'An enclave developer must provide the Security Version and Product ID of an enclave, as well
as a signing key pair to generate the enclave signature. 
'

If my understanding about the key-pair generation, they are provided by enclave developer.Right?

If enclave developer provides the key-pair, does SGX provide the safe way or instructions to generate the keys(both public key or private key)? 

0 Kudos
1 Solution
136 Views

Hi Nia,

If my understanding about the key-pair generation, they are provided by enclave developer.Right?

  • Yes, it is provided by enclave developer.
  • The enclave builder presents the hardware with an RSA signed enclave certificate(SIGNSTRUCT) that contains the expected value of the Enclave identity, MRENCLAVE, and Enclave Author's public key.
  • The hardware checks the signature of the certificate, using the public key contained within,and then it compares the value of the measured MRENCLAVE against signed version.If the check pass the cpu records a hash of the enclave author's public key in the MRSIGNER register after the enclave is successfully initiated.

If enclave developer provides the key-pair, does SGX provide the safe way or instructions to generate the keys(both public key or private key)? 

  • Please refer the "Intel Software Gaurd's Extension User's Guide for Windows" documents (Page no :32 Enclave Signing Examples)

Thanks and Regards,
Surenthar Selvaraj

View solution in original post

2 Replies
137 Views

Hi Nia,

If my understanding about the key-pair generation, they are provided by enclave developer.Right?

  • Yes, it is provided by enclave developer.
  • The enclave builder presents the hardware with an RSA signed enclave certificate(SIGNSTRUCT) that contains the expected value of the Enclave identity, MRENCLAVE, and Enclave Author's public key.
  • The hardware checks the signature of the certificate, using the public key contained within,and then it compares the value of the measured MRENCLAVE against signed version.If the check pass the cpu records a hash of the enclave author's public key in the MRSIGNER register after the enclave is successfully initiated.

If enclave developer provides the key-pair, does SGX provide the safe way or instructions to generate the keys(both public key or private key)? 

  • Please refer the "Intel Software Gaurd's Extension User's Guide for Windows" documents (Page no :32 Enclave Signing Examples)

Thanks and Regards,
Surenthar Selvaraj

View solution in original post

Juan_d_Intel
Employee
136 Views

As far as creating an enclave signing key you have 2 options. When you create an enclave project you can have the Wizard automatically generate a random key, which is fine for signing debug and prerelease enclave, or you can import an existing key. See Creating an Enclave, step 5 in the User's Guide. Protecting the signing key used to sign production/release enclave is up to the developer.

Reply