Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.
1453 Discussions

Reproduce enclave measurement from enclave binary

Fan
Beginner
‎10-18-2016 09:00 PM
602 Views

I have a question about enclave measurement. Judging by the SignTool source code for Linux (and high-level description in the manual), it seems like measurement involves loading the enclave file (ELF or PE). But the result of loading varies on different platforms, right? I wonder if I can reproduce consistent enclave measurement from enclave binary.

In particular, I'm considering the following scenarios: Suppose I want to distribute enclave.signed.so to my users and I only want to serve requests from that particular enclave. I guess I can't simply compare the local measurement on my platform with users' (can be included in their attestations). What should I do instead?

Essentially the question boils down to how to link the binary and the measurement cryptographically? There seems to be a paradox: suppose I have the enclave binary, the only way I can get its measurement is to load it. However, the loading process is not trusted (done by OS)! How can I ensure the measurement I get is indeed for that particular binary? I must have misunderstood something because this seems critical to the entire validity of SGX. Please correct me.

Thanks!

 

0 Kudos

Link Copied

2 Replies
Francisco_C_Intel
Employee
‎10-19-2016 11:46 AM
602 Views

>But the result of loading varies on different platforms, right?

No. The sign tool can be run on an older processor that does not support SGX, for example. It will produce the same measurement on various platforms, even if those do support SGX. The measurement procedure is described in https://software.intel.com/sites/default/files/managed/48/88/329298-002.pdf Sections 1.4 and 3.1.

>seems like measurement involves loading the enclave file (ELF or PE).

Yes. But you can simulate what the memory looks like after it has been loaded. This is what the signing tool does. The signing tool does need to match what the runtime does when it loads the enclave, otherwise the measurement would not match.

Once you have a measurement for the enclave, you can make that measurement part of the enclave. To avoid circular references it is stored it in a non-measured section of the enclave.

From the hardware's perspective, it will compare the measurement stored in the enclave to the one it computes itself as part of the enclave creation and initialization process.

0 Kudos
Copy link
Fan
Beginner
‎10-19-2016 08:08 PM
602 Views

Thanks for the detailed answers. That cleared my confusion.

For people who run into the same need, here is what I end up doing: If you need a tool to measure a given enclave binary, you can sign it using `sgx_sign` and dump the `.note.sgxmeta` section (for ELF only, I didn't try this on Windows but I guess it would be similar for PE). Measurement is part of that section along with other misc info (notably the signature).

Fan

0 Kudos
Copy link
Reply

Community support is provided during standard business hours (Monday to Friday 7AM - 5PM PST). Other contact methods are available here.

Intel does not verify all solutions, including but not limited to any file transfers that may appear in this community. Accordingly, Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade.

For more complete information about compiler optimizations, see our Optimization Notice.