I have a question about enclave measurement. Judging by the SignTool source code for Linux (and high-level description in the manual), it seems like measurement involves loading the enclave file (ELF or PE). But the result of loading varies on different platforms, right? I wonder if I can reproduce consistent enclave measurement from enclave binary.
In particular, I'm considering the following scenarios: Suppose I want to distribute enclave.signed.so to my users and I only want to serve requests from that particular enclave. I guess I can't simply compare the local measurement on my platform with users' (can be included in their attestations). What should I do instead?
Essentially the question boils down to how to link the binary and the measurement cryptographically? There seems to be a paradox: suppose I have the enclave binary, the only way I can get its measurement is to load it. However, the loading process is not trusted (done by OS)! How can I ensure the measurement I get is indeed for that particular binary? I must have misunderstood something because this seems critical to the entire validity of SGX. Please correct me.
>But the result of loading varies on different platforms, right?
No. The sign tool can be run on an older processor that does not support SGX, for example. It will produce the same measurement on various platforms, even if those do support SGX. The measurement procedure is described in https://software.intel.com/sites/default/files/managed/48/88/329298-002.pdf Sections 1.4 and 3.1.
>seems like measurement involves loading the enclave file (ELF or PE).
Yes. But you can simulate what the memory looks like after it has been loaded. This is what the signing tool does. The signing tool does need to match what the runtime does when it loads the enclave, otherwise the measurement would not match.
Once you have a measurement for the enclave, you can make that measurement part of the enclave. To avoid circular references it is stored in a non-measured section of the enclave.
From the hardware's perspective, it will compare the measurement stored in the enclave to the one it computes itself as part of the enclave creation and initialization process.
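To make the answer above concrete, here is an added illustration (my own example code, not Intel's sign tool or SDK) of why the measurement is reproducible off-platform: it is just a SHA-256 over a deterministic sequence of records describing the loaded memory image (ECREATE, then EADD and EEXTEND per page, as the Programming Reference describes), so any tool that knows the page layout can compute it without SGX hardware. The record layouts, flag values and the toy three-page "enclave" are this example's assumptions, simplified for readability rather than a bit-exact reimplementation of the reference. It also shows the point about the non-measured section: the metadata page can hold the measurement itself without changing it, while a single flipped byte in a measured page does.

```python
import hashlib
import hmac
import struct

PAGE_SIZE = 4096
CHUNK_SIZE = 256            # EEXTEND extends the measurement 256 bytes at a time
ENCLAVE_SIZE = 4 * PAGE_SIZE  # toy enclave: 4 pages of address space (assumed)

# Page permission bits for this toy model (assumed values, not Intel's SECINFO encoding).
FLAG_R, FLAG_W, FLAG_X = 1, 2, 4


class SimulatedMeasurement:
    """Simplified model of MRENCLAVE: a running SHA-256 over ECREATE/EADD/EEXTEND
    records. Each record is padded to 64 bytes; EEXTEND is followed by the chunk data.
    Field encodings are this example's simplification of the public description."""

    def __init__(self, enclave_size, ssa_frame_size=1):
        self.h = hashlib.sha256()
        # ECREATE record: tag, SSAFRAMESIZE (u32), SIZE (u64), zero padding to 64 bytes
        rec = b"ECREATE\0" + struct.pack("<IQ", ssa_frame_size, enclave_size)
        self.h.update(rec.ljust(64, b"\0"))

    def add_page(self, offset, data, flags, measured=True):
        if len(data) != PAGE_SIZE or offset % PAGE_SIZE != 0:
            raise ValueError("pages must be 4 KiB and page-aligned")
        # EADD record: tag, enclave offset (u64), page attributes, zero padding
        rec = b"EADD\0\0\0\0" + struct.pack("<QQ", offset, flags)
        self.h.update(rec.ljust(64, b"\0"))
        if measured:
            # EEXTEND: one header record plus 256 bytes of content per chunk.
            for i in range(0, PAGE_SIZE, CHUNK_SIZE):
                rec = b"EEXTEND\0" + struct.pack("<Q", offset + i)
                self.h.update(rec.ljust(64, b"\0"))
                self.h.update(data[i:i + CHUNK_SIZE])

    def digest(self):
        return self.h.hexdigest()


def measure_layout(enclave_size, pages):
    """pages: iterable of (offset, data, flags, measured) in load order."""
    m = SimulatedMeasurement(enclave_size)
    for offset, data, flags, measured in pages:
        m.add_page(offset, data, flags, measured)
    return m.digest()


def build_sample_layout(metadata=b"", tamper_code=False):
    """Constructed three-page image: code (R+X, measured), data (R+W, measured),
    metadata page (R, NOT measured) standing in for something like .note.sgxmeta."""
    code = bytes([0x90]) * PAGE_SIZE          # constructed filler, not real code
    if tamper_code:
        code = code[:100] + b"\xcc" + code[101:]  # flip one byte in a measured page
    data = bytes(PAGE_SIZE)
    meta = metadata[:PAGE_SIZE].ljust(PAGE_SIZE, b"\0")
    return [
        (0x0000, code, FLAG_R | FLAG_X, True),
        (0x1000, data, FLAG_R | FLAG_W, True),
        (0x2000, meta, FLAG_R, False),
    ]


def expected_measurement(metadata=b"", tamper_code=False):
    return measure_layout(ENCLAVE_SIZE, build_sample_layout(metadata, tamper_code))


def verify_reported(expected_hex, reported_hex):
    """Constant-time comparison of the locally computed measurement against one
    taken from a client's attestation (e.g. the MRENCLAVE field of a report)."""
    return hmac.compare_digest(expected_hex.lower(), reported_hex.lower())


if __name__ == "__main__":
    mr = expected_measurement()
    print("measurement of sample image:", mr)
    # Storing the measurement in the unmeasured metadata page leaves it unchanged.
    print("same with measurement embedded:", expected_measurement(metadata=mr.encode()) == mr)
    # Any change to a measured page produces a different value.
    print("tampered image matches:", verify_reported(mr, expected_measurement(tamper_code=True)))
```

Run it twice, or on two different machines, and the printed value is identical: nothing in the computation depends on the host. Against a real enclave you would replace the toy layout with the page list the runtime actually loads (which is why the sign tool must mirror the loader exactly), and compare the result with the MRENCLAVE reported in the client's attestation using `verify_reported`.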
Thanks for the detailed answers. That cleared my confusion.
For people who run into the same need, here is what I end up doing: If you need a tool to measure a given enclave binary, you can sign it using `sgx_sign` and dump the `.note.sgxmeta` section (for ELF only, I didn't try this on Windows but I guess it would be similar for PE). Measurement is part of that section along with other misc info (notably the signature).