Hello everyone,
In order to use Intel SGX in production, do you have to sign an enclave with an Intel-issued key? If that is the case, where can I get the key?
I have read that you can build your own LE with your own (ref_le), but I am interested in using the Intel provided one.
Best regards,
Danko
Hi Danko,
Intel whitelists your enclave signing key, and to do that you must sign a commercial use license request. See more information here: https://www.intel.com/content/www/us/en/developer/articles/technical/intel-sgx-product-licensing.html
The Intel SGX SDK for Windows and Linux both include a signing tool. It is usually run by the makefile as part of the post-build flows during development. But sgx_sign can be run manually to generate whitelisting materials if you need to have the enclave signer whitelisted.
There are two signing methods: one-step signing and two-step signing:
The one-step method is used during application development/debugging. The enclave is in Debug or Pre-Release mode. Enclaves are then signed post-build using a private test key. In Windows, you can choose the private test key provided by Visual Studio, and for Linux you can use the private key that comes with the sample enclaves. You can also use your own. (See Intel SGX SDK Dev Reference Guide.)
The two-step method (which is likely what you are looking for since you want to use the enclave in production) is used to securely sign an enclave built in Release mode. This signing makes use of a private test key stored in a secure key facility or platform.
See more information about signing methods and whitelisting here: https://www.intel.com/content/dam/develop/external/us/en/documents/overview-signing-whitelisting-intel-sgx-enclaves.pdf
Sincerely,
Sahira
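The two-step flow described in the answer above, sketched as a shell script; this is an added example, not part of the original post or Intel's own code. It uses the SDK's `sgx_sign gendata` and `sgx_sign catsig` subcommands; the file names are placeholders, and a PEM private key with `openssl` stands in for the secure key facility (an assumption for illustration).

```shell
#!/bin/sh
# Added example: two-step enclave signing with sgx_sign and openssl.
# File names are placeholders. A PEM private key stands in for the key
# facility (assumption); there the key would never reach the build host.

# The SGX signing key is RSA-3072 with public exponent 3; check the public half.
check_key_shape() {  # args: public.pem
    info=$(openssl rsa -pubin -in "$1" -noout -text 2>/dev/null) || return 1
    printf '%s\n' "$info" | grep -q '(3072 bit)' &&
        printf '%s\n' "$info" | grep -q 'Exponent: 3 (0x3)'
}

# Step 1, build host: write the enclave signing material to a file.
gen_signing_material() {  # args: enclave.so config.xml material_out
    sgx_sign gendata -enclave "$1" -config "$2" -out "$3"
}

# Step 2a, key facility: sign the material with the private key.
sign_material() {  # args: private.pem material signature_out
    openssl dgst -sha256 -sign "$1" -keyform PEM -out "$3" "$2"
}

# Confirm the signature against the public key before handing it back.
verify_material() {  # args: public.pem material signature
    openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
}

# Step 2b, build host: merge signature and public key into the signed enclave.
assemble_signed_enclave() {  # args: enclave config public.pem sig material out
    sgx_sign catsig -enclave "$1" -config "$2" -key "$3" \
        -sig "$4" -unsigned "$5" -out "$6"
}

# Usage: sh two_step_sign.sh enclave.so Enclave.config.xml private.pem public.pem
if [ "$#" -eq 4 ]; then
    set -e
    check_key_shape "$4"
    gen_signing_material "$1" "$2" enclave_hash.hex
    sign_material "$3" enclave_hash.hex signature.hex
    verify_material "$4" enclave_hash.hex signature.hex
    assemble_signed_enclave "$1" "$2" "$4" signature.hex enclave_hash.hex \
        enclave.signed.so
fi
```

In a real deployment only `sign_material` runs where the private key lives; the signing material and the resulting signature are the only files that cross that boundary.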
Thank you Sahira. This is what I was looking for.
All the best,
Danko