Intel® Software Guard Extensions (Intel® SGX)
Use hardware-based isolation and memory encryption to provide more code protection in your solutions.

SGX Sign Tool

dankoetfman
Novice
659 Views

Hello everyone,

 

In order to use Intel SGX in production do you have to sign an enclave with an Intel issued key? If that is the case, where can I get the key?

 

I have read that you can build your own LE with your own (ref_le), but I am interested in using the Intel provided one. 

 

Best regards,
Danko

1 Solution
Sahira_Intel
Moderator
632 Views

Hi Danko,


Intel whitelists your enclave signing key, and to do that you must sign a commercial use license request. See more information here: https://www.intel.com/content/www/us/en/developer/articles/technical/intel-sgx-product-licensing.htm...

 

The Intel SGX SDK for Windows and Linux both include a signing tool. It is usually run by the makefile as part of the post-build flow during development. But sgx_sign can be run manually to generate whitelisting materials if you need to have the enclave signer whitelisted.

There are two signing methods: one-step signing and two-step signing:

The one-step method is used during application development/debugging. The enclave is in Debug or Pre-Release mode. Enclaves are then signed post build using a private test key. In Windows, you can choose the private test key provided by Visual Studio, and for Linux you can use the private key that comes with the sample enclaves. You can also use your own. (see Intel SGX SDK Dev Reference Guide)

The two-step method (which is likely what you are looking for since you want to use the enclave in production) is used to securely sign an enclave built in Release mode. This signing makes use of a private test key stored in a secure key facility or platform.

 

See more information about signing methods and whitelisting here: https://www.intel.com/content/dam/develop/external/us/en/documents/overview-signing-whitelisting-int...

 

Sincerely,

Sahira


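As an added example (not part of Sahira's reply and not code from the Intel SGX SDK), the one-step and two-step sgx_sign flows described above written as a POSIX shell script. The enclave, config and key file names are assumptions; the key check reflects sgx_sign's requirement that the signing key be RSA-3072 with public exponent 3, which is worth verifying before you submit that key for whitelisting.

```shell
#!/bin/sh
# Added example: sgx_sign one-step and two-step signing flows, plus a key check.
# Assumed inputs: an unsigned enclave.so, its Enclave.config.xml and a PEM key;
# sgx_sign (from the SGX SDK) and openssl must be on PATH. Not Intel's code.
set -eu

# sgx_sign only accepts RSA-3072 keys with public exponent 3; a key that does
# not match is rejected by the tool and is useless for whitelisting.
check_sgx_key() {  # keyfile -> 0 if usable by sgx_sign
  txt=$(openssl rsa -in "$1" -noout -text 2>/dev/null) || return 1
  bits=$(printf '%s\n' "$txt" | sed -n '1s/.*(\([0-9][0-9]*\) bit.*/\1/p')
  exp=$(printf '%s\n' "$txt" | sed -n 's/^publicExponent: \([0-9][0-9]*\).*/\1/p')
  [ "$bits" = "3072" ] && [ "$exp" = "3" ]
}

# Generate a key with the parameters sgx_sign requires (test keys only; a
# production key belongs in the signing facility and should never leave it).
gen_sgx_key() {  # keyfile
  openssl genpkey -algorithm RSA -out "$1" \
    -pkeyopt rsa_keygen_bits:3072 -pkeyopt rsa_keygen_pubexp:3 2>/dev/null
}

# One-step signing: Debug / Pre-Release builds, private key on the build host.
one_step_sign() {  # enclave config privkey out
  sgx_sign sign -enclave "$1" -config "$2" -key "$3" -out "$4"
}

# Two-step signing: Release builds. Only the enclave hash (gendata output)
# leaves the build host; the private key is used on the isolated signing
# system, and catsig merges the returned signature into the enclave.
two_step_sign() {  # enclave config privkey out
  sgx_sign gendata -enclave "$1" -config "$2" -out enclave_hash.hex
  # This step is the one that runs inside the secure key facility.
  openssl dgst -sha256 -sign "$3" -keyform PEM -out signature.hex enclave_hash.hex
  openssl rsa -in "$3" -pubout -out public.pem 2>/dev/null
  sgx_sign catsig -enclave "$1" -config "$2" -key public.pem \
    -sig signature.hex -unsigned enclave_hash.hex -out "$4"
}

# Dump the signed enclave's metadata (MRENCLAVE, MRSIGNER) for the
# whitelisting request.
dump_metadata() {  # signed_enclave dumpfile
  sgx_sign dump -enclave "$1" -dumpfile "$2"
}

if [ $# -eq 3 ]; then  # usage: ./sign.sh enclave.so Enclave.config.xml private.pem
  check_sgx_key "$3" || { echo "key is not RSA-3072 with e=3" >&2; exit 1; }
  two_step_sign "$1" "$2" "$3" enclave_signed.so
  dump_metadata enclave_signed.so metadata.txt
fi
```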

2 Replies

dankoetfman
Novice
605 Views

Thank you Sahira. This is what I was looking for.

 

All the best,
Danko
