Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

Signing Enclave with RSA Keys in two step process

bergmann__Tina
Beginner
962 Views

Dear All,

I want to break down the build process of the SGX and therefore I am trying to sign the Enclave myself using the two step process. Once the Enclave is compiled as an enclave.so, I perform the following steps manually to get the signed Enclave:

 

Generating Keypair:
-------------------
openssl genrsa -out my_private_key.pem -3 3072
openssl rsa -in my_private_key.pem -pubout -out my_public_key.pem

Signing the Enclave:
-----------------------------

2-Step Process:
----------------
sgx_sign gendata -enclave enclave.so -config Enclave/Enclave.config.xml -out enclave_hash.hex

openssl dgst -sha256  -out signature.hex  -sign my_private_key.pem -keyform PEM  enclave_hash.hex 

sgx_sign catsig -enclave enclave.so -config Enclave/Enclave.config.xml -out enclave_signed.so -key my_public_key.pem -sig signature.hex -unsigned enclave_hash.hex

All except the last step throws up the following error:

"Error happened while signing the Enclave." 

Can someone point out the problem?

Thanks

3 Replies
Hoang_N_Intel
Employee

It looks like when you generate the key, you did not specify the encryption algorithm.

It should be   $ openssl genrsa -aes128 -out my_private_key.pem -3 3072

instead of just $ openssl genrsa  -out my_private_key.pem -3 3072

Yan_M_1
Beginner

Is it possible to sign an enclave with an RSA key with an exponent other than 3?

Hoang_N_Intel
Employee

No, please do not use an exponent value other than 3. It must be 3 as the SGX AESM uses that value along with the public key to validate and load the Enclave.

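
A pre-flight check for the key parameters discussed in this thread (public exponent 3 from the last reply, 3072-bit modulus from the genrsa command in the question), as an added example that is not part of the original posts or of Intel's tooling. It reads a public key PEM as written by `openssl rsa -pubout` using only the Python standard library; the function names are assumptions of this example, and the sample keys are constructed with a synthetic modulus, so they are not usable for signing.

```python
import base64

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # rsaEncryption, 1.2.840.113549.1.1.1

def _read_tlv(buf, pos, tag):  # one DER element -> (value, next_pos)
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError(f"expected DER tag {tag:#04x} at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return buf[pos:pos + length], pos + length

def rsa_public_params(pem_text):
    """Return (modulus_bits, exponent) for a 'BEGIN PUBLIC KEY' PEM (SubjectPublicKeyInfo)."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != "-----BEGIN PUBLIC KEY-----" or lines[-1] != "-----END PUBLIC KEY-----":
        raise ValueError("not a SubjectPublicKeyInfo PEM")
    spki, _ = _read_tlv(base64.b64decode("".join(lines[1:-1])), 0, 0x30)
    alg, pos = _read_tlv(spki, 0, 0x30)          # AlgorithmIdentifier
    if not alg.startswith(RSA_OID):
        raise ValueError("not an RSA key")
    bitstr, _ = _read_tlv(spki, pos, 0x03)       # BIT STRING; first byte counts unused bits
    rsa_key, _ = _read_tlv(bitstr[1:], 0, 0x30)  # RSAPublicKey ::= SEQUENCE { n, e }
    n_bytes, pos = _read_tlv(rsa_key, 0, 0x02)
    e_bytes, _ = _read_tlv(rsa_key, pos, 0x02)
    return int.from_bytes(n_bytes, "big").bit_length(), int.from_bytes(e_bytes, "big")

def check_sgx_signing_key(pem_text):
    """Return a list of problems; empty means a 3072-bit modulus with public exponent 3."""
    bits, e = rsa_public_params(pem_text)
    checks = [(bits == 3072, f"modulus is {bits} bits, expected 3072"),
              (e == 3, f"public exponent is {e}, expected 3")]
    return [msg for ok, msg in checks if not ok]

def _tlv(tag, value):  # minimal DER encoder, used only to build the constructed samples
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    head = bytes([len(value)]) if len(value) < 0x80 else bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + head + value

def make_sample_pem(bits, e):  # constructed input: synthetic odd modulus, NOT a real RSA key
    ints = b"".join(_tlv(0x02, i.to_bytes(i.bit_length() // 8 + 1, "big")) for i in ((1 << (bits - 1)) | 1, e))
    spki = _tlv(0x30, _tlv(0x30, RSA_OID + b"\x05\x00") + _tlv(0x03, b"\x00" + _tlv(0x30, ints)))
    return "-----BEGIN PUBLIC KEY-----\n" + base64.encodebytes(spki).decode() + "-----END PUBLIC KEY-----\n"

if __name__ == "__main__":
    print([check_sgx_signing_key(make_sample_pem(3072, e)) for e in (3, 65537)])
```

To check a real key, pass the contents of my_public_key.pem to `check_sgx_signing_key` before running `sgx_sign catsig`.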