Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.
1453 Discussions

What does EINIT check?

sang__oh
Beginner
‎02-12-2019 03:39 AM
941 Views
Solved Jump to solution

https://software.intel.com/sites/default/files/article/413936/hasp-2013-innovative-instructions-and-software-model-for-isolated-execution.pdf

 

in this paper, page 6, explain EINIT establishes following steps.

1. Verifies that SIGSTRUCT is signed using the public key enclosed in the SIGSTRUCT
2. Checks that measurement of the enclave matches the measurement of the enclave specified in SIGSTRUCT
3. Checks that the enclave’s attributes are compatible with those specified in SIGSTRUCT
4. Finalizes the measurement of the enclave and records the sealing identity and enclave identity (the sealing authority, product id and security version number) in the SECS

 

but i can't understand what 'field' is enclose in release app.

when i debug app, PROJ_NAME.signed.dll file is created, and i understand it is enclave field definition. (because without this file, error8207(200F) failed to create enclave is occurred. )

 

my question is... 

1. how it possible 'Checks that measurement of the enclave matches the measurement of the enclave specified in SIGSTRUCT' ? does released app include measurement of the enclave?

2. how many information is included in release app's enclave ? ( SIGSTRUCT, enclave contents, RSA Signature... etc)

0 Kudos
1 Solution
Scott_R_Intel
Employee
‎02-12-2019 05:52 AM
941 Views
Solved Jump to solution

Hello.

If I understand your questions correctly, the sgx_sign tool documentation will answer what is included in a signed enclave's SIGSTRUCT:

https://software.intel.com/en-us/sgx-sdk-dev-reference-the-enclave-signing-tool

Regards.

Scott

View solution in original post

0 Kudos
Copy link

Link Copied

2 Replies
Scott_R_Intel
Employee
‎02-12-2019 05:52 AM
942 Views
Solved Jump to solution

Hello.

If I understand your questions correctly, the sgx_sign tool documentation will answer what is included in a signed enclave's SIGSTRUCT:

https://software.intel.com/en-us/sgx-sdk-dev-reference-the-enclave-signing-tool

Regards.

Scott

0 Kudos
Copy link
sang__oh
Beginner
‎02-13-2019 07:47 PM
941 Views
Solved Jump to solution

thanks for your help!

with your help, now i know why enclave file is signed.dll    and is it correct that i understand?

 

1. when user run sgx app, SIGSTRUCT field will be created by measurment of x.signed.dll file (this file has it's own Enclave Contents. for example, SECS, ATTRIBUTES, BASEADDR, SIZE, SSAFRAMESIZE, other EPC Pages)

2. after build SIGSTRUCT, Enclave Content(SECS, Other EPC Pages) is created by information of SIGSTRUCT.

3. MRSIGNER ( 2's Enclave Contents -> SECS -> MRSIGNER) is checked by intel's provisioning service to Enclave's public key ( hash of public key ) is whitelisted ( verify intel's MRSIGNER = Enclave's MRSIGNER).

finally, 1,2,3 is valid, Enclave is start.

is it correct?

0 Kudos
Copy link
Reply

Community support is provided during standard business hours (Monday to Friday 7AM - 5PM PST). Other contact methods are available here.

Intel does not verify all solutions, including but not limited to any file transfers that may appear in this community. Accordingly, Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade.

For more complete information about compiler optimizations, see our Optimization Notice.