Community
cancel
Showing results for 
Search instead for 
Did you mean: 
sang__oh
Beginner
114 Views

What does EINIT check?

Jump to solution

https://software.intel.com/sites/default/files/article/413936/hasp-2013-innovative-instructions-and-...

 

in this paper, page 6, explain EINIT establishes following steps.

1. Verifies that SIGSTRUCT is signed using the public key enclosed in the SIGSTRUCT
2. Checks that measurement of the enclave matches the measurement of the enclave specified in SIGSTRUCT
3. Checks that the enclave’s attributes are compatible with those specified in SIGSTRUCT
4. Finalizes the measurement of the enclave and records the sealing identity and enclave identity (the sealing authority, product id and security version number) in the SECS

 

but i can't understand what 'field' is enclose in release app.

when i debug app, PROJ_NAME.signed.dll file is created, and i understand it is enclave field definition. (because without this file, error8207(200F) failed to create enclave is occurred. )

 

my question is... 

1. how it possible 'Checks that measurement of the enclave matches the measurement of the enclave specified in SIGSTRUCT' ? does released app include measurement of the enclave?

2. how many information is included in release app's enclave ? ( SIGSTRUCT, enclave contents, RSA Signature... etc)

0 Kudos
1 Solution
Scott_R_Intel
Employee
114 Views

Hello.

If I understand your questions correctly, the sgx_sign tool documentation will answer what is included in a signed enclave's SIGSTRUCT:

https://software.intel.com/en-us/sgx-sdk-dev-reference-the-enclave-signing-tool

Regards.

Scott

View solution in original post

2 Replies
Scott_R_Intel
Employee
115 Views

Hello.

If I understand your questions correctly, the sgx_sign tool documentation will answer what is included in a signed enclave's SIGSTRUCT:

https://software.intel.com/en-us/sgx-sdk-dev-reference-the-enclave-signing-tool

Regards.

Scott

View solution in original post

sang__oh
Beginner
114 Views

thanks for your help!

with your help, now i know why enclave file is signed.dll    and is it correct that i understand?

 

1. when user run sgx app, SIGSTRUCT field will be created by measurment of x.signed.dll file (this file has it's own Enclave Contents. for example, SECS, ATTRIBUTES, BASEADDR, SIZE, SSAFRAMESIZE, other EPC Pages)

2. after build SIGSTRUCT, Enclave Content(SECS, Other EPC Pages) is created by information of SIGSTRUCT.

3. MRSIGNER ( 2's Enclave Contents -> SECS -> MRSIGNER) is checked by intel's provisioning service to Enclave's public key ( hash of public key ) is whitelisted ( verify intel's MRSIGNER = Enclave's MRSIGNER).

finally, 1,2,3 is valid, Enclave is start.

is it correct?

Reply