Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.
1453 Discussions

Where does enclave signature be verified with whitelist when launching?

plzfgme
Beginner
466 Views

Hi,

I have read from https://www.intel.com/content/dam/develop/external/us/en/documents/overview-signing-whitelisting-intel-sgx-enclaves.pdf that in release mode, an check is performed to see if the enclave signer is whitelisted.

However, when I try to build https://github.com/intel/linux-sgx/tree/master/SampleCode with `make SGX_DEBUG=0`, sign it with a random generated key from openssl and then run it, It runs without any error.

Why does the sample code still run when the key is not whitelisted?

0 Kudos
2 Replies
Scott_R_Intel
Employee
448 Views

The Launch Policy List (previously known as the Whitelist) is only enforced/used when launching Windows enclaves.  On Linux, any enclave is allowed to launch due to a newer feature called Flexible Launch Control.

0 Kudos
Aznie_Intel
Moderator
379 Views

Hi Plzfgme,


This thread will no longer be monitored since we have provided information. If you need any additional information from Intel, please submit a new question.



Regards,

Aznie


0 Kudos
Reply