Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.
1474 Discussions

Where does enclave signature be verified with whitelist when launching?

plzfgme
Beginner
‎11-28-2023 06:14 PM
600 Views

Hi,

I have read from https://www.intel.com/content/dam/develop/external/us/en/documents/overview-signing-whitelisting-intel-sgx-enclaves.pdf that in release mode, an check is performed to see if the enclave signer is whitelisted.

However, when I try to build https://github.com/intel/linux-sgx/tree/master/SampleCode with `make SGX_DEBUG=0`, sign it with a random generated key from openssl and then run it, It runs without any error.

Why does the sample code still run when the key is not whitelisted?

0 Kudos

Link Copied

2 Replies
Scott_R_Intel
Employee
‎11-29-2023 05:39 AM
582 Views

The Launch Policy List (previously known as the Whitelist) is only enforced/used when launching Windows enclaves.  On Linux, any enclave is allowed to launch due to a newer feature called Flexible Launch Control.

0 Kudos
Copy link
Aznie_Intel
Moderator
‎12-06-2023 07:17 PM
513 Views

Hi Plzfgme,


This thread will no longer be monitored since we have provided information. If you need any additional information from Intel, please submit a new question.



Regards,

Aznie


0 Kudos
Copy link
Reply

Community support is provided Monday to Friday. Other contact methods are available here.

Intel does not verify all solutions, including but not limited to any file transfers that may appear in this community. Accordingly, Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade.

For more complete information about compiler optimizations, see our Optimization Notice.