I want to make a release version of my app, the simple test version (https://software.intel.com/en-us/forums/intel-software-guard-extensions-intel-sgx/topic/802697).
When I print SGX_DEBUG_FLAG in release mode, the value is still 1,
so I set sgx_create_enclave(ENCLAVE_FILE, 0, &token, &updated, &eid, NULL);
and in Enclave1.config.xml <DisableDebug>1</DisableDebug>, but there is an 'SGX_ERROR_SERVICE_INVALID_PRIVILEGE' error.
According to https://software.intel.com/en-us/sgx-sdk-dev-reference-local-attestation, local attestation does not require a whitelist.
1. Does the simple app (above link, topic/802697) need a whitelist?
2. If it does not, how can I run the app in release mode?
Thanks for your help :)
Hi Oh.
Any enclave, simple or otherwise, needs to be whitelisted to be able to be launched in production/release mode. Without whitelisting, you can only launch in debug or pre-release mode. More info at the link below, if interested:
Regards.
Scott
Thanks for your answer, Scott.
I requested a whitelist for studying, but the answer was no :(
Anyway, when I run the app in debug mode, there is no public key file.
When I create the file, the public key and the enclave's hash value signed by the private key should be present, but there is no pem file in the debug directory.
Only these files are in the debug folder:
Enclave1.dll Enclave1.exp Enclave1.lib Enclave1.pdb Enclave1.signed.dll Project1.exe Project1.ilk Project1.pdb
1. Does debug mode not support making the public key and the enclave's hash?
2. How can I know, from the user's point of view, that the program is running on SGX?
Thanks :)
Hi Oh.
I don't quite understand what you're asking in question 1, but maybe this will help...
Since you appear to be using Windows, you should use the Visual Studio "Add New Intel(r) SGX Enclave Project" wizard... this automatically generates the private .pem key for you. It will not be located in the output directory, but rather in the same folder with your enclave source and project files. The Wizard also creates build steps to automatically sign the enclave during the compile/build process. It makes things a lot easier.
But, if you prefer to do it manually, you can create your own private key using OpenSSL. It just needs to be a 3072-bit RSA key with public exponent 3. Once you've installed OpenSSL, you can use this command to create it:
openssl genrsa -out private_key.pem -3 3072
Then, to sign your enclave, you can use this command:
sgx_sign.exe sign -key "private_key.pem" -enclave "Enclave1.dll" -out "Enclave1.signed.dll" -config "Enclave1.config.xml"
Once you've done that, assuming you built your app in Debug or Prerelease mode, once sgx_create_enclave comes back successful, you're running in SGX mode. If you really wanted to verify/test, you could try to read the enclave physical memory using a utility/driver such as RWEverything (http://rweverything.com/)... this should of course fail to read the memory.
Hope this helps.
Scott
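The key requirements Scott states above (3072-bit RSA, public exponent 3) are easy to get wrong, because OpenSSL's default is a 2048-bit key with exponent 65537 and sgx_sign then rejects the key. The following is an added example, not code from Scott, the thread, or the Intel SGX SDK: a small dependency-free Python checker that reads an unencrypted PEM private key and reports whether it meets those two requirements. It accepts both the PKCS#1 "RSA PRIVATE KEY" format (OpenSSL 1.x genrsa output) and the PKCS#8 "PRIVATE KEY" format (the OpenSSL 3 default). The helper make_constructed_key_pem builds syntactically valid but cryptographically meaningless keys so the checker can be exercised offline; the function names and the constructed keys are this example's own.

```python
import base64
import re

# Requirements the SGX SDK places on an enclave signing key, as stated in the thread above.
SGX_KEY_BITS = 3072
SGX_PUBLIC_EXPONENT = 3


def _der_len(n):
    """Encode a DER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(nb)]) + nb


def _der_int(v):
    """Encode a non-negative INTEGER; the spare byte keeps the sign bit clear."""
    b = v.to_bytes((v.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(b)) + b


def _der_seq(*parts):
    body = b"".join(parts)
    return b"\x30" + _der_len(len(body)) + body


def _read_tlv(buf, pos):
    """Decode one DER element at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(der):
    """List the (tag, value) elements directly inside a constructed DER value."""
    out, pos = [], 0
    while pos < len(der):
        tag, val, pos = _read_tlv(der, pos)
        out.append((tag, val))
    return out


def rsa_key_params(pem):
    """Return (modulus bits, public exponent) of an unencrypted RSA private key in PEM."""
    der = base64.b64decode(re.sub(r"\s+", "", re.sub(r"-----[^-]+-----", "", pem)))
    if "BEGIN PRIVATE KEY" in pem:
        # PKCS#8: SEQUENCE { version, AlgorithmIdentifier, OCTET STRING holding RSAPrivateKey }
        der = _children(_read_tlv(der, 0)[1])[2][1]
    # PKCS#1 RSAPrivateKey: SEQUENCE { version, n, e, d, p, q, dP, dQ, qInv }
    fields = _children(_read_tlv(der, 0)[1])
    n = int.from_bytes(fields[1][1], "big")
    e = int.from_bytes(fields[2][1], "big")
    return n.bit_length(), e


def check_sgx_signing_key(pem):
    """Return a list of problems; an empty list means the key is acceptable for sgx_sign."""
    bits, e = rsa_key_params(pem)
    problems = []
    if bits != SGX_KEY_BITS:
        problems.append(f"modulus is {bits} bits, sgx_sign requires {SGX_KEY_BITS}")
    if e != SGX_PUBLIC_EXPONENT:
        problems.append(f"public exponent is {e}, sgx_sign requires {SGX_PUBLIC_EXPONENT}")
    return problems


def make_constructed_key_pem(bits, e, pkcs8=False):
    """Build a syntactically valid but cryptographically meaningless key PEM (constructed test input).

    The modulus and CRT fields are placeholders so the parser can run offline;
    this is never a usable signing key.
    """
    n = (1 << (bits - 1)) | 1                        # exactly `bits` bits, odd
    rsa = _der_seq(_der_int(0), _der_int(n), _der_int(e), *(_der_int(1) for _ in range(6)))
    if pkcs8:
        rsa_oid = bytes.fromhex("06092A864886F70D010101")   # OID 1.2.840.113549.1.1.1 rsaEncryption
        alg = _der_seq(rsa_oid + b"\x05\x00")
        der = _der_seq(_der_int(0), alg, b"\x04" + _der_len(len(rsa)) + rsa)
        label = "PRIVATE KEY"
    else:
        der, label = rsa, "RSA PRIVATE KEY"
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


if __name__ == "__main__":
    import sys
    # Usage: python check_sgx_key.py private_key.pem   (checks a real OpenSSL-generated key)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            pem = f.read()
    else:
        pem = make_constructed_key_pem(2048, 65537)  # OpenSSL's usual default, which sgx_sign rejects
    print(check_sgx_signing_key(pem) or "key is acceptable for sgx_sign")
```

Run it against the private_key.pem produced by the openssl command in Scott's post; a key generated without the -3 option, or with a different size, is reported before sgx_sign ever sees it. The parser only looks at the modulus and public exponent, so it does not validate the key mathematically; that remains sgx_sign's job.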
I mean... when an ISV releases an app, the EPC is encrypted with the ISV's private key, so the user needs the hash and public key to verify it has not been modified. But I can't find these things in the out folder. What did I miss?
Thank you for your help, sir.
Hi again.
I'm not sure what you're referring to. The EPC is not encrypted with anything from the user. The SGX Memory Encryption Engine (MEE) that encrypts the EPC uses randomly generated keys that are created at every boot time. There is no way to access these keys. For more info on MEE, see this link: https://software.intel.com/en-us/blogs/2016/02/26/memory-encryption-an-intel-sgx-underpinning-technology
As I already mentioned, you can create the keys and hash using OpenSSL and the sgx_sign tool. Some examples can be found at the links below. But, just to clarify again, for debug/pre-release mode, you only need your private key to sign the enclave. You would only need the public key and hash if you were going to whitelist.
https://software.intel.com/en-us/sgx-sdk-dev-reference-enclave-signing-examples
https://software.intel.com/en-us/sgx-sdk-dev-reference-openssl-examples
Hope this helps.
Scott