• 04/09/2016

Enclave Signature

There are three main activities involved in establishing trust in software.
  • Measurement: As an enclave is instantiated in a trusted environment, an accurate and protected recording of its identity is taken.
  • Attestation: Demonstrating to other entities that a particular environment was instantiated in the correct manner.
  • Sealing: Enabling data belonging to the trusted environment to be bound to it such that it can be restored only when the trusted environment is restored.
This section focuses on the first activity, measurement. The second (attestation) and third (sealing) activities are described in subsequent sections.
Enclaves include a self-signed certificate from the enclave author, also known as the Enclave Signature (SIGSTRUCT). The enclave signature contains information that allows the Intel SGX architecture to detect whether any portion of the enclave file has been tampered with. This allows an enclave to prove that it has been loaded into the EPC correctly and that it can be trusted. However, the hardware only verifies the enclave measurement when an enclave is loaded. This means that anyone can modify an enclave and sign it with their own key. To prevent this type of attack, the enclave signature also identifies the enclave author. The enclave signature contains several important fields that are essential to an enclave's ability to attest to outside entities:
  • Enclave Measurement – A single 256-bit hash that identifies the code and initial data to be placed inside the enclave, the expected order and position in which they are to be placed, and the security properties of those pages. A change in any of these variables will result in a different measurement. When the enclave code/data pages are placed inside the EPC, the CPU calculates the enclave measurement and stores this value in the MRENCLAVE register. Then the CPU compares the content of MRENCLAVE against the enclave measurement value in SIGSTRUCT. The CPU allows the enclave to be initialized only if the two values match.
  • The Enclave Author’s Public Key – After an enclave is successfully initialized, the CPU records a hash of the enclave author’s public key in the MRSIGNER register. The contents of MRSIGNER serve as the identity of the enclave author. As a result, enclaves that have been authenticated with the same key have the same value placed in the MRSIGNER register.
  • The Security Version Number of the Enclave (ISVSVN) – The enclave author assigns a Security Version Number (SVN) to each version of an enclave. The SVN reflects the level of the security property of the enclave, and should monotonically increase with improvements of the security property. After an enclave is successfully initialized, the CPU records the SVN, which can be used during attestation. Different versions of an enclave with the same security property should be assigned the same SVN. For example, a new version of an enclave with non-security-related bug fixes should have the same SVN as the older version.
  • The Product ID of the Enclave (ISVPRODID) – The enclave author also assigns a Product ID to each enclave. The Product ID allows the enclave author to segment enclaves with the same enclave author identity. After an enclave is successfully initialized, the Product ID is recorded by the CPU, which can be used during attestation.
An enclave developer must provide the Security Version and Product ID of an enclave, as well as a signing key pair to generate the enclave signature. The CPU derives the identity of the enclave author from the public key, whereas the private key is used to sign the enclave. The enclave measurement calculation must be based on the code and initial data to be placed inside the enclave, the expected order and position in which they are to be placed, and the security properties of those pages. The code and initial data to be placed inside the enclave, as well as the security properties of those pages, are generated by the compiler, while their placement into the enclave is controlled by the enclave loader. Thus, the measurement calculation must follow the expected behavior of the enclave loader with regard to how it places enclave code and initial data in the enclave.
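The following Python sketch is an added example, not Intel's code or part of the original page. It models the measurement with a toy hash (not the real SGX algorithm), assumes MRSIGNER is SHA-256 over the 384-byte little-endian RSA modulus, and uses a hypothetical relying-party policy (`Policy`, `accept`) that pins author, Product ID and minimum SVN, so a modified enclave re-signed with another key is rejected.

```python
import hashlib
from dataclasses import dataclass

def measure(pages):
    """Toy measurement, NOT the real SGX algorithm: hash each page's offset,
    permissions and content in load order (the inputs the text lists)."""
    h = hashlib.sha256()
    for offset, perms, data in pages:
        h.update(offset.to_bytes(8, "little") + perms.encode())
        h.update(hashlib.sha256(data).digest())
    return h.digest()

def mrsigner(modulus):
    """Author identity as a hash of the public key. Assumption: SHA-256 over
    the 384-byte little-endian RSA modulus."""
    return hashlib.sha256(modulus.to_bytes(384, "little")).digest()

@dataclass(frozen=True)
class Identity:          # values the CPU records at initialization
    mrenclave: bytes
    mrsigner: bytes
    isvprodid: int
    isvsvn: int

@dataclass(frozen=True)
class Policy:            # hypothetical relying-party policy
    mrsigner: bytes
    isvprodid: int
    min_isvsvn: int

def accept(ident, policy):
    """Pin author and product, and require a minimum security version.
    MRENCLAVE is deliberately not pinned, so non-security rebuilds pass."""
    return (ident.mrsigner == policy.mrsigner
            and ident.isvprodid == policy.isvprodid
            and ident.isvsvn >= policy.min_isvsvn)

# Constructed sample values (not real keys or enclave pages).
AUTHOR_N = (1 << 3071) | 0x10001
OTHER_N = (1 << 3071) | 0x10003
PAGES = [(0x0000, "r-x", b"enclave code"), (0x1000, "rw-", b"initial data")]

def identity_for(pages, modulus, prodid, svn):
    return Identity(measure(pages), mrsigner(modulus), prodid, svn)

POLICY = Policy(mrsigner(AUTHOR_N), isvprodid=1, min_isvsvn=2)
```

A policy that pins MRENCLAVE instead would accept exactly one build and would have to be updated for every release, including bug-fix releases that keep the same SVN.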
