Distinguishing between Running Enclave Instances

Intel SGX does not provide a direct mechanism (for example, through the automatically generated REPORT fields) to distinguish between two or more running instances of the same enclave: they cannot be told apart by the automatically generated data in their REPORTs alone. To distinguish them, add a nonce to the protocol you use to establish trust in the underlying enclave. Generate the nonce with the RDRAND functionality of the hardware and ensure it is submitted (directly, or indirectly through a cryptographic hash) as part of the userdata field included in the REPORTs exchanged between enclaves. For more information on the RDRAND functionality, see Random Number Generation.
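The nonce binding described above, as an added example that is not taken from Intel's documentation or SDK: the REPORT layout is reduced to the two fields that matter, /dev/urandom stands in for RDRAND, and the hardware MAC and identity verification of the REPORT is assumed to have already passed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NONCE_LEN 32
#define REPORT_DATA_LEN 64   /* size of the SGX REPORT user data field */

/* Minimal model of the REPORT fields used here (constructed; not the real sgx_report_t). */
typedef struct {
    uint8_t mr_enclave[32];                /* identical for every instance of one enclave */
    uint8_t report_data[REPORT_DATA_LEN];  /* caller-supplied; carries the nonce */
} report_t;

/* Challenger: draw a fresh nonce. Stand-in for RDRAND / sgx_read_rand() in the SDK. */
bool fresh_nonce(uint8_t out[NONCE_LEN]) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return false;
    size_t n = fread(out, 1, NONCE_LEN, f);
    fclose(f);
    return n == NONCE_LEN;
}

/* Responder: place the challenger's nonce directly in report_data before the
   REPORT is generated (the report_data argument of sgx_create_report). */
void bind_nonce(report_t *r, const uint8_t nonce[NONCE_LEN]) {
    memset(r->report_data, 0, REPORT_DATA_LEN);
    memcpy(r->report_data, nonce, NONCE_LEN);
}

/* Challenger: after the MAC and identity checks (omitted), accept only a REPORT
   echoing this session's nonce; another instance shares mr_enclave but not the nonce. */
bool report_is_for_session(const report_t *r, const uint8_t mr[32],
                           const uint8_t nonce[NONCE_LEN]) {
    uint8_t expected[REPORT_DATA_LEN] = {0};
    memcpy(expected, nonce, NONCE_LEN);
    return memcmp(r->mr_enclave, mr, 32) == 0 &&
           memcmp(r->report_data, expected, REPORT_DATA_LEN) == 0;
}

/* Two instances with identical measurement and constructed nonces: only the one
   that answered our challenge passes. Returns true when the check behaves as intended. */
bool demo_two_instances(void) {
    uint8_t mr[32], n1[NONCE_LEN], n2[NONCE_LEN];
    memset(mr, 0xAB, 32); memset(n1, 0x11, NONCE_LEN); memset(n2, 0x22, NONCE_LEN);
    report_t a, b;
    memset(&a, 0, sizeof a); memcpy(a.mr_enclave, mr, 32); bind_nonce(&a, n1);
    memset(&b, 0, sizeof b); memcpy(b.mr_enclave, mr, 32); bind_nonce(&b, n2);
    return report_is_for_session(&a, mr, n1) && !report_is_for_session(&b, mr, n1);
}
```

In a real deployment the nonce must be fresh per session and checked only after the REPORT's MAC has been verified, otherwise the binding adds nothing.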
