Identifying the software in Intel® SGX

The enclave software measurement

Running a process inside an Intel® SGX Enclave includes, among others, the following steps:

  1. Constructing the process code and data in the enclave memory.

  2. Computing the enclave software measurement.

  3. Starting the enclave.

The enclave software measurement is a hash over the enclave memory as it was set up in step 1 above.
This measurement is always the same for the same application, and always different between two different applications.

In Intel® SGX terminology, the enclave measurement is referred to as MRENCLAVE.

The enclave signature

An organization should have a private key, used for signing, with which it will sign the software measurements of its enclaves. As will be explained later on in this document, this will provide a way to verify that a running enclave is coming from your organization.
Signing the enclave measurement with this signing key produces the enclave signature.

In Intel® SGX terminology, MRSIGNER is the hash of the public key corresponding to the private key used for the signing.

The enclave attestation quote

When running an enclave in Intel® SGX, the following happens:

  1. Constructing the process code and data in the enclave memory.

  2. Providing the signature and the public key to the Intel® SGX infrastructure.

  3. Asking the Intel® SGX infrastructure to start the enclave.

The Intel® SGX infrastructure in turn does the following:

  1. Computes the enclave software measurement.

  2. Ensures that the provided signed measurement and the public key match the actual computed software measurement of the enclave.
    The Intel® SGX infrastructure now holds two additional values in relation to that enclave:

    • The enclave software measurement - MRENCLAVE.

    • The hash of the public key - MRSIGNER.

  3. Starts running the software in the enclave.

Upon request, the Intel® SGX infrastructure generates an attestation quote.
This attestation quote is a cryptographically signed document that contains the following:

  1. Proof that this attestation quote is coming from an Intel® SGX Secure Enclave.
    (One cannot create a valid attestation quote if not running inside an Intel® SGX Enclave.)

  2. The MRENCLAVE and MRSIGNER values of that enclave.

Because the attestation quote is cryptographically signed, nobody can forge a quote or alter its inner fields, such as the MRENCLAVE or MRSIGNER values, without the signature check failing.

Closing the loop - attestation-aware services

The value of the attestation quote is realized when it is consumed by attestation-aware services. These are services that can receive an attestation quote from an enclave, verify that it is a genuine attestation quote coming from a real Intel® SGX Enclave, and extract the MRENCLAVE and MRSIGNER values.

For example, a server running in an enclave can provide its attestation quote to clients, including the enclave’s public key in the user data field. An attestation-aware client can verify the attestation quote to establish trust, and use the enclave’s public key to encrypt future communications. The Anjuna SGX Runtime makes it easy for the enclave to generate Intel® SGX attestation quotes using the generate_quote syscall.

In another example, an attestation-aware secret management system can define an access policy, which provides a secret only if the requesting enclave provides a valid attestation quote. The system can check MRSIGNER to ensure that the enclave was signed by a trusted organization that has access to a certain private signing key. It can also check MRENCLAVE to ensure that the enclave is a specific application with a particular software measurement. The Anjuna Policy Manager (APM) is attestation-aware; when the enclave is configured to fetch secrets from the APM, the Anjuna SGX Runtime will automatically authenticate using the enclave’s attestation quote.
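The following is an added, self-contained model of the whole chain described on this page: the measurement (MRENCLAVE), the signer hash (MRSIGNER), the launch check, the signed attestation quote, and an attestation-aware policy like the one a secret manager would apply. It is example code written for this page, not Anjuna's code and not the Intel® SGX implementation. It assumes a toy RSA key built from small Mersenne primes as a stand-in both for the organization's enclave signing key and for the platform's quoting key (real SGX uses RSA-3072 for the enclave signature and an Intel-rooted key for quotes), and it reduces the SHA-256 digest modulo the toy modulus, which is only acceptable in a demonstration. All enclave page contents, key material and report data are constructed here.

```python
import hashlib
from dataclasses import dataclass

# --- Toy RSA: stand-in for the real signing/quoting keys. NOT secure. ---
E = 65537
ORG_PRIMES = (2**61 - 1, 2**89 - 1)      # Mersenne primes; gcd(E, phi) == 1
QUOTING_PRIMES = (2**107 - 1, 2**127 - 1)
ROGUE_PRIMES = (2**31 - 1, 2**61 - 1)    # a second, untrusted signer

def toy_keypair(p: int, q: int):
    """Return (public, private) = ((n, e), (n, d)); toy key, not production RSA."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def toy_sign(priv, digest: bytes) -> int:
    n, d = priv
    return pow(int.from_bytes(digest, "big") % n, d, n)   # digest reduced mod n: toy only

def toy_verify(pub, digest: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == int.from_bytes(digest, "big") % n

# --- Step 1/2: the measurement and the signer hash ---
def measure_enclave(pages: list) -> bytes:
    """MRENCLAVE: a hash over the enclave memory, page by page, in load order.
    (Real SGX also folds per-page attributes into the measurement.)"""
    h = hashlib.sha256()
    for offset, page in enumerate(pages):
        h.update(offset.to_bytes(8, "little"))
        h.update(page)
    return h.digest()

def signer_hash(pub) -> bytes:
    """MRSIGNER: the hash of the signer's public key (here: SHA-256 of the modulus)."""
    n, _ = pub
    return hashlib.sha256(n.to_bytes(64, "little")).digest()

@dataclass(frozen=True)
class Enclave:
    mrenclave: bytes
    mrsigner: bytes

def launch_enclave(pages: list, signer_pub, signature: int) -> Enclave:
    """Models the SGX infrastructure: recompute the measurement and refuse to
    start unless the supplied signature over it verifies under signer_pub."""
    mr = measure_enclave(pages)
    if not toy_verify(signer_pub, mr, signature):
        raise PermissionError("enclave signature does not match its measurement")
    return Enclave(mr, signer_hash(signer_pub))

# --- The attestation quote: identity + report data, signed by the platform ---
def _quote_body(mrenclave: bytes, mrsigner: bytes, report_data: bytes) -> bytes:
    return mrenclave + mrsigner + report_data

def generate_quote(enclave: Enclave, report_data: bytes, quoting_priv) -> dict:
    """64 bytes of enclave-chosen report data (e.g. its public key) are bound in."""
    report_data = report_data.ljust(64, b"\0")[:64]
    body = _quote_body(enclave.mrenclave, enclave.mrsigner, report_data)
    return {"mrenclave": enclave.mrenclave, "mrsigner": enclave.mrsigner,
            "report_data": report_data,
            "signature": toy_sign(quoting_priv, hashlib.sha256(body).digest())}

def verify_quote(quote: dict, quoting_pub) -> bool:
    body = _quote_body(quote["mrenclave"], quote["mrsigner"], quote["report_data"])
    return toy_verify(quoting_pub, hashlib.sha256(body).digest(), quote["signature"])

# --- An attestation-aware policy, as a secret manager would apply it ---
def policy_allows(quote: dict, quoting_pub, trusted_signers: set,
                  allowed_enclaves=None) -> bool:
    """Release a secret only for a genuine quote from a trusted MRSIGNER and,
    if an allowlist is given, a specific MRENCLAVE."""
    if not verify_quote(quote, quoting_pub):
        return False
    if quote["mrsigner"] not in trusted_signers:
        return False
    return allowed_enclaves is None or quote["mrenclave"] in allowed_enclaves

def demo() -> dict:
    org_pub, org_priv = toy_keypair(*ORG_PRIMES)
    q_pub, q_priv = toy_keypair(*QUOTING_PRIMES)
    rogue_pub, rogue_priv = toy_keypair(*ROGUE_PRIMES)
    app_a = [b"code: serve requests", b"data: config v1"]   # constructed enclave images
    app_b = [b"code: serve requests", b"data: config v2"]   # one byte differs

    enclave_a = launch_enclave(app_a, org_pub, toy_sign(org_priv, measure_enclave(app_a)))
    enclave_b = launch_enclave(app_b, org_pub, toy_sign(org_priv, measure_enclave(app_b)))
    try:   # app_b image presented with app_a's signature: refused at launch
        launch_enclave(app_b, org_pub, toy_sign(org_priv, measure_enclave(app_a)))
        refused = False
    except PermissionError:
        refused = True
    rogue_a = launch_enclave(app_a, rogue_pub, toy_sign(rogue_priv, measure_enclave(app_a)))

    quote_a = generate_quote(enclave_a, b"constructed-enclave-pubkey", q_priv)
    forged = dict(quote_a, mrenclave=enclave_b.mrenclave)     # field edited, signature kept
    trusted = {signer_hash(org_pub)}
    return {
        "same_input_same_measurement": measure_enclave(app_a) == enclave_a.mrenclave,
        "different_input_different_measurement": enclave_a.mrenclave != enclave_b.mrenclave,
        "launch_refused_on_tamper": refused,
        "quote_verifies": verify_quote(quote_a, q_pub),
        "forged_quote_verifies": verify_quote(forged, q_pub),
        "policy_allows_trusted": policy_allows(quote_a, q_pub, trusted, {enclave_a.mrenclave}),
        "policy_allows_rogue_signer": policy_allows(
            generate_quote(rogue_a, b"", q_priv), q_pub, trusted),
        "policy_allows_other_enclave_strict": policy_allows(
            generate_quote(enclave_b, b"", q_priv), q_pub, trusted, {enclave_a.mrenclave}),
        "policy_allows_other_enclave_signer_only": policy_allows(
            generate_quote(enclave_b, b"", q_priv), q_pub, trusted),
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The two policy calls at the end show the choice the text describes: checking MRSIGNER alone admits any enclave the organization has signed (including a new build with a different MRENCLAVE), while adding an MRENCLAVE allowlist pins the secret to one specific application image.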