Manifest and signature files
The rest of this section describes how the enclave measurement and signature files are computed and used with the Anjuna Runtime, as well as the recommended promotion of these pieces of data from development, to testing and up to production.
The manifest file
The manifest file is a configuration file that the Anjuna Runtime uses to configure and build the enclave before it starts running.
Creating the manifest file during the development process
During development the manifest can be created in one of the following ways:
- Explicitly, by running anjuna-compile-manifest on a manifest template.
- Implicitly, by running anjuna-sgxrun, which in turn will run anjuna-compile-manifest against a manifest template, and then run the process in an enclave.
anjuna-compile-manifest creates the manifest file from a manifest template file.
The Anjuna tools provide a default manifest template.
There are cases where the default template is not enough and needs some fine-tuning for the software to run successfully in the enclave. You can provide a manifest template with additional information.
The signature file
The signature file contains the following:
- The signature value from signing the enclave software measurement with a certain signing key.
- The public key that matches the private key that was used to sign the enclave measurements.
- A subset of the enclave attributes, for example, determining whether to run in debug or production mode.
Creating the signature file during the development process
During development the signature file can be created in one of the following ways:
- Explicitly, by running anjuna-sign.
- Implicitly, by running anjuna-sgxrun, which in turn will run anjuna-sign, and then run the process in an enclave.
Using the manifest and signature files
When running software inside an enclave, using Anjuna Runtime, the manifest and the signature files are used. The code expects to find these files in the current working directory from which the anjuna-runtime is started.
For example:
If you run the command anjuna-runtime /usr/bin/python3 my_app.py from the directory ~user/my_app, then Anjuna Runtime looks for the following files in that same directory (~user/my_app):
- The manifest file, python3.manifest.sgx
- The signature file, python3.sig
The anjuna-runtime then creates the enclave, builds the enclave according to the data in the manifest file, provides the signature to the Intel® SGX infrastructure and asks the Intel® SGX infrastructure to start the enclave.
Another way to run software in the enclave is using anjuna-sgxrun.
anjuna-sgxrun is a script that wraps anjuna-runtime and, in the case where the manifest or signature files do not exist or are deemed outdated, creates them by calling the relevant tools, as mentioned earlier.
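A pre-launch check for the two files described above, as an added example (not Anjuna's code). The naming rule (executable basename plus .manifest.sgx and .sig) is generalized from the python3 example on this page, and the permission and staleness checks are assumptions of this example, not the logic anjuna-sgxrun uses to decide that a file is outdated.

```shell
#!/bin/sh
# Pre-launch check for the files anjuna-runtime reads from its working directory.
# Assumption: names are <basename of executable>.manifest.sgx and <basename>.sig,
# generalized from the page's python3 example.
# Return codes (this example's own convention):
#   0 ok, 1 missing or empty file, 2 signature older than manifest,
#   3 file writable by group or others

preflight() {
    dir=$1                          # directory the runtime will be started from
    base=$(basename -- "$2")        # e.g. /usr/bin/python3 -> python3
    manifest="$dir/$base.manifest.sgx"
    sig="$dir/$base.sig"

    for f in "$manifest" "$sig"; do
        if [ ! -f "$f" ] || [ ! -s "$f" ]; then
            echo "preflight: missing or empty: $f" >&2
            return 1
        fi
    done

    # These files decide how the enclave is built and which signature is
    # presented, so they should not be writable by group or others.
    loose=$(find "$manifest" "$sig" \( -perm -020 -o -perm -002 \) -print)
    if [ -n "$loose" ]; then
        echo "preflight: writable by group/others: $loose" >&2
        return 3
    fi

    # Assumed staleness rule: a manifest modified after the signature file was
    # written means the signature may not cover the current manifest.
    if [ -n "$(find "$manifest" -newer "$sig" -print)" ]; then
        echo "preflight: $sig is older than $manifest" >&2
        return 2
    fi
    return 0
}

# Usage (from the application directory):
#   preflight "$PWD" /usr/bin/python3 && anjuna-runtime /usr/bin/python3 my_app.py
```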