Enclave Debug and Production Modes
One of the enclave attributes, which is defined in the manifest file, indicates whether the enclave should run in debug or production mode.
When running in debug mode, a debugger can read from and write to the enclave memory. This makes it possible to debug the process running in the enclave.
When running in production mode, the hardware prevents any access to the enclave memory.
To set the enclave to run in debug mode, set the value of the is_production flag in the manifest template to “false”, which is the default.
To set the enclave to run in production mode, set the value of the is_production flag in the manifest template to “true”.
You should make sure that the manifest and signature files that are being promoted to production have the is_production flag set to “true”.
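A pre-promotion check for the rule above, as an added example that is not part of the original page or the product's own tooling. It assumes the manifest template stores the flag as an `is_production: <value>` or `is_production = <value>` line (the page does not show the syntax); the function names and sample manifests are constructed for illustration, and only the manifest template is checked, not the signature file.

```python
import re

# Assumption: the flag appears as "is_production: true" or "is_production = true"
# (optionally quoted). The page does not show the manifest syntax; adapt the regex.
_FLAG = re.compile(r"""^\s*is_production\s*[:=]\s*["'“]?(\w+)["'”]?\s*(?:#.*)?$""")


def enclave_mode(manifest_text):
    """Return 'production' or 'debug' for a manifest template's text."""
    # Commented-out lines never match, because the key must start the line.
    values = [m.group(1).lower()
              for m in map(_FLAG.match, manifest_text.splitlines()) if m]
    if not values:
        return "debug"  # flag absent: the default is "false", i.e. debug mode
    if len(set(values)) > 1:
        raise ValueError("conflicting is_production values: %s" % values)
    if values[0] not in ("true", "false"):
        raise ValueError("unrecognized is_production value: %r" % values[0])
    return "production" if values[0] == "true" else "debug"


def ready_for_production(manifest_text):
    """Gate for promotion: only an explicit, unambiguous 'true' passes."""
    try:
        return enclave_mode(manifest_text) == "production"
    except ValueError:
        return False  # fail closed on ambiguous or malformed flags


# Constructed sample manifests (keys other than is_production are hypothetical).
SAMPLES = {
    "explicit production": 'name: demo\nis_production: "true"\n',
    "explicit debug": "name: demo\nis_production: false\n",
    "flag missing": "name: demo\n",
    "commented out": "name: demo\n# is_production: true\n",
    "conflicting": "is_production: true\nis_production: false\n",
}

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        verdict = "OK to promote" if ready_for_production(text) else "BLOCK"
        print("%-20s %s" % (label, verdict))
```

The missing-flag and commented-out cases are the ones worth gating on: because the default is “false”, a manifest that never sets the flag produces a debug-mode enclave.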