Identifying the Software in Intel® SGX

The Enclave Software Measurement

Running a process inside an Intel® SGX Enclave includes, among others, the following steps:

  1. Constructing the process code and data in the enclave memory.

  2. Computing the enclave software measurement.

  3. Starting the enclave.

The enclave software measurement is a hash over the enclave memory as it was set up in step 1 above.
This measurement is always the same for the same application.
This measurement is always different for two different applications.

In Intel® SGX terminology, the enclave measurement is referred to as MRENCLAVE.

The Enclave Signature

An organization should have a private key, used for signing, with which it signs the software measurements of its enclaves. As explained later in this document, this provides a way to verify that a running enclave comes from your organization.
Signing the enclave measurement with this signing key produces the enclave signature.

In Intel® SGX terminology, MRSIGNER is the hash of the public key corresponding to the private key used for signing.

The Enclave Attestation Quote

When running an enclave in Intel® SGX, the following happens:

  1. Constructing the process code and data in the enclave memory.

  2. Providing the signature and the public key to the Intel® SGX infrastructure.

  3. Asking the Intel® SGX infrastructure to start the enclave.

  4. The Intel® SGX infrastructure in turn does the following:

    1. Computes the enclave software measurement.

    2. Ensures that the provided signed measurement and public key match the actual computed software measurement of the enclave.
      If they match, the Intel® SGX infrastructure holds two additional values for that enclave:

      • The enclave software measurement - MRENCLAVE.

      • The hash of the public key - MRSIGNER.

    3. Starts running the software in the enclave.

Upon request, the Intel® SGX infrastructure generates an attestation quote.
This attestation quote is a cryptographically signed document that contains the following:

  1. Proof that this attestation quote is coming from an Intel® SGX Secure Enclave.
    (One cannot create such an attestation quote if not running inside an Intel® SGX Enclave.)

  2. The MRENCLAVE and MRSIGNER values of that enclave.

Because the attestation quote is cryptographically signed, nobody can forge such a quote, or alter its inner fields, such as the MRENCLAVE or MRSIGNER values, without the change being detected.

Closing the Loop - Attestation Aware Services

The value of the attestation quote is achieved when using attestation aware services. These are services that can receive an attestation quote from an enclave, verify that it is a real attestation quote coming from a real Intel® SGX Enclave, and extract the MRENCLAVE and MRSIGNER values.

One example of using an attestation aware service is client software that connects to a server running in an enclave, receives the attestation quote from that enclave, and trusts the connection to that server only if the quote shows the enclave was signed by a specific vendor.

Another example is an attestation aware Key Management System. With such a system one can define a policy that provides a certain secret only to an enclave with a certain MRENCLAVE value and/or a certain MRSIGNER value.
The Anjuna Policy Manager (APM) is one such attestation aware key management system.

Policies that rely on MRSIGNER allow secrets to be provided only if the request comes from an enclave that was signed by a trusted organization, i.e. one that has access to a certain private signing key.

Policies that rely on MRENCLAVE allow secrets to be provided only if the request comes from the specific application that has that specific measurement.
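The following is an added example, not code from this document or from Intel or Anjuna, that models the two things described above in one place: how an attestation aware service verifies a quote and extracts MRENCLAVE and MRSIGNER from it, and how a key management policy releases a secret only to a trusted MRSIGNER and/or a specific MRENCLAVE. Everything in it is a simplification: the quote layout (measurement, signer hash, signature), the use of SHA-256 over a memory image as a stand-in for the real measurement, and an HMAC with a shared key standing in for the attestation infrastructure's quote signature are all constructed for illustration, as are the sample key and memory bytes. A real SGX quote is verified against Intel's attestation key material, not a shared secret.

```python
"""Added example (constructed): verifying a quote and applying a secret-release policy."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import FrozenSet, Optional

MR_LEN = 32          # MRENCLAVE and MRSIGNER are 256-bit values
SIG_LEN = 32         # length of the constructed HMAC-SHA256 stand-in signature

# Constructed stand-in for the key the attestation infrastructure signs quotes with.
QUOTE_SIGNING_KEY = b"example-quote-signing-key (constructed, not a real key)"


def measure_enclave(enclave_memory: bytes) -> bytes:
    """Stand-in for MRENCLAVE: a hash over the enclave's initial memory image."""
    return hashlib.sha256(enclave_memory).digest()


def mrsigner_from_public_key(public_key: bytes) -> bytes:
    """MRSIGNER: the hash of the public key matching the vendor's private signing key."""
    return hashlib.sha256(public_key).digest()


def build_quote(mrenclave: bytes, mrsigner: bytes, signing_key: bytes = QUOTE_SIGNING_KEY) -> bytes:
    """Produce a quote: MRENCLAVE || MRSIGNER || signature over both fields."""
    body = mrenclave + mrsigner
    return body + hmac.new(signing_key, body, hashlib.sha256).digest()


@dataclass(frozen=True)
class VerifiedQuote:
    mrenclave: bytes
    mrsigner: bytes


def verify_quote(quote: bytes, signing_key: bytes = QUOTE_SIGNING_KEY) -> Optional[VerifiedQuote]:
    """Return the quote's fields only if the signature is valid; None on any tampering."""
    if len(quote) != 2 * MR_LEN + SIG_LEN:
        return None
    body, sig = quote[: 2 * MR_LEN], quote[2 * MR_LEN :]
    expected = hmac.new(signing_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None  # forged quote or altered MRENCLAVE/MRSIGNER field
    return VerifiedQuote(mrenclave=body[:MR_LEN], mrsigner=body[MR_LEN:])


@dataclass(frozen=True)
class SecretPolicy:
    """Which signers and/or which exact measurements may receive the secret."""
    allowed_mrsigners: FrozenSet[bytes] = frozenset()   # trusted organisations
    allowed_mrenclaves: FrozenSet[bytes] = frozenset()  # specific application builds


def policy_allows(policy: SecretPolicy, vq: VerifiedQuote) -> bool:
    """Deny by default: a policy must name at least one constraint, and every named one must hold."""
    if not policy.allowed_mrsigners and not policy.allowed_mrenclaves:
        return False
    if policy.allowed_mrsigners and vq.mrsigner not in policy.allowed_mrsigners:
        return False
    if policy.allowed_mrenclaves and vq.mrenclave not in policy.allowed_mrenclaves:
        return False
    return True


def release_secret(quote: bytes, policy: SecretPolicy, secret: bytes) -> Optional[bytes]:
    """What an attestation aware KMS does: verify the quote, then consult the policy."""
    vq = verify_quote(quote)
    if vq is None:
        return None
    return secret if policy_allows(policy, vq) else None


def demo() -> dict:
    """Exercise the flow on constructed inputs; returns the outcomes for inspection."""
    vendor_pub = b"vendor public key bytes (constructed)"
    other_pub = b"some other organisation's public key (constructed)"
    signer, other_signer = mrsigner_from_public_key(vendor_pub), mrsigner_from_public_key(other_pub)
    app_v1 = measure_enclave(b"application v1 code and data (constructed)")
    app_v2 = measure_enclave(b"application v2 code and data (constructed)")

    by_signer = SecretPolicy(allowed_mrsigners=frozenset({signer}))
    by_measurement = SecretPolicy(allowed_mrenclaves=frozenset({app_v1}))
    secret = b"database password (constructed)"

    tampered = bytearray(build_quote(app_v2, signer))
    tampered[0] ^= 0x01  # try to pass app v2 off as a different measurement
    return {
        "v1_by_signer": release_secret(build_quote(app_v1, signer), by_signer, secret),
        "v2_by_signer": release_secret(build_quote(app_v2, signer), by_signer, secret),
        "v2_by_measurement": release_secret(build_quote(app_v2, signer), by_measurement, secret),
        "other_signer": release_secret(build_quote(app_v1, other_signer), by_signer, secret),
        "tampered": release_secret(bytes(tampered), by_signer, secret),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {'released' if outcome else 'denied'}")
```

The MRSIGNER policy releases the secret to both builds from the trusted vendor, the MRENCLAVE policy only to the one exact build, and a quote from another signer or with a modified field is refused before any policy is consulted, which is the property the section above attributes to the signed quote.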