When compiling an enclave program, for example the frontend enclave, I see that the sgx_link_sign script uses enclave_signing_key.pem
to sign it and produce a signed shared library, sign.so.
I have two questions:
1. Where is this enclave_signing_key.pem generated? I could not find it. Or can it simply be generated offline with openssl, without any involvement of the SGX SDK?
2. When the app starts the enclave, I see that binder.rs ends in SgxEnclave::create,
which ultimately creates the enclave without enclave_signing_key.pem being specified anywhere? Doesn't it
1. Enclave's signing keys are generated on your own using tools like OpenSSL.
This is an RSA asymmetric key pair. The `enclave_signing_key.pem` is the
**private key** that is used by the `sgx_sign` tool to generate the signature
of the enclave. The private key is crucial for the proof of the ide
I see.
So after sgx_sign signs it with enclave_signing_key.pem, the resulting enclave.sign.so/enclave.so library automatically contains the public key corresponding to enclave_signing_key.pem, is that right?
And if so, if someone else obtains the enclave.sign.so/enclave.so library file, could they steal the information inside it, such as the program code?
--
Reply to this email directly or view it on GitHub:
https://github.com/apache/incubator-teacl
Yes, you are correct. The public key is contained in `enclave.signed.so` if
properly signed by `sgx_sign`. `enclave.signed.so` itself, however, is not
encrypted, so if this shared library is somehow leaked, other unauthorized
entities are able to steal the binary's code.
OK, understood.
One more question. You said above that when the enclave is loaded, the hardware verifies it and a tampered enclave.so is rejected. How does that process work? If enclave.so has been tampered with at load time, the public key inside it would change as well, and then the hardware verifies this public key using the private key that was used at signing time, is that how it works, or...?
You are kindly referred to these materials for in-depth details:
* [overview-signing-whitelisting-intel-sgx-enclaves.pdf](https://www.intel.com/content/dam/develop/external/us/en/documents/overview-signing-whitelisting-intel-sgx-enclaves.pdf).
* [Intel SGX explained](https://eprint.iacr.org/2016/
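The two answers above (the public key travels inside `enclave.signed.so`, and the CPU rejects a tampered enclave at load time) are easier to follow with a runnable model. The Python below is an added example, not Teaclave or Intel SDK code. For a real enclave the signing key is made with `openssl genrsa -3 -out enclave_signing_key.pem 3072` (SGX requires RSA-3072 with public exponent 3) and the artifact is produced by `sgx_sign sign -key enclave_signing_key.pem -enclave enclave.so -out enclave.signed.so -config Enclave.config.xml`; the model uses a small textbook RSA key and an unpadded signature so it runs offline in an instant, where the real tool uses PKCS#1 v1.5 over the SIGSTRUCT fields. The `SigStruct`, `SignedEnclave`, `sgx_sign`, `mrsigner` and `load_enclave` names and the sample enclave bytes are constructed for the example. The point it shows is that the loader never needs the private key: it verifies the signature with the public key embedded in the file and checks that the code it loads hashes to the signed measurement, so editing the code without the private key fails, and re-signing edited code with a different key changes the signer identity (MRSIGNER, a hash of the public modulus), which is what a launch policy or relying party pins against. The code itself sits in the file unencrypted.

```python
import hashlib
import random
from dataclasses import dataclass

# Toy model of SGX enclave signing and load-time verification (added example,
# not Teaclave/Intel SDK code). Real keys are RSA-3072 with e = 3; the key
# size here is small so the demo runs instantly.

PUBLIC_EXPONENT = 3  # SGX requires e = 3


def _is_probable_prime(n, rounds=24):
    """Miller-Rabin primality test; adequate for a demo key."""
    if n < 2 or n % 2 == 0:
        return n == 2
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if cand % 3 != 1 and _is_probable_prime(cand):  # e = 3 needs gcd(3, p-1) == 1
            return cand


def generate_signing_key(bits=512):
    """Stand-in for enclave_signing_key.pem: returns (modulus, private_exponent)."""
    p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
    return p * q, pow(PUBLIC_EXPONENT, -1, (p - 1) * (q - 1))


@dataclass
class SigStruct:
    modulus: int         # signer's PUBLIC key, shipped inside the signed file
    enclave_hash: bytes  # signed measurement of the code (MRENCLAVE)
    signature: int       # RSA signature over enclave_hash, made with the PRIVATE key


@dataclass
class SignedEnclave:
    code: bytes          # stored in plaintext: anyone holding the file can read it
    sigstruct: SigStruct


def measure(code):
    return hashlib.sha256(code).digest()


def sgx_sign(code, modulus, private_exp):
    """What the sgx_sign tool does: sign the measurement, embed the public key."""
    h = measure(code)
    sig = pow(int.from_bytes(h, "big"), private_exp, modulus)  # unpadded: toy only
    return SignedEnclave(code, SigStruct(modulus, h, sig))


def mrsigner(ss):
    """Signer identity: hash of the public modulus (real MRSIGNER hashes the 384-byte LE modulus)."""
    n_bytes = ss.modulus.to_bytes((ss.modulus.bit_length() + 7) // 8, "little")
    return hashlib.sha256(n_bytes).hexdigest()


def load_enclave(enclave, expected_mrsigner=None):
    """Model of the checks made at enclave init; the private key is never needed."""
    ss = enclave.sigstruct
    # 1. The signature must verify under the public key found in the file itself.
    if pow(ss.signature, PUBLIC_EXPONENT, ss.modulus) != int.from_bytes(ss.enclave_hash, "big"):
        return False, "signature does not verify"
    # 2. The code being loaded must hash to the measurement that was signed.
    if measure(enclave.code) != ss.enclave_hash:
        return False, "measurement mismatch"
    # 3. A launch policy or relying party may additionally pin the signer identity.
    if expected_mrsigner is not None and mrsigner(ss) != expected_mrsigner:
        return False, "unexpected signer"
    return True, "ok"


def demo():
    """Genuine, edited, and edited-then-resigned enclaves under the loader."""
    n, d = generate_signing_key()
    code = b"enclave code: constructed sample bytes"  # constructed sample
    genuine = sgx_sign(code, n, d)
    trusted = mrsigner(genuine.sigstruct)
    # Code edited without the private key: the old SIGSTRUCT no longer matches.
    edited = SignedEnclave(code + b"; modified", genuine.sigstruct)
    # Edited code re-signed with someone else's key: internally consistent,
    # but the embedded public key, and so MRSIGNER, is no longer the trusted one.
    n2, d2 = generate_signing_key()
    resigned = sgx_sign(code + b"; modified", n2, d2)
    return {
        "code_is_readable": b"enclave code" in genuine.code,
        "genuine": load_enclave(genuine, trusted),
        "edited": load_enclave(edited, trusted),
        "resigned_unpinned": load_enclave(resigned),
        "resigned_pinned": load_enclave(resigned, trusted),
    }
```

Running `demo()` returns the genuine enclave as accepted, the edited one rejected with a measurement mismatch, and the re-signed one accepted only when nobody checks who signed it, which is why the signing key's identity, not just a valid signature, is what enclave whitelisting and remote attestation are built on.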
Closed #690 as completed.
ok thanks~