[apache/incubator-teaclave] 关于enclave_signing_key.pem的问题 (Issue #690)

2023-05-05 Thread gjj
编译enclave程序的时候,比如frontend的enclave,我看到脚本sgx_link_sign上是使用了enclave_signing_key.pem 来对其进行签名生成一个签名共享库sign.so. 有两个问题 1、这个enclave_signing_key.pem是在哪里进行生成的没找到?还是说自己线下使用opessl就可以生成 不需要任何sgxsdk的参与? 2、app启动enclave的时候 我看到最后的binder.rs SgxEnclave::create 最后生成了enclave并没有指定enclave_signing_key.pem来生成这个enclave?没

Re: [apache/incubator-teaclave] 关于enclave_signing_key.pem的问题 (Issue #690)

2023-05-05 Thread Hiroki (Haobin) Chen
1. Enclave's signing keys are generated on your own using tools like OpenSSL. This is an RSA asymmetric key pair. The `enclave_signing_key.pem` is the **private key** that is used by the `sgx_sign` tool to generate the signature of the enclave. The private key is crucial for the proof of the ide

Re: [apache/incubator-teaclave] 关于enclave_signing_key.pem的问题 (Issue #690)

2023-05-05 Thread gjj
哦哦 就是在sgx_sign的时候使用enclave_signing_key.pem对其进行签名之后生成的enclave.sign.so/enclave.so这个库里面就自动包含有了enclave_signing_key.pem对应的公钥了是吗? 然后如果是这样的话,那enclave.sign.so/enclave.so这个库文件如果被其他人拿到,那其他人会不会窃取到里面的信息比如里面的程序代码? -- Reply to this email directly or view it on GitHub: https://github.com/apache/incubator-teacl

Re: [apache/incubator-teaclave] 关于enclave_signing_key.pem的问题 (Issue #690)

2023-05-06 Thread Hiroki (Haobin) Chen
Yes, you are correct. The public key is contained in `enclave.signed.so` if properly signed by `sgx_sign`. `enclave.signed.so` itself, however, is not encrypted, so if this shared library is somehow leaked, other unauthorized entities are able to steal the binary's code. -- Reply to this email

Re: [apache/incubator-teaclave] 关于enclave_signing_key.pem的问题 (Issue #690)

2023-05-06 Thread gjj
好的,明白 那还有个问题,你上面说到的当enclave被加载时,硬件会进行验证,被篡改的enclave.so会被拒绝。这个过程是怎么进行的?加载时如果enclave.so被篡改了,那里面的公钥也会跟着发生变化,然后硬件验证的时候会使用签名时的私钥对这个公钥进行验证,是这样吗还是? -- Reply to this email directly or view it on GitHub: https://github.com/apache/incubator-teaclave/issues/690#issuecomment-1537080825 You are receiving this

Re: [apache/incubator-teaclave] 关于enclave_signing_key.pem的问题 (Issue #690)

2023-05-06 Thread Hiroki (Haobin) Chen
You are kindly referred to these materials for in-depth details: * [overview-signing-whitelisting-intel-sgx-enclaves.pdf](https://www.intel.com/content/dam/develop/external/us/en/documents/overview-signing-whitelisting-intel-sgx-enclaves.pdf). * [Intel SGX explained](https://eprint.iacr.org/2016/

Re: [apache/incubator-teaclave] 关于enclave_signing_key.pem的问题 (Issue #690)

2023-05-09 Thread gjj
Closed #690 as completed. -- Reply to this email directly or view it on GitHub: https://github.com/apache/incubator-teaclave/issues/690#event-9185281143 You are receiving this because you are subscribed to this thread. Message ID:

Re: [apache/incubator-teaclave] 关于enclave_signing_key.pem的问题 (Issue #690)

2023-05-09 Thread gjj
ok thanks~ -- Reply to this email directly or view it on GitHub: https://github.com/apache/incubator-teaclave/issues/690#issuecomment-1537587042 You are receiving this because you are subscribed to this thread. Message ID: