Posted to dev@teaclave.apache.org by gjj <no...@github.com.INVALID> on 2023/05/06 06:14:19 UTC

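[apache/incubator-teaclave] Question about enclave_signing_key.pem (Issue #690)

When compiling an enclave program, for example the frontend enclave, I see that the sgx_link_sign script uses enclave_signing_key.pem to sign it and produce a signed shared library, sign.so.
I have two questions:
1. Where is this enclave_signing_key.pem generated? I could not find it. Or can I simply generate it offline with openssl, without any involvement of the SGX SDK?

2. When the app starts the enclave, I see that SgxEnclave::create in binder.rs ends up creating the enclave without specifying enclave_signing_key.pem. Does it work without specifying it?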


-- 
Reply to this email directly or view it on GitHub:
https://github.com/apache/incubator-teaclave/issues/690
You are receiving this because you are subscribed to this thread.

Message ID: <ap...@github.com>

Re: [apache/incubator-teaclave] Question about enclave_signing_key.pem (Issue #690)

Posted by gjj <no...@github.com.INVALID>.
ok thanks~

-- 
Reply to this email directly or view it on GitHub:
https://github.com/apache/incubator-teaclave/issues/690#issuecomment-1537587042

Re: [apache/incubator-teaclave] Question about enclave_signing_key.pem (Issue #690)

Posted by gjj <no...@github.com.INVALID>.
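Oh, so the enclave.sign.so/enclave.so library produced by signing with enclave_signing_key.pem at the sgx_sign step automatically contains the public key corresponding to enclave_signing_key.pem, is that right?
If so, if someone else gets hold of the enclave.sign.so/enclave.so library file, could they steal the information inside it, such as the program code?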

-- 
Reply to this email directly or view it on GitHub:
https://github.com/apache/incubator-teaclave/issues/690#issuecomment-1537071234

Re: [apache/incubator-teaclave] Question about enclave_signing_key.pem (Issue #690)

Posted by "Hiroki (Haobin) Chen" <no...@github.com.INVALID>.
Yes, you are correct. The public key is contained in `enclave.signed.so` if properly signed by `sgx_sign`. `enclave.signed.so` itself, however, is not encrypted, so if this shared library is somehow leaked, other unauthorized entities are able to steal the binary's code.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/apache/incubator-teaclave/issues/690#issuecomment-1537076624

Re: [apache/incubator-teaclave] Question about enclave_signing_key.pem (Issue #690)

Posted by gjj <no...@github.com.INVALID>.
Closed #690 as completed.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/apache/incubator-teaclave/issues/690#event-9185281143

Re: [apache/incubator-teaclave] Question about enclave_signing_key.pem (Issue #690)

Posted by "Hiroki (Haobin) Chen" <no...@github.com.INVALID>.
1. The enclave's signing keys are generated on your own using tools like OpenSSL. This is an RSA asymmetric key pair. The `enclave_signing_key.pem` is the **private key** that is used by the `sgx_sign` tool to generate the signature of the enclave. The private key is crucial for the proof of the identity of the enclave provider.
2. We do not need a private key to **verify** the signature, as we use the **public key** instead. The public key is calculated from the private key directly and is embedded in the enclave's measurement; when the enclave is loaded, the hardware will verify the enclave measurement. A tampered `enclave.so` will be rejected.

Hope this helps :)

-- 
Reply to this email directly or view it on GitHub:
https://github.com/apache/incubator-teaclave/issues/690#issuecomment-1537066323

Re: [apache/incubator-teaclave] Question about enclave_signing_key.pem (Issue #690)

Posted by "Hiroki (Haobin) Chen" <no...@github.com.INVALID>.
You are kindly referred to these materials for in-depth details:

* [overview-signing-whitelisting-intel-sgx-enclaves.pdf](https://www.intel.com/content/dam/develop/external/us/en/documents/overview-signing-whitelisting-intel-sgx-enclaves.pdf).
* [Intel SGX explained](https://eprint.iacr.org/2016/086.pdf) where you can find the struct called `SIGSTRUCT`.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/apache/incubator-teaclave/issues/690#issuecomment-1537097875

Message ID: <ap...@github.com>
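
As an added example (not code from this thread or from the Teaclave project), the Python below locates the `SIGSTRUCT` referenced above inside a signed enclave image and derives MRSIGNER, the SHA-256 of the signer's RSA modulus, so a release check can confirm that an `enclave.signed.so` carries the expected public key. Field offsets follow the SIGSTRUCT layout in the Intel SDM; the function names, the 12-byte header match and the sample image are assumptions constructed for the example.

```python
import hashlib
import struct

# SIGSTRUCT per the Intel SDM: 1808 bytes. Assumption: match only HEADER's first 12 bytes.
HEADER = bytes.fromhex("06000000e100000000000100")
HEADER2 = bytes.fromhex("01010000600000006000000001000000")
SIGSTRUCT_LEN = 1808
OFF_HEADER2, OFF_MODULUS, OFF_EXPONENT = 24, 128, 512
OFF_ENCLAVEHASH, OFF_ISVPRODID = 960, 1024


def find_sigstruct(image: bytes) -> bytes:
    """Return the first SIGSTRUCT-shaped region in a signed enclave image."""
    pos = image.find(HEADER)
    while pos != -1:
        cand = image[pos:pos + SIGSTRUCT_LEN]
        if len(cand) == SIGSTRUCT_LEN and cand[OFF_HEADER2:OFF_HEADER2 + 16] == HEADER2:
            return cand
        pos = image.find(HEADER, pos + 1)
    raise ValueError("no SIGSTRUCT found (unsigned image or not an SGX enclave)")


def signer_identity(image: bytes) -> dict:
    """Extract the embedded public key and the identities tied to it."""
    s = find_sigstruct(image)
    modulus = s[OFF_MODULUS:OFF_MODULUS + 384]  # RSA-3072 modulus, little-endian
    (exponent,) = struct.unpack_from("<I", s, OFF_EXPONENT)
    prod_id, svn = struct.unpack_from("<HH", s, OFF_ISVPRODID)
    return {
        "mrsigner": hashlib.sha256(modulus).hexdigest(),  # hash of the public key
        "mrenclave": s[OFF_ENCLAVEHASH:OFF_ENCLAVEHASH + 32].hex(),
        "exponent": exponent, "isv_prod_id": prod_id, "isv_svn": svn,
    }


def signed_by(image: bytes, pinned_mrsigner: str) -> bool:
    """True only if the image carries the expected signer's public key."""
    return signer_identity(image)["mrsigner"] == pinned_mrsigner.lower()


def build_sample(modulus: bytes, enclave_hash: bytes) -> bytes:
    """Constructed test image: filler bytes around a SIGSTRUCT with no real signature."""
    s = bytearray(SIGSTRUCT_LEN)
    s[0:12], s[OFF_HEADER2:OFF_HEADER2 + 16] = HEADER, HEADER2
    s[OFF_MODULUS:OFF_MODULUS + 384] = modulus
    struct.pack_into("<I", s, OFF_EXPONENT, 3)
    s[OFF_ENCLAVEHASH:OFF_ENCLAVEHASH + 32] = enclave_hash
    struct.pack_into("<HH", s, OFF_ISVPRODID, 1, 2)
    return b"\x7fELF" + bytes(60) + bytes(s) + bytes(32)
```

The check only compares the embedded key's hash against a pinned value; it does not verify the RSA signature itself, which is done when the enclave is initialized.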

Re: [apache/incubator-teaclave] Question about enclave_signing_key.pem (Issue #690)

Posted by gjj <no...@github.com.INVALID>.
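OK, understood.
I have one more question. You said above that when the enclave is loaded, the hardware performs verification and a tampered enclave.so will be rejected. How does this process work? If enclave.so has been tampered with at load time, the public key inside it will change as well, and then the hardware verification will use the private key from signing time to verify this public key. Is that right, or is it something else?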

-- 
Reply to this email directly or view it on GitHub:
https://github.com/apache/incubator-teaclave/issues/690#issuecomment-1537080825