Two Step Sign Enclave

To help you develop enclaves, the Intel(R) Software Guard Extensions Eclipse Plug-in generates all required structures, including:

While these structures might be appropriate for development and debugging, you need a two-step process to integrate your own signing scheme for generating production enclaves.

  1. Generate hash: the signer tool generates signing material from the unsigned compiled enclave and from the configuration file for the enclave. The signing material is an opaque sequence of bytes written to a file with the extension .hex. This file is what you hand to your external signing facility. You come back with a signature over the .hex file plus the public key of your signing facility, and proceed to Step 2.
  2. Generate signed enclave: the signer tool combines the unsigned enclave, the signature and the public key into the final signed enclave.

To complete this task, provide the following input parameters:

If the parameters are consistent, the production signed enclave is produced.
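The same two-step flow driven from the shell, as an added example that is not part of this page or of the Eclipse plug-in. It assumes the Intel SGX SDK's sgx_sign tool is on PATH and stands in for the external signing facility with openssl and a local RSA-3072 key; the file names (enclave_hash.hex, private.pem, public.pem, enclave_hash.sig, enclave.signed.so) are assumptions. Between the two steps it checks what came back from the signing facility: that the signature verifies over exactly the .hex material that was sent out, and that the key is RSA-3072 with public exponent 3, which is what SGX requires of an enclave signing key.

```shell
#!/bin/sh
# Two-step (offline) enclave signing from the shell instead of the Eclipse
# plug-in. Added example: assumes sgx_sign (Intel SGX SDK) is on PATH and
# uses openssl with a local RSA-3072 key in place of the external facility.
set -eu

# Refuse to start unless both inputs of step 1 exist: the unsigned enclave
# built in SGX Hardware Release mode and its enclave configuration XML.
check_inputs() {
  for f in "$1" "$2"; do
    if [ ! -f "$f" ]; then
      echo "missing input: $f" >&2
      return 1
    fi
  done
  return 0
}

# Step 1 (Generate Hash): sgx_sign writes the opaque signing material to .hex.
gen_hash() {
  sgx_sign gendata -enclave "$1" -config "$2" -out "$3"
}

# Stand-in for the external signing facility. A real HSM or signing service
# receives only the .hex file and returns a signature plus its public key.
external_sign() {
  hexfile="$1"; privkey="$2"; pubkey="$3"; sig="$4"
  # SGX enclave signing keys must be RSA-3072 with public exponent 3.
  [ -f "$privkey" ] || openssl genrsa -3 -out "$privkey" 3072
  openssl rsa -in "$privkey" -pubout -out "$pubkey"
  openssl dgst -sha256 -sign "$privkey" -out "$sig" "$hexfile"
}

# Before step 2, confirm that what came back is a valid signature over exactly
# the material that was sent out, and that the key meets the SGX requirements.
verify_material() {
  hexfile="$1"; pubkey="$2"; sig="$3"
  openssl dgst -sha256 -verify "$pubkey" -signature "$sig" "$hexfile" >/dev/null
  keytext=$(openssl rsa -pubin -in "$pubkey" -text -noout)
  echo "$keytext" | grep -q 'Public-Key: (3072 bit)' \
    || { echo "key is not RSA-3072" >&2; return 1; }
  echo "$keytext" | grep -q 'Exponent: 3 ' \
    || { echo "public exponent is not 3" >&2; return 1; }
}

# Step 2 (Generate Signed Enclave): sgx_sign combines the unsigned enclave,
# the config, the .hex material, the returned signature and the public key.
cat_sig() {
  sgx_sign catsig -enclave "$1" -config "$2" -unsigned "$3" \
    -sig "$4" -key "$5" -out "$6"
}

main() {
  enclave="$1"; config="$2"; out="${3:-enclave.signed.so}"
  check_inputs "$enclave" "$config"
  gen_hash "$enclave" "$config" enclave_hash.hex
  external_sign enclave_hash.hex private.pem public.pem enclave_hash.sig
  verify_material enclave_hash.hex public.pem enclave_hash.sig
  cat_sig "$enclave" "$config" enclave_hash.hex enclave_hash.sig public.pem "$out"
  echo "signed enclave written to $out"
}

# Usage: sh two_step_sign.sh enclave.so Enclave.config.xml [enclave.signed.so]
[ "$#" -eq 0 ] || main "$@"
```

In a production setup the private key never exists on the build machine: only the .hex file leaves, and only the signature and public key come back, so external_sign is the part you replace with your own facility while the verify_material check stays in place before catsig runs.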

NOTE:

If you generate the signed enclave right after generating the hash, you enter only the parameters specific to generating the signed enclave.

To use the two-step signing function, activate the SGX Hardware Release configuration. When this configuration is active, the compilation does not produce a signed enclave, unlike the other SGX configurations; it produces only unsigned enclaves.

Configure SGX Hardware Release Mode

When you configure the plug-in in SGX Hardware Release Mode, the Generate Hash and Generate Signed Enclave options appear under Software Guard Extension Tools->Two Step Sign Enclave.

Two Step Sign Enclave Menu