| 1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859 |
- <!--------------------------------------------------------------------------->
- <!-- Copyright (c) 2016 Intel Corporation. -->
- <!-- -->
- <!-- All rights reserved. This program and the accompanying materials -->
- <!-- are made available under the terms of the Eclipse Public License v1.0 -->
- <!-- which accompanies this distribution, and is available at -->
- <!-- http://www.eclipse.org/legal/epl-v10.html -->
- <!-- -->
- <!-- Contributors: -->
- <!-- Intel Corporation - initial implementation and documentation -->
- <!--------------------------------------------------------------------------->
- <?xml version="1.0" encoding="utf-8"?>
- <html xmlns:MadCap="http://www.madcapsoftware.com/Schemas/MadCap.xsd" MadCap:lastBlockDepth="4" MadCap:lastHeight="1991" MadCap:lastWidth="680">
- <head><title>Two Steps Sign Enclave</title>
- <link href="Resources/Stylesheets/intel_css_styles.css" rel="stylesheet" type="text/css" />
- </head>
- <body>
- <h2>Two Steps Sign Enclave</h2>
- <p>To help you develop enclaves, Intel(R) Software Guard Extensions Eclipse Plug-in generates all required structure including:</p>
- <ul>
- <li>c/c++ files and header files</li>
- <li><code>.edl</code> file</li>
- <li><code>*.config.xml</code> file</li>
- <li>a sample Makefile</li>
- <li>a sample signing key</li>
- </ul>
- <p>While these structure might be appropriate for development and debugging, you need a 2-step process to integrate your own signing schema for generating production enclaves.</p>
- <ol>
- <li>Generate hash: the signer tool generates signing material from the unsigned compiled enclave and from the configuration file for the enclave. The signed material comes as an opaque sequence of bytes which are put in a file with extension <code>.hex</code>. This file is used with the external signing facility. You come back with a signature for the <code>.hex</code> file plus the public key of your signing facility, and proceed to Step 2.</li>
- <li>Generate signed enclaves : the signer tool generates the final signed enclave.</li>
- </ol>
- <p>To complete this task, provide the following input parameters:</p>
- <ul>
- <li>The unsigned enclave</li>
- <li>The configuration file</li>
- <li>The output file produced when you generate hash (the <code>.hex</code> file)</li>
- <li>The files produced by the external signing facility: the signature of the .hex file and public key for it</li>
- <li>The plugin checks if the input parameters are consistent:</li>
- <li>The <code>.hex</code> file matches the unsigned enclave and the configuration file,</li>
- <li>The signed material is verified with the public key</li>
- </ul>
- <p>If the parameters are consistenet, the production signed enclave is produced.</p>
- <div class="NoteCont">
- <p class="NoteTipHead">NOTE:</p>
- <p>If you generate signed enclave right after generating hash, you can only enter the parameters specific for generating signed enclave.</p>
- </div>
- <p>To use the two-step signing function, activate the configuration <b>SGX Hardware Release mode</b>. When this configuration is active, the compilation does not produce a signed enclave, as in the other SGX configurations; the process only produces unsigned enclaves.</p>
- <p>
- <img src="Resources/Images/Configure_SGX_Hardware_Release_Mode.png" />
- </p>
- <p class="figcap">Configure SGX Hardware Release Mode</p>
- <p>When you configure the plugin in the <b>SGX Hardware Release Mode</b>, you can see the <b>Generate Hash</b> and <b>Generate Signed Enclave</b> options through <b>Software Guard Extension Tools->Two Step Sign Enclave</b>.</p>
- <p>
- <img src="Resources/Images/Two_Step_Sign_Enclave_Menu.png" />
- </p>
- <p class="figcap">Two Step Sign Enclave Menu</p>
- </body>
- </html>
|
