Production Signing Fortanix Confidential Computing Manager Application Enclaves

Introduction

This article will describe how to use the "enclaveos-signer" application for production signing Fortanix Confidential Computing Manager (CCM) converted containers.

Enclaveos-signer

enclaveos-signer is an independent utility to sign Fortanix CCM converted containers with your Intel enclave production signing key. Please follow code-signing guidelines/rituals from your organization while using this tool.

Prerequisites

  1. Request a production enclave signing key from Intel to sign production enclaves. Follow the instructions in the URL below to submit a request to Intel.
    https://software.intel.com/en-us/sgx/request-license
  2. Also, you would have to assign ISVSVN and ISVPRODID parameters for your application. The Intel SGX documentation below provides more information on these fields.
    https://software.intel.com/en-us/blogs/2016/12/20/overview-of-an-intel-software-guard-extensions-enclave-life-cycle

Installation

The application requires a python3 environment (3.6 or older) on your system. You should install pip3 package manager.

sudo apt-get -y install python3-pip

 Install the dependencies for enclaveos-signer.

pip3 install -r requirements.txt

Production Signing Workflow

enclaveos-signer works with Fortanix CCM converted container images. You can use the tool to sign a converted container by providing the input container image and enclave signing keys to the command line. Please use the tool to help you get started with the flow.

chmod +x enclaveos-signer
./enclaveos-signer -h

The application can be signed with debug keys for running in SGX debug mode. The URL below has more details from Intel on debugging and production enclaves:

https://software.intel.com/en-us/blogs/2016/01/07/intel-sgx-debug-production-prelease-whats-the-difference

During the signing process, we generate an Enclave Signature of the application. Enclave Signature generation is described in the Intel SGX documentation here:

https://software.intel.com/en-us/node/702979

Production enclaves require valid Intel enclave signing keys enforced by CPU and IAS remote attestation. Please use debug enclaves if you need to just test the enclave-signer flow with your converted applications.

Here is a brief description of enclave-signer input parameter :

  • The Enclave Author’s Public Key - This can be the production or debug key used for enclave signatures.
  • The Security Version Number of the Enclave (ISVSVN) – The enclave author assigns a Security Version Number (SVN) to each version of an enclave.
  • The Product ID of the Enclave (ISVPRODID) - The enclave author also assigns a Product ID to each enclave.

Sample Signing Request for Debug Enclaves

To generate a debug signing key (RSA private key size 3072-bit):

openssl genrsa -3 -out private_rsa_key.pem 3072
./enclaveos-signer --container <registery>/converter-app-sgx-output <registery>/app-sgx-production --isvsvn <version num> --isvprodid <produt id> -key <path to signing key>

Sample Signing Request for Production Enclaves

./enclaveos-signer --container <registery>/converter-app-sgx-output <registery>/app-sgx-production --isvsvn <version num> --isvprodid <produt id> --production -key <path to signing key>
Was this article helpful?
0 out of 0 found this helpful