
39-6 Vol. 3D

ENCLAVE OPERATION

The values of the Measurement Registers are included in attestations to identify the enclave to remote parties. The 
MRs are also included in most keys, binding keys to enclaves with specific MRs. 

39.4.1.1   MRENCLAVE

MRENCLAVE is a unique 256-bit value that identifies the code and data loaded into the enclave during the 
initial launch. It is computed as a SHA-256 hash that is initialized by the ECREATE leaf function. The EADD and 
EEXTEND leaf functions record information about each page and the content of those pages. The EINIT leaf function 
finalizes the hash, which is stored in SECS.MRENCLAVE. Any tampering with the build process, the contents of a 
page, page permissions, etc. will result in a different MRENCLAVE value. 
Figure 39-2 illustrates a simplified flow of changes to the MRENCLAVE register when building an enclave:

• Enclave creation with ECREATE.

• Copying a non-enclave source page into the EPC of an un-initialized enclave with EADD.

• Updating MRENCLAVE twice after the enclave's page content has been modified, i.e., EEXTEND twice.

• Finalizing the enclave build with EINIT.

Details on specific values inserted in the hash are available in the individual instruction definitions.
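The following Python model, added here and not taken from the SDM or any SGX implementation, walks the ECREATE -> EADD/EEXTEND -> EINIT flow with a running SHA-256 standing in for SECS.MRENCLAVE. The record layouts it hashes (the "ECREATE\0" / "EADD\0" / "EEXTEND\0" tags, the field widths, the 256-byte chunk size per EEXTEND) are this example's own assumptions, chosen only so that each measured attribute lands in the hash; the real encodings are in the instruction definitions. The sample pages are constructed. It shows the property the text states: an identical build reproduces the measurement, while a changed byte, a changed permission, a reordered page or a skipped EEXTEND each yield a different value.

```python
import hashlib
from dataclasses import dataclass
from typing import List

PAGE_SIZE = 4096
CHUNK = 256  # assumption for this model: one 256-byte chunk measured per EEXTEND


@dataclass(frozen=True)
class Page:
    offset: int   # page offset inside the enclave
    perms: str    # page permissions, e.g. "r-x"; part of the measured metadata
    data: bytes   # PAGE_SIZE bytes of source content


class Measurement:
    """Running SHA-256 standing in for SECS.MRENCLAVE (simplified model, not the SDM encoding)."""

    def __init__(self) -> None:
        self._h = None

    def ecreate(self, size: int, ssa_frame_size: int) -> None:
        # SHA_INIT: start the hash with the enclave creation parameters
        self._h = hashlib.sha256()
        self._h.update(b"ECREATE\0" + size.to_bytes(8, "little")
                       + ssa_frame_size.to_bytes(4, "little"))

    def eadd(self, page: Page) -> None:
        # SHA_UPDATE with the page metadata (offset, permissions), not its content
        self._h.update(b"EADD\0" + page.offset.to_bytes(8, "little")
                       + page.perms.encode().ljust(8, b"\0"))

    def eextend(self, page: Page, chunk_index: int) -> None:
        # SHA_UPDATE with the chunk metadata, then the chunk's bytes of content
        start = chunk_index * CHUNK
        self._h.update(b"EEXTEND\0" + (page.offset + start).to_bytes(8, "little"))
        self._h.update(page.data[start:start + CHUNK])

    def einit(self) -> bytes:
        # SHA_FINAL: freeze the measurement; no further updates are possible
        digest = self._h.digest()
        self._h = None
        return digest


def build_enclave(pages: List[Page], measure_all_chunks: bool = True) -> str:
    """Run the ECREATE -> EADD/EEXTEND -> EINIT flow and return the measurement as hex."""
    m = Measurement()
    m.ecreate(size=1 << 20, ssa_frame_size=1)
    for page in pages:
        m.eadd(page)
        chunks = PAGE_SIZE // CHUNK if measure_all_chunks else 1
        for i in range(chunks):
            m.eextend(page, i)
    return m.einit().hex()


def make_page(offset: int, perms: str, fill: bytes) -> Page:
    # constructed sample page: repeat a short pattern up to PAGE_SIZE bytes
    data = (fill * (PAGE_SIZE // len(fill) + 1))[:PAGE_SIZE]
    return Page(offset, perms, data)


def tamper_results() -> dict:
    """Compare a baseline build against builds that differ in exactly one measured detail."""
    code = make_page(0x0000, "r-x", b"enclave-code-v1!")   # constructed code page
    data = make_page(0x1000, "rw-", b"constructed-config;")  # constructed data page
    baseline = build_enclave([code, data])

    flipped = make_page(0x0000, "r-x", b"enclave-code-v2!")  # one byte of content changed
    writable = make_page(0x0000, "rwx", code.data)            # same bytes, write permission added
    return {
        "baseline": baseline,
        "rebuilt_identical": build_enclave([code, data]),
        "content_changed": build_enclave([flipped, data]),
        "perms_changed": build_enclave([writable, data]),
        "order_changed": build_enclave([data, code]),
        "partially_measured": build_enclave([code, data], measure_all_chunks=False),
    }


if __name__ == "__main__":
    for name, mr in tamper_results().items():
        print(f"{name:>20}: {mr}")
```

Because EADD hashes only metadata and EEXTEND hashes content, a page whose content is never extended contributes its offset and permissions but not its bytes to the measurement; the `partially_measured` case makes that gap visible, which is why a verifier comparing MRENCLAVE values must trust the enclave builder to have extended every page it cares about.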

39.4.1.2   MRSIGNER

Each enclave is signed using a 3072-bit RSA key. The signature is stored in the SIGSTRUCT. In the SIGSTRUCT, the 
enclave's signer also assigns a product ID (ISVPRODID) and a security version (ISVSVN) to the enclave. 
MRSIGNER is the SHA-256 hash of the signer's public key.
In attestation, MRSIGNER can be used to allow software to approve an enclave based on its author rather than 
maintaining a list of MRENCLAVE values. It is used in key derivation to allow software to create a lineage of an 
application. By signing multiple enclaves with the same key, the enclaves will share the same keys and data. Combined 
with security version numbering, the author can release multiple versions of an application which can access keys 
for previous versions, but not future versions of that application.
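The following Python model, added here and not taken from the SDM or any SGX implementation, shows the lineage property described above. MRSIGNER is computed as the page states (SHA-256 over the signer's public key, which the model represents by its modulus bytes); the HMAC-based key derivation, the platform root secret, the vendor keys and the `Enclave` class are this example's own constructions and stand in for the real EGETKEY derivation, whose inputs are not described on this page. The SVN policy it enforces is the one in the text: an enclave may derive keys for its own or any earlier security version, never a later one.

```python
import hashlib
import hmac


def mrsigner(public_key: bytes) -> bytes:
    """MRSIGNER: SHA-256 of the signer's public key (here, the modulus bytes)."""
    return hashlib.sha256(public_key).digest()


def derive_key(root: bytes, signer: bytes, isvprodid: int, isvsvn: int) -> bytes:
    # Simplified signer-bound derivation (assumption, stand-in for EGETKEY):
    # the key depends on MRSIGNER, ISVPRODID and the requested ISVSVN, not on MRENCLAVE.
    msg = b"SEAL\0" + signer + isvprodid.to_bytes(2, "little") + isvsvn.to_bytes(2, "little")
    return hmac.new(root, msg, hashlib.sha256).digest()


class Enclave:
    """An enclave as seen through its SIGSTRUCT identity: signer key, ISVPRODID, ISVSVN."""

    def __init__(self, signer_key: bytes, isvprodid: int, isvsvn: int, code: bytes):
        self.mrsigner = mrsigner(signer_key)
        self.isvprodid = isvprodid
        self.isvsvn = isvsvn
        self.mrenclave = hashlib.sha256(code).digest()  # placeholder for the build measurement

    def seal_key(self, root: bytes, requested_svn: int) -> bytes:
        # Policy from the text: keys for previous versions are reachable, future ones are not
        if requested_svn > self.isvsvn:
            raise PermissionError(f"ISVSVN {self.isvsvn} cannot request SVN {requested_svn}")
        return derive_key(root, self.mrsigner, self.isvprodid, requested_svn)


# constructed values: a platform root secret and two signers' public keys (384 bytes = 3072 bits)
ROOT = hashlib.sha256(b"constructed platform root secret").digest()
VENDOR_A_KEY = hashlib.sha256(b"constructed vendor A modulus").digest() * 12
VENDOR_B_KEY = hashlib.sha256(b"constructed vendor B modulus").digest() * 12


def lineage_demo() -> dict:
    """Two versions of one product signed by vendor A, plus the same product ID signed by vendor B."""
    v1 = Enclave(VENDOR_A_KEY, isvprodid=7, isvsvn=1, code=b"app version 1")
    v2 = Enclave(VENDOR_A_KEY, isvprodid=7, isvsvn=2, code=b"app version 2")
    other = Enclave(VENDOR_B_KEY, isvprodid=7, isvsvn=2, code=b"app version 2")

    try:
        v1.seal_key(ROOT, 2)
        v1_reaches_future = True
    except PermissionError:
        v1_reaches_future = False

    return {
        "same_signer_same_mrsigner": v1.mrsigner == v2.mrsigner,
        "different_code_different_mrenclave": v1.mrenclave != v2.mrenclave,
        "v2_reads_v1_sealed_data": v2.seal_key(ROOT, 1) == v1.seal_key(ROOT, 1),
        "v1_reads_v2_sealed_data": v1_reaches_future,
        "other_signer_shares_key": other.seal_key(ROOT, 1) == v1.seal_key(ROOT, 1),
    }


if __name__ == "__main__":
    for name, result in lineage_demo().items():
        print(f"{name:>36}: {result}")
```

The two measurements play different roles: MRENCLAVE changes with every rebuild, so data sealed to it is lost across an upgrade, while MRSIGNER stays constant across every enclave the vendor signs, so sealing to it lets version 2 read what version 1 stored. The SVN check is what keeps that convenience from working backwards: a rolled-back version 1 binary cannot derive version 2's key, so data sealed by the newer version stays out of reach of the older one.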

Figure 39-2.  Measurement Flow of Enclave Build Process

[Figure: ECREATE -> SHA_INIT -> MRENCLAVE;
 EADD -> SHA_UPDATE (Page Metadata) -> MRENCLAVE;
 EEXTEND -> SHA_UPDATE (Chunk 1 Metadata, Data Chunk 1) -> MRENCLAVE;
 EEXTEND -> SHA_UPDATE (Chunk 2 Metadata, Data Chunk 2) -> MRENCLAVE;
 EINIT -> SHA_FINAL -> MRENCLAVE]