Currently, graphene only supports one-step signing. Two-step signing is
necessary because the ISV's private key is typically not present on the build
platform. This patch enables two-step signing support in graphene.

The first step: generate the signing material file.
The signing material is signed at the signing facility using the private key.
The signature file is taken back to the build system.

The second step: sign the enclave file using the signature file and public key.

Add three parameters in sgx_sig.py:
  --mode    "gendata" is for two-step signing, to generate the signing material;
            "catsig" is for two-step signing, to sign the enclave file using
            the signature file and public key;
            "sign" is for one-step signing, to sign the enclave file.
            The default mode is "sign", so one-step signing is used
            if mode is not specified.
  --sig     the signature file for the enclave signing material.
  --unsign  the enclave signing material generated by "gendata".
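As an added illustration, not code from this patch or from graphene, the two-step flow modelled with openssl: the build host produces the material and only ever holds the public key, the signing facility signs with the private key, and the build host checks the returned signature against the material before embedding it. File names, the material contents and the helper function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the patch: the two-step flow modelled with openssl.
# The build host only ever holds the public key; the private key stays at the
# signing facility. RSA-3072 with SHA-256 follows the SGX SIGSTRUCT convention.
set -e

WORK=$(mktemp -d)

# Signing facility: create the ISV key pair once. Only the public half is
# handed to the build host.
facility_keygen() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 \
        -out "$WORK/isv_private.pem" 2>/dev/null
    openssl pkey -in "$WORK/isv_private.pem" -pubout -out "$WORK/isv_public.pem"
}

# Build host, step 1 (stand-in for "--mode gendata"): write the signing
# material. The content is a constructed sample, not real SIGSTRUCT data.
gendata() {
    printf 'constructed enclave signing material\n' > "$WORK/enclave.unsign"
    echo "$WORK/enclave.unsign"
}

# Signing facility: sign the material (SHA-256, PKCS#1 v1.5) with the private key.
facility_sign() {
    openssl dgst -sha256 -sign "$WORK/isv_private.pem" \
        -out "$WORK/enclave.sig" "$1"
    echo "$WORK/enclave.sig"
}

# Build host, step 2 (stand-in for "--mode catsig --sig ... --unsign ..."):
# verify the returned signature against the public key before embedding it.
# Exit status 0 means the signature covers exactly this material.
catsig_check() {
    openssl dgst -sha256 -verify "$WORK/isv_public.pem" \
        -signature "$2" "$1" >/dev/null 2>&1
}

# Stand-alone run of the three steps.
facility_keygen
MATERIAL=$(gendata)
SIG=$(facility_sign "$MATERIAL")
if catsig_check "$MATERIAL" "$SIG"; then
    echo "signature verified; safe to embed into the enclave"
else
    echo "signature does not match the signing material" >&2
    exit 1
fi
```

The verification in `catsig_check` is the check a build host should refuse to skip: a signature that was produced over different material, or with a key other than the one whose public half is being embedded, is rejected before it ever reaches the enclave file.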
Change-Id: I5d45ed10f06043b2c71a91a7da138b43bb1f36df