SGX Identity

SgxIdentity

A high-level representation of the identity of an SGX enclave, which includes the properties of its code identity (sgx.CodeIdentity) and the security-relevant properties of its execution environment (sgx.MachineConfiguration).

| Field | Type | Description |
| --- | --- | --- |
| code_identity | asylo.sgx.CodeIdentity | Required. |
| machine_configuration | asylo.sgx.MachineConfiguration | Required. |

SgxIdentityExpectation

A verifier’s expectation on an SgxIdentity.

| Field | Type | Description |
| --- | --- | --- |
| reference_identity | SgxIdentity | Reference identity matched against the target identity per match_spec. Required. |
| match_spec | SgxIdentityMatchSpec | Specification of which fields from the target enclave identity to match. Required. |

SgxIdentityMatchSpec

Specification of which fields from SgxIdentity to match.

| Field | Type | Description |
| --- | --- | --- |
| code_identity_match_spec | asylo.sgx.CodeIdentityMatchSpec | Required. |
| machine_configuration_match_spec | asylo.sgx.MachineConfigurationMatchSpec | Required. |

asylo.sgx.CodeIdentity

An enclave’s code identity as specified by the SGX architecture. Some of the fields in this proto are required fields, while others are optional fields (this is indicated in the comments for individual fields). If a required field is missing, then the entire proto is considered invalid. On the other hand, it is OK for an optional field to be missing, if the enclave identity verifier does not care about matching that particular field (as specified by the CodeIdentityMatchSpec proto).

| Field | Type | Description |
| --- | --- | --- |
| mrenclave | Sha256HashProto | SHA256 hash of a string representing the enclave build process (see Intel Software Developer’s Manual for further explanation). Optional. |
| signer_assigned_identity | asylo.sgx.SignerAssignedIdentity | Identity assigned by the signer of the enclave to this enclave. Required. |
| miscselect | uint32 | Extended information about the enclave (see Intel Software Developer’s Manual for details). Required. |
| attributes | asylo.sgx.Attributes | ATTRIBUTES bit vector defined by SGX architecture. It holds various potentially security-sensitive attributes of the enclave. Required. |

asylo.sgx.CodeIdentityMatchSpec

Specification of which fields from CodeIdentity to match.

| Field | Type | Description |
| --- | --- | --- |
| is_mrenclave_match_required | bool | Flag indicating whether to perform a match on MRENCLAVE. Required. |
| is_mrsigner_match_required | bool | Flag indicating whether to perform a match on MRSIGNER. Required. |
| miscselect_match_mask | uint32 | Mask indicating which bits from MISCSELECT must be matched. A value of one in a bit position implies the corresponding bit in MISCSELECT must be matched. Value of zero implies the corresponding bit must be ignored. Note that this is a required field. If this field is skipped, no CodeIdentity will match this identity expectation. Required. |
| attributes_match_mask | asylo.sgx.Attributes | Mask indicating which bits from ATTRIBUTES should be matched. Semantics similar to the miscselect mask. Note that this is a required field. If this field is skipped, no CodeIdentity will match this identity expectation. Required. |
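
The match semantics described above, sketched as an added C++ example (not Asylo's own code or generated proto classes): a target identity is compared with a reference identity under a match spec, and a mask that ignores the DEBUG attribute bit is shown accepting a debug enclave that a strict mask rejects. Assumptions: the structs are hypothetical stand-ins for the messages, MRSIGNER is taken to live inside signer_assigned_identity, ATTRIBUTES is simplified to one 64-bit word, and a required match on a missing optional field is treated as a non-match.

```cpp
#include <array>
#include <cstdint>
#include <cstdio>
#include <optional>
// Hypothetical plain structs standing in for the proto messages.
using Hash = std::array<uint8_t, 32>;
constexpr uint64_t kDebugBit = 0x2;  // ATTRIBUTES.DEBUG (bit 1) in the SGX architecture

struct CodeIdentity {
  std::optional<Hash> mrenclave;  // Optional in the proto
  std::optional<Hash> mrsigner;   // assumed to sit inside signer_assigned_identity
  uint32_t miscselect = 0;
  uint64_t attributes = 0;        // simplified to one 64-bit flags word
};

struct CodeIdentityMatchSpec {
  bool is_mrenclave_match_required = false;
  bool is_mrsigner_match_required = false;
  std::optional<uint32_t> miscselect_match_mask;  // empty models a skipped field
  std::optional<uint64_t> attributes_match_mask;
};
// A measurement matches only if both sides carry it and the bytes are equal.
static bool HashMatches(const std::optional<Hash>& a, const std::optional<Hash>& b) {
  return a.has_value() && b.has_value() && *a == *b;
}

bool MatchCodeIdentity(const CodeIdentity& target, const CodeIdentity& ref,
                       const CodeIdentityMatchSpec& spec) {
  // A skipped mask matches nothing: fail closed.
  if (!spec.miscselect_match_mask || !spec.attributes_match_mask) return false;
  if (spec.is_mrenclave_match_required && !HashMatches(ref.mrenclave, target.mrenclave)) return false;
  if (spec.is_mrsigner_match_required && !HashMatches(ref.mrsigner, target.mrsigner)) return false;
  // Mask bit 1: the bit must be equal. Mask bit 0: the bit is ignored.
  if ((target.miscselect ^ ref.miscselect) & *spec.miscselect_match_mask) return false;
  if ((target.attributes ^ ref.attributes) & *spec.attributes_match_mask) return false;
  return true;
}

int main() {
  CodeIdentity ref;                  // constructed sample values
  ref.mrsigner = Hash{0xAA};
  CodeIdentity debug_build = ref;
  debug_build.attributes = kDebugBit;
  CodeIdentityMatchSpec spec{false, true, 0xFFFFFFFFu, ~uint64_t{0}};
  std::printf("strict mask accepts debug build: %d\n", MatchCodeIdentity(debug_build, ref, spec));
  spec.attributes_match_mask = ~kDebugBit;
  std::printf("mask ignoring DEBUG accepts it:  %d\n", MatchCodeIdentity(debug_build, ref, spec));
}
```

When reviewing an expectation, check which ATTRIBUTES bits its mask leaves at zero, since those bits are not compared at all.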

asylo.sgx.MachineConfiguration

Security-relevant machine configuration properties.

| Field | Type | Description |
| --- | --- | --- |
| cpu_svn | asylo.sgx.CpuSvn | Optional. |
| sgx_type | asylo.sgx.SgxType | Optional. |

asylo.sgx.MachineConfigurationMatchSpec

Specification of which fields from MachineConfiguration to match.

| Field | Type | Description |
| --- | --- | --- |
| is_cpu_svn_match_required | bool | Required. |
| is_sgx_type_match_required | bool | Required. |