SGX Identity

This package defines messages for SGX identity and identity expectations.

SgxIdentity

A high-level representation of the identity of an SGX enclave, which includes the properties of its code identity (sgx.CodeIdentity) and the security-relevant properties of its execution environment (sgx.MachineConfiguration).

| Field | Type | Description | Required |
|---|---|---|---|
| code_identity | CodeIdentity | The enclave’s code identity properties. Required. | No |
| machine_configuration | MachineConfiguration | Describes the security-relevant configuration of the machine on which the enclave is running. Required. | No |

SgxIdentityMatchSpec

Specification of which fields from SgxIdentity to match.

| Field | Type | Description | Required |
|---|---|---|---|
| code_identity_match_spec | CodeIdentityMatchSpec | A specification of which fields from CodeIdentity to match. Required. | No |
| machine_configuration_match_spec | MachineConfigurationMatchSpec | A specification of which fields from MachineConfiguration to match. Required. | No |

SgxIdentityExpectation

A verifier’s expectation on an SgxIdentity.

| Field | Type | Description | Required |
|---|---|---|---|
| reference_identity | SgxIdentity | Reference identity matched against the target identity per match_spec. Required. | No |
| match_spec | SgxIdentityMatchSpec | Specification of which fields from the target enclave identity to match. Required. | No |

asylo.sgx.CodeIdentity

An enclave’s code identity as specified by the SGX architecture. Some of the fields in this proto are required fields, while others are optional fields (this is indicated in the comments for individual fields). If a required field is missing, then the entire proto is considered invalid. On the other hand, it is OK for an optional field to be missing, if the enclave identity verifier does not care about matching that particular field (as specified by the CodeIdentityMatchSpec proto).

| Field | Type | Description | Required |
|---|---|---|---|
| mrenclave | Sha256HashProto | SHA256 hash of a string representing the enclave build process (see Intel Software Developer’s Manual for further explanation). Optional. | No |
| signer_assigned_identity | SignerAssignedIdentity | Identity assigned by the signer of the enclave to this enclave. Required. | No |
| miscselect | uint32 | Extended information about the enclave (see Intel Software Developer’s Manual for details). Required. | No |
| attributes | Attributes | ATTRIBUTES bit vector defined by SGX architecture. It holds various potentially security-sensitive attributes of the enclave. Required. | No |

asylo.sgx.MachineConfiguration

Security-relevant machine configuration properties.

| Field | Type | Description | Required |
|---|---|---|---|
| cpu_svn | CpuSvn | Optional. | No |
| sgx_type | SgxType | Optional. | No |

asylo.sgx.CodeIdentityMatchSpec

Specification of which fields from CodeIdentity to match.

| Field | Type | Description | Required |
|---|---|---|---|
| is_mrenclave_match_required | bool | Flag indicating whether to perform a match on MRENCLAVE. Required. | No |
| is_mrsigner_match_required | bool | Flag indicating whether to perform a match on MRSIGNER. Required. | No |
| miscselect_match_mask | uint32 | Mask indicating which bits from MISCSELECT must be matched. A value of one in a bit position implies the corresponding bit in MISCSELECT must be matched. Value of zero implies the corresponding bit must be ignored. Note that this is a required field. If this field is skipped, no CodeIdentity will match this identity expectation. Required. | No |
| attributes_match_mask | Attributes | Mask indicating which bits from ATTRIBUTES should be matched. Semantics similar to the miscselect mask. Note that this is a required field. If this field is skipped, no CodeIdentity will match this identity expectation. Required. | No |
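
The mask and flag semantics of CodeIdentityMatchSpec above, written out as an added example (not Asylo's implementation). The structs are simplified stand-ins for the proto messages, `Matches` and `DebugBuildAccepted` are hypothetical names, and the hash and attribute values are constructed. It shows why the ATTRIBUTES mask should keep the DEBUG bit (bit 1 in the SGX architecture) set: clearing it lets a debug build of the same code satisfy a production expectation.

```cpp
#include <array>
#include <cstdint>
#include <optional>

// Simplified stand-ins for the messages above (hypothetical, not Asylo's types).
using Hash = std::array<uint8_t, 32>;
struct Attributes { uint64_t flags = 0, xfrm = 0; };  // 128-bit ATTRIBUTES
struct CodeIdentity {
  std::optional<Hash> mrenclave;  // optional per the field table
  std::optional<Hash> mrsigner;   // stands in for signer_assigned_identity
  uint32_t miscselect = 0;
  Attributes attributes;
};
struct CodeIdentityMatchSpec {
  bool is_mrenclave_match_required = false;
  bool is_mrsigner_match_required = false;
  std::optional<uint32_t> miscselect_match_mask;    // skipped => nothing matches
  std::optional<Attributes> attributes_match_mask;  // skipped => nothing matches
};
constexpr uint64_t kAttrDebug = 0x2;  // ATTRIBUTES.DEBUG, bit 1 of flags

// True when `target` agrees with `ref` on every field selected by `spec`.
bool Matches(const CodeIdentity& target, const CodeIdentity& ref,
             const CodeIdentityMatchSpec& spec) {
  if (!spec.miscselect_match_mask || !spec.attributes_match_mask) return false;
  // A field that must be matched has to be present and equal on both sides.
  if (spec.is_mrenclave_match_required &&
      (!ref.mrenclave || target.mrenclave != ref.mrenclave)) return false;
  if (spec.is_mrsigner_match_required &&
      (!ref.mrsigner || target.mrsigner != ref.mrsigner)) return false;
  // Mask semantics: a 1 bit must be equal, a 0 bit is ignored.
  if ((target.miscselect ^ ref.miscselect) & *spec.miscselect_match_mask) return false;
  const Attributes& m = *spec.attributes_match_mask;
  return !((target.attributes.flags ^ ref.attributes.flags) & m.flags) &&
         !((target.attributes.xfrm ^ ref.attributes.xfrm) & m.xfrm);
}

// Constructed sample: a production reference and a debug build of the same
// enclave, compared under the given ATTRIBUTES flags mask.
bool DebugBuildAccepted(uint64_t flags_mask) {
  Hash h{}; h[0] = 0xAB;  // constructed measurement, not a real MRENCLAVE
  CodeIdentity ref{h, h, 0, {0x5, 0x3}};    // INIT|MODE64BIT, DEBUG clear
  CodeIdentity debug{h, h, 0, {0x7, 0x3}};  // same code, DEBUG set
  CodeIdentityMatchSpec spec{true, true, 0xFFFFFFFFu,
                             Attributes{flags_mask, ~0ull}};
  return Matches(debug, ref, spec);
}

int main() { return DebugBuildAccepted(~0ull) ? 1 : 0; }  // exits 0: strict mask rejects
```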

asylo.sgx.MachineConfigurationMatchSpec

Specification of which fields from MachineConfiguration to match.

| Field | Type | Description | Required |
|---|---|---|---|
| is_cpu_svn_match_required | bool | Required. | No |
| is_sgx_type_match_required | bool | Required. | No |