Intel SGX: Reproduce enclave measurement from enclave binary

Question

I have a question about the enclave measurement in Intel SGX. Judging by the SignTool source code (and high-level description in the manual), it seems like measurement involves loading the enclave file (ELF or PE). But the result of loading varies on different platforms, right? I wonder if I can reproduce consistent enclave measurement from an enclave binary.

In particular, I'm considering the following scenarios: Suppose I want to distribute an enclave.signed.so to my users and I only want to serve requests from that particular enclave. I guess I can't simply compare the local measurement on my platform with users' (can be included in their attestations). What should I do instead?

Essentially the question boils down to how to link the binary and the measurement cryptographically? There seems to be a paradox: suppose I have the enclave binary, the only way I can get its measurement is to load it. However, the loading process is not trusted (done by OS)! How can I ensure the measurement I get is indeed for that particular binary? I must have misunderstood something because this seems critical to the entire validity of SGX. Please correct me.

Thanks!

Answer 1

You are right, to establish the "real" enclave measurement you need a trustworthy system.

The measurement of an enclave is done by the processor. It permutes the measurement value with each enclave creation steps/instruction. The specification explains this permutations in quite some detail. For example the pseudo code of ECREATE contains this statement about the measurement field:

(* Initialize hash updates etc*)
Initialize enclave’s MRENCLAVE update counter;
(* Add “ECREATE” string and SECS fields to MRENCLAVE *)
TMPUPDATEFIELD[63:0] = 0045544145524345H; // “ECREATE”
TMPUPDATEFIELD[95:64] = DS:TMP_SECS.SSAFRAMESIZE;
TMPUPDATEFIELD[159:96] = DS:TMP_SECS.SIZE;
TMPUPDATEFIELD[511:160] = 0;
SHA256UPDATE(DS:TMP_SECS.MRENCLAVE, TMPUPDATEFIELD)
INC enclave’s MRENCLAVE update counter;

Assuming theses descriptions are exhaustive and one knows the order in which the creation steps are executed by the driver, one should be able to compute an enclave's measurement without loading it. Thus, you could compute the value in an enclave. But how would compute the measurement of this enclave?