“EINIT指令过程”涉及到一个签名结构体SIGSTRUCT。
Metadata元数据
代码如下:
/*
 * Metadata header embedded in a signed enclave image. It carries the
 * enclave layout parameters plus enclave_css, which is the SIGSTRUCT
 * that EINIT checks (see the css_*_t definitions below).
 * NOTE(review): when this is read from an enclave file, magic_num,
 * version and size should be validated before the remaining fields are
 * used — confirm the loader does this.
 */
typedef struct _metadata_t
{
uint64_t magic_num; /* The magic number identifying the file as a signed enclave image */
uint64_t version; /* The metadata version */
uint32_t size; /* The size of this structure, in bytes */
uint32_t tcs_policy; /* TCS management policy */
uint32_t ssa_frame_size; /* The size of the SSA frame, in pages */
uint32_t max_save_buffer_size; /* Max buffer size is 2632 */
uint32_t desired_misc_select; /* MISCSELECT value requested for the enclave; presumably must agree with css_body_t.misc_select — confirm */
uint32_t tcs_min_pool; /* TCS min pool */
uint64_t enclave_size; /* enclave virtual size */
sgx_attributes_t attributes; /* XFeatureMask to be set in SECS. */
enclave_css_t enclave_css; /* The enclave signature (SIGSTRUCT) */
data_directory_t dirs[DIR_NUM]; /* Data directories; DIR_NUM is defined elsewhere */
uint8_t data[18592]; /* Raw trailing data; its internal layout is not described here */
}metadata_t;
Enclave文件里面有一个metadata的数据结构,它里面保存着enclave_css_t,这个enclave_css_t就是SIGSTRUCT。
SIGSTRUCT
代码如下:
/*
 * SIGSTRUCT: the enclave signature structure consumed by EINIT.
 * The byte offsets in the comments are relative to the start of this
 * struct and only add up to 1808 if there is no padding between members.
 * NOTE(review): the SDK declares these structs under #pragma pack(1);
 * confirm that applies here, otherwise the offsets below will not hold.
 */
typedef struct _enclave_css_t { /* 1808 bytes */
css_header_t header; /* (0) Fixed-format header; covered by the signature */
css_key_t key; /* (128) Signer's RSA public key and the signature itself */
css_body_t body; /* (900) Enclave identity and attributes; covered by the signature */
css_buffer_t buffer; /* (1028) Auxiliary Q1/Q2 values used for signature verification */
} enclave_css_t;
/*
 * Fixed-format SIGSTRUCT header (offsets 0..127); all of it is covered by
 * the signature. The two constant byte strings and the reserved field are
 * structural checks: a SIGSTRUCT whose header does not match them should be
 * rejected before any further processing.
 */
typedef struct _css_header_t { /* 128 bytes */
uint8_t header[12]; /* (0) must be (06000000E100000000000100H) */
uint32_t type; /* (12) bit 31: 0 = prod, 1 = debug; Bit 30-0: Must be zero. NOTE(review): bit 31 is what distinguishes a debug-signed enclave, so attestation policy should check it — confirm */
uint32_t module_vendor; /* (16) Intel=0x8086, ISV=0x0000 */
uint32_t date; /* (20) build date as yyyymmdd */
uint8_t header2[16]; /* (24) must be (01010000600000006000000001000000H) */
uint32_t hw_version; /* (40) For Launch Enclaves: HWVERSION != 0. Others, HWVERSION = 0 */
uint8_t reserved[84]; /* (44) Must be 0 */
} css_header_t;
/*
 * Signer key material and the signature (offsets 128..899).
 * The signature covers css_header_t and css_body_t only; this struct and
 * css_buffer_t are inputs to the verification, not signed data.
 * SE_KEY_SIZE and SE_EXPONENT_SIZE are defined elsewhere; the offsets in
 * the comments imply SE_KEY_SIZE = 384 (3072 bits) and SE_EXPONENT_SIZE = 4.
 * NOTE(review): the modulus identifies the signer (MRSIGNER is derived from
 * it in SGX) — confirm against the SDM.
 */
typedef struct _css_key_t { /* 772 bytes */
uint8_t modulus[SE_KEY_SIZE]; /* (128) Module Public Key (keylength=3072 bits) */
uint8_t exponent[SE_EXPONENT_SIZE]; /* (512) RSA Exponent = 3 */
uint8_t signature[SE_KEY_SIZE]; /* (516) Signature over Header and Body */
} css_key_t;
/*
 * Signed enclave identity (offsets 900..1027). These are the values EINIT
 * checks against the enclave being initialised: enclave_hash carries the
 * expected MRENCLAVE, and the attributes/misc_select fields are enforced
 * under their corresponding masks. The sizes of the sgx_* types are
 * implied by the offsets in the comments.
 */
typedef struct _css_body_t { /* 128 bytes */
sgx_misc_select_t misc_select; /* (900) The MISCSELECT that must be set */
sgx_misc_select_t misc_mask; /* (904) Mask of MISCSELECT to enforce */
uint8_t reserved[4]; /* (908) Reserved. Must be 0. */
sgx_isvfamily_id_t isv_family_id; /* (912) ISV assigned Family ID (16 bytes) */
sgx_attributes_t attributes; /* (928) Enclave Attributes that must be set */
sgx_attributes_t attribute_mask; /* (944) Mask of Attributes to Enforce */
sgx_measurement_t enclave_hash; /* (960) MRENCLAVE - (32 bytes) */
uint8_t reserved2[16]; /* (992) Must be 0 */
sgx_isvext_prod_id_t isvext_prod_id; /* (1008) ISV assigned Extended Product ID (16 bytes) */
uint16_t isv_prod_id; /* (1024) ISV assigned Product ID */
uint16_t isv_svn; /* (1026) ISV assigned SVN (security version number). NOTE(review): presumably the field a verifier uses for minimum-version checks — confirm */
} css_body_t;
/*
 * Trailing buffer (offsets 1028..1807) holding Q1 and Q2, precomputed
 * helper values for the RSA signature check. They are not covered by the
 * signature.
 * NOTE(review): Q1/Q2 are presumably derived from the signature and
 * modulus; a verifier should check them for consistency rather than trust
 * the file's values blindly — confirm against the SDM.
 */
typedef struct _css_buffer_t { /* 780 bytes */
uint8_t reserved[12]; /* (1028) Must be 0 */
uint8_t q1[SE_KEY_SIZE]; /* (1040) Q1 value for RSA Signature Verification */
uint8_t q2[SE_KEY_SIZE]; /* (1424) Q2 value for RSA Signature Verification */
} css_buffer_t;
聚合一下如下图所示:
这个结构体就是Enclave的签名,里面包含的ENCLAVEHASH(MRENCLAVE)等信息会在EINIT指令初始化过程中使用到。