SIGSTRUCT,Enclave Signature Structure(签名结构体)

EINIT指令过程涉及到一个签名结构体SIGSTRUCT。

Metadata元数据

代码如下:

/*
 * Metadata block embedded in a signed enclave image.
 * It carries the enclave signature (enclave_css, i.e. SIGSTRUCT) together
 * with the loader-facing layout parameters listed below.
 *
 * NOTE(review): this block is read from the enclave file on disk, so its
 * contents are untrusted until the signature in enclave_css has been
 * verified; a consumer should check magic_num, version and size before
 * relying on the remaining fields — confirm against the loader code.
 */
typedef struct _metadata_t 
{
    uint64_t            magic_num;             /* The magic number identifying the file as a signed enclave image */
    uint64_t            version;               /* The metadata version */
    uint32_t            size;                  /* The size of this structure */
    uint32_t            tcs_policy;            /* TCS management policy */
    uint32_t            ssa_frame_size;        /* The size of SSA frame in page */
    uint32_t            max_save_buffer_size;  /* Max buffer size is 2632 */
    uint32_t            desired_misc_select;   /* presumably the MISCSELECT requested for the enclave; compare with enclave_css.body.misc_select — verify */
    uint32_t            tcs_min_pool;          /* TCS min pool*/         
    uint64_t            enclave_size;          /* enclave virtual size */
    sgx_attributes_t    attributes;            /* XFeatureMask to be set in SECS. */
    enclave_css_t       enclave_css;           /* The enclave signature */
    data_directory_t    dirs[DIR_NUM];         /* data directories; DIR_NUM and data_directory_t are declared elsewhere */
    uint8_t             data[18592];           /* trailing payload referenced by dirs (assumed) — confirm */
}metadata_t;

Enclave文件里面有一个metadata的数据结构,它里面保存着enclave_css_t,这个enclave_css_t就是SIGSTRUCT.

SIGSTRUCT

代码如下:

/*
 * SIGSTRUCT: the enclave signature structure consumed by EINIT.
 * The numbers in parentheses are byte offsets from the start of this
 * structure; the four member types are defined below this listing, so in a
 * compilable header they must appear before this typedef.
 * Tag names beginning with '_' are reserved at file scope in C (kept as in
 * the original source).
 */
typedef struct _enclave_css_t {        /* 1808 bytes */
    css_header_t    header;             /* (0) */
    css_key_t       key;                /* (128) */
    css_body_t      body;               /* (900) */
    css_buffer_t    buffer;             /* (1028) */
} enclave_css_t;
/*
 * SIGSTRUCT header (offsets 0..127). All fixed values must match exactly;
 * the header is part of the data covered by css_key_t.signature.
 */
typedef struct _css_header_t {        /* 128 bytes */
    uint8_t  header[12];                /* (0) must be (06000000E100000000000100H) */
    uint32_t type;                      /* (12) bit 31: 0 = prod, 1 = debug; Bit 30-0: Must be zero */
                                        /* NOTE(review): a production verifier would reject bit 31 set — confirm policy */
    uint32_t module_vendor;             /* (16) Intel=0x8086, ISV=0x0000 */
    uint32_t date;                      /* (20) build date as yyyymmdd */
    uint8_t  header2[16];               /* (24) must be (01010000600000006000000001000000H) */
    uint32_t hw_version;                /* (40) For Launch Enclaves: HWVERSION != 0. Others, HWVERSION = 0 */
    uint8_t  reserved[84];              /* (44) Must be 0 */
} css_header_t;
/*
 * Signing key and signature (offsets 128..899). From the offsets,
 * SE_KEY_SIZE is 384 bytes (3072-bit modulus) and SE_EXPONENT_SIZE is 4.
 * The signature covers header and body only, not css_buffer_t.
 */
typedef struct _css_key_t {           /* 772 bytes */
    uint8_t modulus[SE_KEY_SIZE];       /* (128) Module Public Key (keylength=3072 bits) */
    uint8_t exponent[SE_EXPONENT_SIZE]; /* (512) RSA Exponent = 3 */
    uint8_t signature[SE_KEY_SIZE];     /* (516) Signature over Header and Body */
} css_key_t;
/*
 * Signed body (offsets 900..1027): the enclave identity and the
 * attribute/MISCSELECT requirements enforced at EINIT. enclave_hash is the
 * MRENCLAVE value referenced in the surrounding text. The mask fields
 * select which bits of the corresponding value must match.
 */
typedef struct _css_body_t {             /* 128 bytes */
    sgx_misc_select_t    misc_select;    /* (900) The MISCSELECT that must be set */
    sgx_misc_select_t    misc_mask;      /* (904) Mask of MISCSELECT to enforce */
    uint8_t              reserved[4];    /* (908) Reserved. Must be 0. */
    sgx_isvfamily_id_t   isv_family_id;  /* (912) ISV assigned Family ID */
    sgx_attributes_t     attributes;     /* (928) Enclave Attributes that must be set */
    sgx_attributes_t     attribute_mask; /* (944) Mask of Attributes to Enforce */
    sgx_measurement_t    enclave_hash;   /* (960) MRENCLAVE - (32 bytes) */
    uint8_t              reserved2[16];  /* (992) Must be 0 */
    sgx_isvext_prod_id_t isvext_prod_id; /* (1008) ISV assigned Extended Product ID */
    uint16_t             isv_prod_id;    /* (1024) ISV assigned Product ID */
    uint16_t             isv_svn;        /* (1026) ISV assigned SVN */
} css_body_t;
/*
 * Trailing buffer (offsets 1028..1807) holding the Q1/Q2 helper values for
 * RSA signature verification.
 * NOTE(review): per the css_key_t.signature comment the signature covers
 * only header and body, so q1/q2 are not authenticated by it; a verifier
 * must check them rather than trust them — confirm against the SDK's
 * verification routine.
 */
typedef struct _css_buffer_t {         /* 780 bytes */
    uint8_t  reserved[12];              /* (1028) Must be 0 */
    uint8_t  q1[SE_KEY_SIZE];           /* (1040) Q1 value for RSA Signature Verification */
    uint8_t  q2[SE_KEY_SIZE];           /* (1424) Q2 value for RSA Signature Verification */
} css_buffer_t;

聚合一下如下图所示:

这个结构体就是Enclave的签名,里面包含的ENCLAVEHASH(MRENCLAVE)等信息会在EINIT指令初始化过程中使用到。
