Intel SGX¶
How to use the Intel SGX platform¶
CCF must run on an Intel CPU which supports SGX.
To use SGX, in the enclave configuration section, the enclave platform
should be set to SGX
, and type
to Release
or Debug
, depending on the enclave build type.
Attestation¶
SGX attestations provide a measurement of the code loaded into the enclave, which CCF stores in the nodes.code_ids table. New nodes joining a network will provide their measurement and the primary will perform an identity check against the table entries.
The first node in a new network will add its code id to the table. Members can then manage which code ids are present in the table with the add_node_code
and remove_node_code
actions.
Once the proposal has been accepted, nodes running the new code are authorised to join the network. Nodes running older versions of the code can then be retired and stopped.
Note
The identity of the code (mrenclave
) can be found by running the oesign
utility provided by Open Enclave :
$ /opt/openenclave/bin/oesign dump -e enclave_library
=== Entry point:
name=_start
address=000000000097fa38
=== SGX Enclave Properties:
product_id=1
security_version=1
debug=1
xfrm=0
num_heap_pages=50000
num_stack_pages=1024
num_tcs=8
mrenclave=3175971c02d00c1a8f9dd23ca89e64955c5caa94e24f4a3a0579dcfb2e6aebf9