practical verification of MRSIGNER

[nmwael]

This might not be gramine related.

We are trying to verify that the MRSIGNER field are originating from our enclave-signer.pem generated with gramine-sgx-gen-private-key

In a shell i've tried this:
sha256sum /.config/gramine/enclave-key.pem
which outputs 9755ea2a4e23a3136d28d1d171ee2fbcf150d3b264da8c7d59366230fe83cf68

And then compared it to the MRSIGNER field output from gramine-sgx-quote-dump

They are not matching, so I must be doing something wrong?

The enclave-key.pem was used together with gramine-sgx-sign..

[dimakuv]

First of all, enclave-key.pem is the private key. Whereas MRSIGNER is the hash of the corresponding public key.

Second of all, your file is .pem which implies it is formatted in the PEM encoding. However, I think the MRSIGNER is taken over the public key in raw-binary format (which is DER). Tools like OpenSSL allow you to perform PEM -> DER encoding (though it is trivial to do it manually too).

You can check more about MRSIGNER in Intel SDM, Vol. 3, Chapter 35.4.1.2.

[nmwael]

Okay that explains, we also tried generating an RSA public key which are in pub format..

Looking into
36.4.1.2 of describes it as you mention.
https://www.intel.com/content/www/us/en/developer/articles/technical/intel-sdm.html

However following the dcap documentation here they left out the part of it being the public key. on page 66 and just write
MRSIGNER 32 Byte Array Hash of enclave signing key.
https://download.01.org/intel-sgx/sgx-dcap/1.16/linux/docs/Intel_SGX_ECDSA_QuoteLibReference_DCAP_API.pdf

Thanks again for your help.

[nmwael]

So this is what we've done so far:

openssl rsa -in enclave-key.pem -inform PEM -out der.public -pubout -outform DER
sha256sum der.public

But still it does not match ?

[dimakuv]

@nmwael This was indeed pretty hard. I spent an hour figuring this out, and here's the final command:

openssl rsa -in enclave-key.pem -inform PEM -noout -modulus | cut -d= -f2- | fold -w2 | tac | tr --delete '\n' | xxd -r -p | sha256sum

So what happens here is:

1. We need to get the modulus (not the public key itself).
2. OpenSSL prints the modulus as Modulus=F290..., so we remove the Modulus= prefix using cut.
3. OpenSSL prints the modulus as a hex string but in big-endian format, however Intel SGX requires the modulus to be hashed in little-endian format, so we do the trick of fold | tac, which swaps the bytes in hex representation.
4. Then we delete the newline character using tr.
5. Then we decode the hex string into a raw binary using xxd.
6. Finally we have the 3072-bit raw binary sequence in little endian, time to sha256sum it.

Done! The resulting value is the same as MRSIGNER (in my experiments).

[dimakuv]

Intel SDM (and other Intel documentation) is really bad in this regard... I had to google a lot, and look at the sources of SGX open source projects (including in our Gramine sources :)).

[nmwael]

I can confirm it is working in our running environment.. Again thanks