How to Verify PCRs Match (Practically for You) #24734
Hello?
Replies: 1 comment
As the system builder, your job is to put the correct PCR values into the KMS key policy.

Here is your practical workflow:

Build Your Enclave Image: You write your sensitive code and package it into an EIF file.

Get the PCRs: When you build the EIF, the nitro-cli tool will output the PCR values (PCR0, PCR1, PCR2) for that specific image. This is the fingerprint of your trusted code.

Configure the Policy: You copy these exact PCR values and paste them into the Condition block of your KMS key's policy.

Deploy and Run: Now, when you run that exact enclave image, it will have the matching PCRs, and KMS will give it the key. Any other enclave (with different code or a different version) will have different PCRs and will be rejected.
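The workflow in the reply above, as an added example that is not part of the original discussion: it reads the measurements from `nitro-cli build-enclave` output, turns them into a key-policy statement using the `kms:RecipientAttestation:PCR<n>` condition keys, and checks whether a policy still matches a given build. The sample digests, the role ARN used in testing, and the function names are constructed for illustration.

```python
import json
import re

# Constructed sample of the JSON printed by `nitro-cli build-enclave`; digests are made up.
SAMPLE_BUILD_OUTPUT = json.dumps({
    "Measurements": {
        "HashAlgorithm": "Sha384 { ... }",
        "PCR0": "a1" * 48,
        "PCR1": "b2" * 48,
        "PCR2": "c3" * 48,
    }
})

SHA384_HEX = re.compile(r"[0-9a-fA-F]{96}")
PCR_NAMES = ("PCR0", "PCR1", "PCR2")


def extract_pcrs(build_output: str) -> dict:
    """Return PCR0-2 from the build output, refusing malformed or all-zero values."""
    measurements = json.loads(build_output)["Measurements"]
    pcrs = {}
    for name in PCR_NAMES:
        value = measurements[name]
        if not SHA384_HEX.fullmatch(value):
            raise ValueError(f"{name} is not a 96-character hex SHA-384 digest")
        if set(value) == {"0"}:
            # Debug-mode enclaves attest with all-zero PCRs; never pin those.
            raise ValueError(f"{name} is all zeros")
        pcrs[name] = value.lower()
    return pcrs


def policy_statement(pcrs: dict, role_arn: str) -> dict:
    """Build a key-policy statement allowing kms:Decrypt only for these PCRs."""
    condition = {f"kms:RecipientAttestation:{n}": v for n, v in pcrs.items()}
    return {
        "Sid": "DecryptFromAttestedEnclaveOnly",
        "Effect": "Allow",
        "Principal": {"AWS": role_arn},  # role_arn is supplied by the caller
        "Action": "kms:Decrypt",
        "Resource": "*",
        "Condition": {"StringEqualsIgnoreCase": condition},
    }


def policy_matches(statement: dict, pcrs: dict) -> bool:
    """True if the statement pins every PCR of this build to the same value."""
    pinned = statement.get("Condition", {}).get("StringEqualsIgnoreCase", {})
    return all(pinned.get(f"kms:RecipientAttestation:{n}", "").lower() == v
               for n, v in pcrs.items())
```

Running `policy_matches` against the deployed key policy after every rebuild catches the case where the image changed but the policy still pins the old measurements.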