Figure out how to properly sign release enclaves.

[Yawning]

At some point we need to start signing enclaves with our production SGX keys. This isn't too difficult in theory, however the fortanix tooling (sgxs-sign) does not support signatures with a HSM.

As it is unacceptable to be carting around our signing key as a PEM file, this likely will require extending the tooling or writing our own.

Estimated cost: 1 sprint

[Yawning]

While we're here, we should explicity reject the MRSIGNER value 9affcfae47b848ec2caf1c49b4b283531e1cc425f93582b36806e52a43d78d1a (https://github.com/fortanix/rust-sgx/blob/master/enclave-runner/src/dummy.key).

For my future reference more than anything else MRSIGNER is derived from the SHA256 digest of the little endian representation of the modulus. Valid signing keys are always 3072 bit RSA keys, with the exponent set to 3.

[kostko]

Related upstream issue is fortanix/rust-sgx#184.

[Yawning]

The majority of the work required to support this has been done via #2893. The remaining concerns are primarily policy based, as the node will happily accept detached per-generated SIGSTRUCTs when instantiating enclaves.

[ravenac95]

Added fortanix/rust-sgx#327 to support the ideal signing process.