Hacker News
by throw_a_grenade 1291 days ago
You do attestation. The CPU has its own private key [1] and signs a message saying what the initial state of the enclave was. The enclave can plug "user data" into this message, which almost always is a signature over a public key for a TLS private key which was generated inside the enclave. The enclave presents it to the other side of the encrypted connection (i.e. you). You verify the CPU's signature, so the encrypted channel established between you and the owner of said private key necessarily happened between you and the enclave. QED.

Obviously this assumes the attacker can't extract the TLS private key from the enclave. Nominally this is a central promise of SGX, but if you have some attack which allows you to read the enclave's memory anyway, all of this falls apart. TFA discusses several attacks to this effect.

[1] SGX's threat model says CPU silicon is too complicated to extract this key from even if you have physical access.


Thanks. How can the network tell that it is definitely communicating with a secure enclave, and not some kind of emulator? [1] suggests that keys and signatures from Intel are burnt into CPUs, which would work. All in all it's certainly an odd thing to put trust in.

[1] https://news.ycombinator.com/item?id=21840086

Yes, the keys are kept in the CPU itself. AFAIK Intel doesn't disclose the exact mechanism (blown fuses, EPROM or something entirely different).

You can't get a valid quote outside the enclave, because the CPU doesn't provide the instruction to sign the quote outside the enclave, and you can't calculate it yourself, because you don't know the CPU's private key.
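As an added illustration of the flow the thread describes (this is example code written for this page, not SGX's real quote format, Intel's key hierarchy, or any code from the SDK), the following Go program models the three checks a remote verifier performs: the quote is signed by a key only the CPU holds, the enclave measurement matches the code the verifier audited, and the "user data" in the quote binds the TLS public key actually presented on the connection. Assumptions made here: Ed25519 stands in for the CPU's fused attestation key and for the enclave's TLS key, SHA-256 over the enclave "code" stands in for the MRENCLAVE measurement, and the `quoteBody` byte layout and the sample enclave code strings are constructed for the example. It also runs the three failure cases the two commenters ask about: an emulator signing with a key the verifier never pinned, an enclave whose code differs from what was audited, and a man-in-the-middle presenting its own TLS key alongside a genuine quote.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// quote is the CPU-signed statement about one enclave (toy layout, not the SGX one).
type quote struct {
	MREnclave  []byte // measurement of the enclave's initial state
	ReportData []byte // enclave-supplied "user data": here SHA-256 of its TLS public key
	Signature  []byte // attestation-key signature over quoteBody(MREnclave, ReportData)
}

// cpu is the only holder of the attestation private key. An emulator has to
// invent its own, which will not match the public key the verifier pinned.
type cpu struct{ attestKey ed25519.PrivateKey }

// enclave holds code plus a TLS key generated inside it and never exported.
type enclave struct {
	code   []byte
	tlsKey ed25519.PrivateKey
}

func newCPU() *cpu {
	_, k, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &cpu{attestKey: k}
}

func newEnclave(code []byte) *enclave {
	_, k, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &enclave{code: code, tlsKey: k}
}

func (c *cpu) pub() ed25519.PublicKey        { return c.attestKey.Public().(ed25519.PublicKey) }
func (e *enclave) tlsPub() ed25519.PublicKey { return e.tlsKey.Public().(ed25519.PublicKey) }

// measure stands in for MRENCLAVE: a hash of the enclave's initial contents.
func measure(code []byte) []byte { h := sha256.Sum256(code); return h[:] }

// quoteBody is the exact byte string the attestation key signs (hypothetical layout;
// both fields are fixed 32-byte SHA-256 digests, so no separator is needed).
func quoteBody(mr, rd []byte) []byte { return append(append([]byte("QUOTE|"), mr...), rd...) }

// getQuote models the privileged instruction: the CPU measures the enclave itself
// (the enclave cannot choose its own measurement) and binds the report data it supplies.
func (c *cpu) getQuote(e *enclave, reportData []byte) quote {
	mr := measure(e.code)
	return quote{MREnclave: mr, ReportData: reportData,
		Signature: ed25519.Sign(c.attestKey, quoteBody(mr, reportData))}
}

// verifyAttestation is the remote party's check. cpuPub is the vendor's public key
// obtained out of band (the root of trust); expectedMR is the measurement of the enclave
// binary the verifier audited; tlsPub is the key the peer presented in the TLS handshake.
func verifyAttestation(cpuPub ed25519.PublicKey, expectedMR []byte, q quote, tlsPub ed25519.PublicKey) error {
	if !ed25519.Verify(cpuPub, quoteBody(q.MREnclave, q.ReportData), q.Signature) {
		return errors.New("quote is not signed by a genuine CPU")
	}
	if !bytes.Equal(q.MREnclave, expectedMR) {
		return errors.New("enclave measurement does not match the audited code")
	}
	if h := sha256.Sum256(tlsPub); !bytes.Equal(q.ReportData, h[:]) {
		return errors.New("presented TLS key is not the one bound in the quote")
	}
	return nil
}

// attest runs one attested connection: the enclave asks quoter for a quote over a hash
// of ITS TLS key, and the verifier checks it against the key presented on the wire.
func attest(quoter *cpu, e *enclave, presentedTLSPub, cpuPub ed25519.PublicKey, expectedMR []byte) error {
	h := sha256.Sum256(e.tlsPub())
	return verifyAttestation(cpuPub, expectedMR, quoter.getQuote(e, h[:]), presentedTLSPub)
}

var auditedCode = []byte("enclave v1.0 (constructed sample)")

// honest: genuine CPU, audited code, the enclave's own TLS key on the connection.
func honest() error {
	c, e := newCPU(), newEnclave(auditedCode)
	return attest(c, e, e.tlsPub(), c.pub(), measure(auditedCode))
}

// emulator: software pretending to be a CPU signs with a key the vendor never fused.
func emulator() error {
	fake, genuine, e := newCPU(), newCPU(), newEnclave(auditedCode)
	return attest(fake, e, e.tlsPub(), genuine.pub(), measure(auditedCode))
}

// tampered: genuine CPU, but the running code is not what the verifier audited.
func tampered() error {
	c, e := newCPU(), newEnclave([]byte("enclave v1.0 plus a backdoor (constructed sample)"))
	return attest(c, e, e.tlsPub(), c.pub(), measure(auditedCode))
}

// mitm: a genuine quote replayed on a connection whose TLS key belongs to the attacker.
func mitm() error {
	c, e := newCPU(), newEnclave(auditedCode)
	attackerPub, _, _ := ed25519.GenerateKey(rand.Reader)
	return attest(c, e, attackerPub, c.pub(), measure(auditedCode))
}

func main() {
	for _, s := range []struct {
		name string
		run  func() error
	}{{"honest", honest}, {"emulator", emulator}, {"tampered", tampered}, {"mitm", mitm}} {
		fmt.Printf("%-9s -> %v\n", s.name, s.run())
	}
}
```

The point the thread makes is visible in `verifyAttestation`: the CPU signature alone proves only that some genuine CPU ran some enclave, the measurement check pins which code, and the report-data check is what ties the attestation to the specific TLS key the verifier is about to encrypt to. Drop any one of the three and the corresponding scenario above passes. The model also shows where the caveat from the first comment sits: nothing here helps if the attacker can read `tlsKey` out of the enclave's memory, because then they can complete the handshake with a perfectly valid quote.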