Intel SGX uses strong industry-standard algorithms for signing enclaves. The signature of an enclave characterizes the content and the layout of the enclave at build time. If the enclave’s content and layout are not correct per the signature, the enclave fails to be initialized and does not run. If an enclave is initialized, it should be identical to the original enclave and is not modified at runtime.

_{1. From an enclave standpoint, the operating system and VMM are also not trusted components.}