Suppose you have a program that uses SGX. Perhaps this program requires some public keys which it uses as a root of trust. Presumably you've baked these public keys into your program; you load this binary with the code+public keys into the enclave and execute it.
Now, how do you know that malware didn't modify the public key sitting in your binary before your code was loaded into the enclave? You need hardware to ensure that it only loads your code and not the modified code. This is where Intel's signing process comes in. There isn't really any way around it.
Not necessarily. The enclave's symmetric keys are bound to its identity, which is a hash of the memory and permission bits before the enclave starts to run. If the malware modifies the public key in the binary before it is loaded into the enclave, the enclave's identity (and its keys) will be completely different.
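The point made in the reply above, as a simplified Python model. This is an added example, not part of the thread, and it does not reproduce Intel's actual measurement or key-derivation algorithms. The page layout, `CPU_SECRET`, the key values and all function names are constructed for illustration.

```python
import hashlib
import hmac

PAGE_SIZE = 4096

def enclave_identity(pages):
    """Toy identity: hash of every page's offset, permission bits and contents."""
    h = hashlib.sha256()
    for offset, perms, content in pages:
        h.update(offset.to_bytes(8, "little"))
        h.update(perms.encode("ascii"))
        h.update(content.ljust(PAGE_SIZE, b"\x00"))
    return h.digest()

def enclave_key(cpu_secret, identity):
    """Toy derivation: the key depends on a per-CPU secret and the identity."""
    return hmac.new(cpu_secret, b"enclave-key" + identity, hashlib.sha256).digest()

def tag(key, blob):
    """Integrity tag over data the enclave stored outside itself."""
    return hmac.new(key, blob, hashlib.sha256).digest()

def build_pages(root_public_key, data_perms="rw-"):
    code = b"\x90" * 64  # constructed placeholder for the enclave code
    return [(0x0000, "r-x", code), (0x1000, data_perms, root_public_key)]

CPU_SECRET = b"constructed-per-cpu-secret"    # assumption: never leaves the CPU
GOOD_KEY = b"constructed-root-public-key-A"   # what the developer baked in
EVIL_KEY = b"constructed-root-public-key-B"   # what the malware swapped in

def demo():
    honest_id = enclave_identity(build_pages(GOOD_KEY))
    honest_key = enclave_key(CPU_SECRET, honest_id)
    sealed_blob = b"state stored by the unmodified enclave"
    sealed_tag = tag(honest_key, sealed_blob)
    variants = {
        "unmodified": build_pages(GOOD_KEY),
        "key swapped": build_pages(EVIL_KEY),
        "perms changed": build_pages(GOOD_KEY, "rwx"),
    }
    results = {}
    for name, pages in variants.items():
        ident = enclave_identity(pages)
        key = enclave_key(CPU_SECRET, ident)
        verifies = hmac.compare_digest(tag(key, sealed_blob), sealed_tag)
        results[name] = (ident == honest_id, verifies)
    return results

if __name__ == "__main__":
    for name, (same_id, verifies) in demo().items():
        print(f"{name:14} same identity={same_id}  sealed data verifies={verifies}")
```

In this model the modified binary still loads and runs, but it gets a different identity and a different key, so nothing protected under the original enclave's key is usable by it.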