
If you don't trust your cloud provider, I'm not sure whether SGX is the solution. Consider all those side-channel attacks.

It might provide an additional defense barrier, but you'd still want to run on trusted hardware. And if you have trusted hardware then it should be ok to use user-provided signing keys, just as you can do with secure boot configurations (at least the acceptable kind).

So as long as you're the exclusive user of a machine it should be sufficient to also hand your public key to the cloud provider so they can put it in the BIOS.

The only reason for SGX to not support that is DRM&Co.


