> the client fetches a signed document from the enclave which includes a hash of the running code signed
Why couldn't the enclave claim to be running an older hash?
This is enforced by the hardware (that’s where the root of trust goes back to NVIDIA+AMD). The hardware will only send back signed enclave hashes of the code it’s running and cannot be coerced by us (or anyone else) into responding with a fake or old measurement.
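The client-side check implied by the exchange above, as an added example that is not part of the original thread or the project's code: the client accepts a report only if it is signed by the hardware-rooted key and its measurement equals the hash the client expects. The `Report` layout, the function names and the Ed25519 key standing in for the vendor-rooted signing key are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Report is a simplified attestation document (hypothetical layout).
type Report struct {
	Measurement [32]byte // hash of the code that was loaded
	Signature   []byte   // signature over Measurement
}

var ErrSignature = errors.New("report not signed by the trusted hardware key")
var ErrMeasurement = errors.New("measurement differs from the expected code hash")

// hwSign stands in for the hardware: it measures the code it was given and
// signs that measurement; the caller cannot choose the value that gets signed.
func hwSign(key ed25519.PrivateKey, loadedCode []byte) Report {
	m := sha256.Sum256(loadedCode)
	return Report{Measurement: m, Signature: ed25519.Sign(key, m[:])}
}

// Verify is the client's check: signature first, then the pinned measurement.
func Verify(r Report, hwPub ed25519.PublicKey, expected [32]byte) error {
	if !ed25519.Verify(hwPub, r.Measurement[:], r.Signature) {
		return ErrSignature
	}
	if r.Measurement != expected {
		return ErrMeasurement
	}
	return nil
}

// Demo runs three constructed cases and returns the verification results.
func Demo() (ok, otherCode, forged error) {
	hwPub, hwKey, _ := ed25519.GenerateKey(nil)   // constructed hardware key
	_, operatorKey, _ := ed25519.GenerateKey(nil) // key not rooted in hardware
	audited, other := []byte("audited build (constructed)"), []byte("other build (constructed)")
	expected := sha256.Sum256(audited)
	ok = Verify(hwSign(hwKey, audited), hwPub, expected)           // genuine report, expected code
	otherCode = Verify(hwSign(hwKey, other), hwPub, expected)      // genuine report, different code
	forged = Verify(hwSign(operatorKey, audited), hwPub, expected) // expected hash, wrong signer
	return
}

func main() { fmt.Println(Demo()) }
```
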