topic sgx_create_enclave function in Intel® Software Guard Extensions (Intel® SGX)

Failed when using Enclave in Windows Schannel

Huorong_L_ — Mon, 20 Mar 2017 13:12:35 GMT

Hi,

I wrote a simple SSL program using Windows Schannel (just created socket and do SSL handshake). It worked well without loading enclave. However, when the program loaded enclave, it failed at "AcquireCredentialHandle" and never returned. It has troubled me for several days and still not solved.

Does anybody know why and how to solve it?

thx a lot.

-Huorong Li

PS:

Huorong_L_ — Tue, 21 Mar 2017 06:34:26 GMT

PS:

I'm sure that the problem was caused by calling "sgx_create_enclave" in my DLL, and I found an useful info from "Intel SGX SDK Developer Reference for Windows OS v1.7.pdf":

Do not call the sgx_create_enclave function as part of initialization of a
DLL. For instance, sgx_create_enclave hangs when it is called from the
global object constructor of a C++ class in a DLL.

And I've tried put "sgx_create_enclave" in different place in DLL, but all failed. What does "initialization of a DLL" actually mean? Does it mean that we should NOT call "sgx_create_enclave" in a DLL? if not, what is the right way to call "sgx_create_enclave" in a DLL?

Thx,

-Huorong Li

sgx_create_enclave function

Prabu_R_Intel — Tue, 21 Mar 2017 11:22:22 GMT

sgx_create_enclave function can't be called as part of initialization of a application DLL. In a process, we can't a DLL, while another DLL
loading/initialization is in progress. This constrains is applicable to non SGX application also.

We can call "sgx_create_enclave" from other part of application DLL except the DLL initialization code."sgx_create_enclave" is part of
untrusted the library (URts). We can add required untrusted library in the project settings and header file ("sgx_urts.h") in the application
DLL and can call the "sgx_create_enclave" in application DLL.

Quote:Prabu Rajathirumoni

Huorong_L_ — Tue, 21 Mar 2017 12:14:25 GMT

Prabu Rajathirumoni wrote:

sgx_create_enclave function can't be called as part of initialization of a application DLL. In a process, we can't a DLL, while another DLL
loading/initialization is in progress. This constrains is applicable to non SGX application also.

We can call "sgx_create_enclave" from other part of application DLL except the DLL initialization code."sgx_create_enclave" is part of
untrusted the library (URts). We can add required untrusted library in the project settings and header file ("sgx_urts.h") in the application
DLL and can call the "sgx_create_enclave" in application DLL.

Hi Prabu Rajathirumoni,

Thanks for your reply.

However, I'm still not clear what "part of initialization of a application DLL" means. Could you give me an example?. For example, Windows DLL's entry is DLLMain, is it right the "part of initialization of a application DLL", and the code in DLLMain is so-called "DLL initialization code"?

PS: I use Visual Studio 2015 with SGX SDK, and it seems that sgx librares are add to project settings by default.

Please read:

Francisco_C_Intel — Tue, 21 Mar 2017 13:22:42 GMT

Please read:

https://msdn.microsoft.com/en-us/library/windows/desktop/dn633971(v=vs.85).aspx

Basically, if you write a DLL when that DLL gets loaded, its DllMain() method is called automatically. Inside that DllMain(), you cannot load another DLL. The URL above has more details of additional restrictions.

Quote:Francisco C. (Intel)

Huorong_L_ — Tue, 21 Mar 2017 16:08:43 GMT

Francisco C. (Intel) wrote:

Please read:

https://msdn.microsoft.com/en-us/library/windows/desktop/dn633971(v=vs.85).aspx

Basically, if you write a DLL when that DLL gets loaded, its DllMain() method is called automatically. Inside that DllMain(), you cannot load another DLL. The URL above has more details of additional restrictions.

Thanks.

Still, I'm sure that I do NOT call sgx_create_enclave in DllMain. Here's my DllMain function:

BOOL WINAPI DllMain(
   IN CONST HINSTANCE hInstDLL,
   IN CONST DWORD dwReason,
   IN CONST LPVOID lpvReserved
   )
{
   UNREFERENCED_PARAMETER(lpvReserved);

   if (dwReason == DLL_PROCESS_ATTACH)
   {
       srand(time(NULL));
   }
   else if (dwReason == DLL_PROCESS_DETACH)
   {

   }
   return TRUE;
}

However, no mater where I placed sgx_create_enclave to, it always failed and once I commented the code, it success.

I assume that wrapper

Prabu_R_Intel — Wed, 22 Mar 2017 11:32:01 GMT

I assume that wrapper function containing "sgx_create_enclave" is defined in your application DLL.For enclave loading and initialization, this wrapper function is called from Application source.

Please check the below link for loading the enclave through application(C#) dll
https://software.intel.com/en-us/articles/csharp-application-with-intel-software-guard-extension
This writeup is written based on loading an enclave from C# application source by writting managed and unmanaged code (both are dlls).If your application is written in C/C++, then there is no need for managed/unmanaged code.

I do use native C/C++, not C#

Huorong_L_ — Wed, 22 Mar 2017 13:06:04 GMT

I do use native C/C++, not C#, and I'm sure sgx_create_enclave is not called directly or indirectly in DllMain, which is the initialization part of the DLL.

Prabu Rajathirumoni wrote:

I assume that wrapper function containing "sgx_create_enclave" is defined in your application DLL.For enclave loading and initialization, this wrapper function is called from Application source.

Please check the below link for loading the enclave through application(C#) dll
https://software.intel.com/en-us/articles/csharp-application-with-intel-software-guard-extension
This writeup is written based on loading an enclave from C# application source by writting managed and unmanaged code (both are dlls).If your application is written in C/C++, then there is no need for managed/unmanaged code.

Since the above shared write

Prabu_R_Intel — Thu, 23 Mar 2017 19:13:36 GMT

Since the above shared write-up uses the DLL written in C/C++ to call the enclave, I thought it might be useful for your reference.

Could you please share me the "App->DLL->Enclave" communication part of the code , let me try to fix the issue ? . Otherwise I can build a simple Intel SGX application with a light weight application DLL that calls enclave.

Thanks a lot for your help.

Huorong_L_ — Fri, 24 Mar 2017 01:54:31 GMT

Thanks a lot for your help.

My DLL is implemented as a CNG Provider. Basically, It should be used in CNG context i.e. "App->CNG->DLL->Enclave". However, to make the CNG Provider DLL available to App, especially for App using Schannel to do TLS, a lot configuration should be done on OS, including installing kernel mode drivers.

I have done such tests (both "App->DLL->Enclave" and "App->CNG->DLL->Enclave", App not calling AcquireCredentialHandle) with My DLL. Both of them did work. It's almost sure that in AcquireCredentialHandle context, something breaks the sgx_create_enclave "calling rule".

For AcquireCredentialHandle, not useful feedback from Microsoft currently.

PS:

I've partly solved this problem by using following trick:

Create enclave in App main routine, save the handle (enclave id) to a file. The DLL get the handle from the file.

However, it requires that creating enclave MUST be in the same process with the DLL. So it does not apply in Windows native application like IE.