topic cryptsetup is open source. So in Intel® Software Guard Extensions (Intel® SGX)

Can we execute linux commands inside enclave

Rajendra_K_ — Wed, 01 Feb 2017 08:50:37 GMT

Hi,

Can we execute various Linux commands inside SGX enclave like below:

cryptsetup

and so on.

How to do file IO inside enclave?

Thanks,

Rajendra

Hi,

Surenthar_S_Intel — Thu, 02 Feb 2017 09:39:23 GMT

Hi,

The Intel SGX SDK includes trusted cryptography library named sgx_tcrypto. You can refer it for the functions implemented in that library. You can check the supported functions and Un Supported standard functions here:(Page 92) :https://download.01.org/intel-sgx/linux-1.7/docs/Intel_SGX_SDK_Developer_Reference_Linux_1.7_Open_Source.pdf

For doing File IO inside enclave, you can use OCALLS . You need to add trusted and untrusted headers in edl file .

For ex:

enclave {
   include "sgx_stdio_stubs.h" //for FILE and other definitions
   trusted {
       public void test_file_io(void);
   };
   untrusted {
FILE * fopen([in,string] const char * filename, [in,string] const char * mode) propagate_errno;
int fclose([user_check] FILE * stream) propagate_errno;
size_t fwrite([in, size=size, count=count] const void * buf-fer,size_t size,size_t count, [user_check]FILE * stream) propagate_errno;
   };
};

-Surenthar

Hi,

Rajendra_K_ — Thu, 02 Feb 2017 11:53:56 GMT

Hi,

Thanks for your reply. I understood the File IO.

Can we run linux commands inside enclave like ln, find, grep and so on?

Thanks,

Rajendra

Hi, Rajendra.

Rodolfo_S_ — Thu, 02 Feb 2017 13:06:52 GMT

Hi, Rajendra.

You can't execute any system calls or I/O operations inside an enclave, therefore you can't execute the abovementioned commands inside an enclave. The workaround is, as pointed by Surenthar, to use OCALLs.

Best regards,

Rodolfo

Hi,

Rajendra_K_ — Thu, 02 Feb 2017 13:26:58 GMT

Hi,

In my case, I would be getting key from key manager and I have to pass this key to cryptsetup command to encrypt the volume inside the enclave.

If I can't run the cryptsetup command inside the enclave then I have to send plain key to OCALL function to encrypt the volume using cryptsetup command outside the enclave.

Then what is the use of enclave in this particular case?

Thanks,

Rajendra

If you really need to use

Rodolfo_S_ — Thu, 02 Feb 2017 13:44:42 GMT

If you really need to use cryptsetup, I'm afraid an enclave won't be very useful.

To the best of my knowledge, there are still no similar programs that make use of SGX to achieve this goal.

One alternative would be to develop "your own cryptsetup" which makes use of the sgx_seal_data and sgx_unseal_data functions.

Rodolfo

Hi Rodolfo,

Rajendra_K_ — Thu, 02 Feb 2017 13:49:23 GMT

Hi Rodolfo,

Thanks for quick reply.

Even I also thinking of the same solution that you have suggested.

As anyway, we have to use cryptsetup command for volume encryption.

Thanks,

Rajendra

cryptsetup is open source. So

Matthias_H_Intel — Fri, 03 Feb 2017 11:04:35 GMT

cryptsetup is open source. So you may extend it and potentially upstream it. E.G.:

- check whether system supports SGX

- if SGX is supported: send password to enclave and run all encrypt&decrypt operations within enclave

Not sure whether you'd want/need sealing.

Hi,

Rajendra_K_ — Fri, 03 Feb 2017 12:07:16 GMT

Hi, Even though we implement cryptsetup inside the enclave we have to make OS calls to dm-crypt kernal module . So again SGX does not support OS calls. So in my view either implement dm-crypt and cryptsetup inside enclave or else we can't use SGX in this case. Please suggest. Thanks, Rajendra

Hi Surenthar,

Elephant — Tue, 25 Jul 2017 04:25:58 GMT

Hi Surenthar,

Is there a real sgx_stdio_stubs.h file in the SDK? Is it just mentioned in the Developer Reference as an example for propagating errno? Do we need to CREATE our own OCALLs to call the FILE IO operations?

Thanks.

Kind Regards,

Elephant

Selvaraj, Surenthar (Intel) wrote:

Hi,

The Intel SGX SDK includes trusted cryptography library named sgx_tcrypto. You can refer it for the functions implemented in that library. You can check the supported functions and Un Supported standard functions here:(Page 92) :https://download.01.org/intel-sgx/linux-1.7/docs/Intel_SGX_SDK_Developer_Reference_Linux_1.7_Open_Source.pdf

For doing File IO inside enclave, you can use OCALLS . You need to add trusted and untrusted headers in edl file .

For ex:

enclave {
   include "sgx_stdio_stubs.h" //for FILE and other definitions
   trusted {
       public void test_file_io(void);
   };
   untrusted {
FILE * fopen([in,string] const char * filename, [in,string] const char * mode) propagate_errno;
int fclose([user_check] FILE * stream) propagate_errno;
size_t fwrite([in, size=size, count=count] const void * buf-fer,size_t size,size_t count, [user_check]FILE * stream) propagate_errno;
   };
};

-Surenthar

Hi:

you_w_ — Tue, 25 Jul 2017 06:45:51 GMT

Hi:

As I know, there isn't a IntelProtectedFileSystem on linux. On linux you need to create Ocall functions to do such operation. And the mentioned header file is some struct and typedefs which you need to write by yourself.

Regards

you

Hi You,

Elephant — Tue, 25 Jul 2017 06:51:04 GMT

Hi You,

Thanks for this information. I will take note.

Kind Regards,

Elephant