topic Hello Surenthar, in Intel® Software Guard Extensions (Intel® SGX)

Can an Enclave be shared among different processes?

Changzheng_W_Intel — Tue, 27 Sep 2016 11:34:32 GMT

For example, I create an enclave using sgx_create_enclave() and save the token into a file.

Can another process access the enclave using the same token?

If not, is there any way to share data inside an enclave for different processes?

Thanks

Hi,

Surenthar_S_Intel — Tue, 27 Sep 2016 11:49:57 GMT

Hi,

Please look into this link https://software.intel.com/en-us/blogs/2016/05/04/introduction-to-intel-sgx-sealing

-Surenthar

Quote:Surenthar Selvaraj.

Changzheng_W_Intel — Tue, 27 Sep 2016 13:29:00 GMT

Surenthar Selvaraj. (Intel) wrote:

Hi,

Please look into this link https://software.intel.com/en-us/blogs/2016/05/04/introduction-to-intel-sgx-sealing

-Surenthar

So enclave and share data using seal scenario.

Can two different process refer to a same enclave?

What is the sgx_lauch_token_t used for in sgx_create_enclave() function

Thanks

Hi,

Surenthar_S_Intel — Wed, 28 Sep 2016 04:59:16 GMT

Hi,

>> What is the sgx_lauch_token_t used for in sgx_create_enclave() function?

A pointer to an sgx_launch_token_t object used to initialize the enclave to be created. Must not be NULL. The caller can provide an all-0 buffer as the sgx_launch_token_t object, in which case, the function will attempt to create a valid sgx_launch_ token_ tobject and store it in the buffer. The caller should store the sgx_launch_token_ t object and re-use it in future calls to create the same enclave. Certain platform configuration changes can invalidate a previously stored sgx_ launch_token_t object. If the token provided is not valid, the function will attempt to update it to a valid one.

Hi,

Surenthar_S_Intel — Wed, 28 Sep 2016 13:41:51 GMT

Hi,

Can an Enclave be shared among different processes?

Not directly. But there are several approaches that can be considered:

1) Implement the enclave as a service enclave that can receive requests and serve those requests depending on the API interface define for that enclave.

2) Local attestation - have enclaves establish trust with one another and establish a secure channel for passing information

3) Enclaves signed with the same MRSIGNER can generate a common seal key and share a seal blob to pass data.

-Surenthar

Hello Surenthar,

Rohit_J_1 — Fri, 21 Oct 2016 07:10:00 GMT

Hello Surenthar,

Can we are able to send data to/from one enclave to another enclave, when running under the same application (if we don't want to use local attestation)? Can we use same MRSIGNER for this?

Regards,

Rohit

Quote:Rohit J. wrote:

Surenthar_S_Intel — Mon, 24 Oct 2016 04:00:59 GMT

Rohit J. wrote:

Hello Surenthar,

Can we are able to send data to/from one enclave to another enclave, when running under the same application (if we don't want to use local attestation)? Can we use same MRSIGNER for this?

Regards,

Rohit

If both enclaves belong to the same application with same MRSIGNER, they can both derive the same seal key and use that to pass messages around. Enclave1 can encrypt a message with the seal key and store it on disk. Enclave 2 can decrypt the message blob with the same seal key. For this approach you don’t need local attestation with the assumption that you will trust any enclave that have the same MRSIGNER.

Quote:Selvaraj, Surenthar

Han__Xi — Wed, 22 Nov 2017 23:28:31 GMT

Selvaraj, Surenthar (Intel) wrote:

1) Implement the enclave as a service enclave that can receive requests and serve those requests depending on the API interface define for that enclave.

What did you mean by "service enclave"? Is it a special kind of enclave or just an enclave launched by a daemon process?

Thanks,