Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

AES-128 inside an enclave using USER_CHECK

bianca
Beginner
1,301 Views

Hi, in Impression of Intel SGX Performance the authors generate some benchmarks to analyse the performance of a program encrypting data inside the enclaves using AES-128. They say that both the in buffer and the out buffer are declared using 'USER_CHECK'. But how can you do that? I have a program that does the same thing, but I declare my parameters using [in, out]. When I try to switch to 'USER_CHECK', the enclave in buffer is empty after calling the function. How do you copy an 'USER_CHECK' pointer memory to the enclave and back to the untrusted memory?

0 Kudos
1 Solution
JesusG_Intel
Moderator
1,292 Views

Hello Bianca,

 

The sample solution that is attached to the bottom of this article, https://software.intel.com/content/www/us/en/develop/articles/intel-software-guard-extensions-tutorial-part-7-refining-the-enclave.html, has several functions that are declared with [user_check] in the EDL. Check the EDL file in the Enclave project. You will find the user_check functions in Enclave.cpp.

The article also explains how it uses the user_check parameter.

 

View solution in original post

0 Kudos
6 Replies
JesusG_Intel
Moderator
1,293 Views

Hello Bianca,

 

The sample solution that is attached to the bottom of this article, https://software.intel.com/content/www/us/en/develop/articles/intel-software-guard-extensions-tutorial-part-7-refining-the-enclave.html, has several functions that are declared with [user_check] in the EDL. Check the EDL file in the Enclave project. You will find the user_check functions in Enclave.cpp.

The article also explains how it uses the user_check parameter.

 

0 Kudos
JesusG_Intel
Moderator
1,268 Views

Hi Bianca,


Was the sample code I sent you earlier helpful to you?


0 Kudos
bianca
Beginner
1,256 Views

Hi Jesus,

 

I believe it did in the sense that it is working, but I am still confused about the performance. Because when I change the data in buffer pointer from [in, out] to [user_check] and copy this plain text data to the enclave, it takes 3 times longer to perform the overall computation. My buffer in pointer is [user_check] flagged and the buffer out is [in, out] as from my understanding the enclave environment cannot read the enclave content, it must be crossed through the proxy bridge.

In the developer reference, it says it should be the other way around, but there is a massive difference between my benchmarks (100-150 MB/sec) vs the one from the link that I sent (1000-2000 MB/sec).

 

0 Kudos
JesusG_Intel
Moderator
1,248 Views

Hello Bianca,


In both the Intel code sample and the paper, the authors used [user_check] for both the input and output buffers in the ECALL. See this excerpt from the Intel article:


The original EDL for ve_load_vault() and ve_get_vault() looks like this:

public int ve_load_vault ([in, count=len] unsigned char *edata, uint32_t len);


public int ve_get_vault ([out, count=len] unsigned char *edata, uint32_t len);


Rewriting these to specify user_check results in the following:


public int ve_load_vault ([user_check] unsigned char *edata);


public int ve_get_vault ([user_check] unsigned char *edata, uint32_t len);



0 Kudos
JesusG_Intel
Moderator
1,232 Views

Hi Bianca,


Do you still need help with this issue?


0 Kudos
JesusG_Intel
Moderator
1,223 Views

Intel is no longer monitoring this thread. If you want a response from Intel in a follow-up question, please open a new thread.


0 Kudos
Reply