How to access the non-EPC part of memory directly from inside the enclave. Let us assume that there is a global variable that is defined in the application. Now, from inside the enclave which has been created by the application this variable needs to be accessed. Since this variable is not sensitive, I want to access it directly without paying the OCALL overhead. Is this possible? how?
I appreciate your help.
- General Support
Remember that enclaves do not trust host software or the applications that call it. The enclave has no knowledge of global variables in the host application. The host application can pass data to the enclave via the parameters in the ECALL.
Thanks for your comment. I appreciate your quick reply.
Then how we can distinguish between sensitive data and non-sensitive data that we want to pass to the enclave. For example, if I have an Ecall like
f([in,out, count=len]*buffer, int len), the buffer will be copied into EPC and it would be considered as a sensitive data, integrity verification and confidentiality supported. How to pass this buffer to the enclave if I do not want to move it into EPC and I do not want to pay for any security primitives?
thanks for your help.
I think you have already found the user_check attribute, which is how to pass buffers without copying them into the EPC. However, if you do pass buffers to enclaves without performing any checks yourself you are putting your software at risk since that buffer can be changed by a malicious application without the enclave's knowledge. This is why enclaves do not trust host software.