Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

Allocate executable memory

Rodolfo_S_

Hi, everyone.

Is it possible to allocate executable memory inside an enclave at run time (e.g., using mmap)?

Thanks,

Rodolfo

Rodolfo_S_

Hi, Surenthar.

That query actually doesn't answer my question. I should have stressed the word "executable" in my question. I do know that an enclave can allocate memory using malloc, but my question is more specific. My question is: can I use the allocated memory to store executable code, and, furthermore, can I execute that code inside the enclave (no OCALLs/syscalls involved)?

Thanks,

Rodolfo

Francisco_C_Intel

I think the short answer is no.

More details regarding a similar question (loader program in an enclave) are here:

https://software.intel.com/en-us/forums/intel-software-guard-extensions-intel-sgx/topic/624878

If you are using Linux, then similar considerations apply to ELF .so files (instead of PE .dll files).

Rodolfo_S_

Hi, Francisco.

Thanks for pointing this out to me. That was precisely the information that I was seeking. I guess I'll just have to wait for SGX2 to be released or find a way to configure my pages to have RWX permission by default.

Thanks.

Shredha_K_

Rodolfo S. wrote:

Hi, Francisco.

Thanks for pointing this out to me. That was precisely the information that I was seeking. I guess I'll just have to wait for SGX2 to be released or find a way to configure my pages to have RWX permission by default.

Thanks.

Hi all,

Is there any possible way to configure the EPC pages with RWX permission in SGX1?

Thanks :)

Surenthar_S_Intel

Hi,

With SGX1 you cannot modify the permissions of an EPC page after it has been EADD'ed. Using the Intel(R) SGX SDK, the section in the .dll enclave file must be loaded with RWX permission in order to be both writable and executable.

Note: Using RWX sections and dynamically loading code into an enclave may create security vulnerabilities. It should be done with caution. Section 10 of the Intel(R) SGX Enclave Writer's Guide touches on some of the concerns.

-Surenthar

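An added example, not part of the original thread and not Intel SGX SDK code: a build-time check for the risk noted in the last reply, listing the loadable segments of an enclave image that would be mapped both writable and executable. It assumes a Linux enclave built as a little-endian ELF64 .so whose load permissions follow the program-header flags; the function names and the sample image are constructed for illustration.

```python
import struct

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # ELF64 file header (64 bytes)
PHDR = struct.Struct("<IIQQQQQQ")           # ELF64 program header (56 bytes)
PT_LOAD, PF_X, PF_W, PF_R = 1, 0x1, 0x2, 0x4

def load_segments(image: bytes):
    """Return (vaddr, memsz, flags) for every PT_LOAD segment of an ELF64 LE image."""
    if len(image) < EHDR.size:
        raise ValueError("truncated ELF header")
    hdr = EHDR.unpack_from(image, 0)
    ident, phoff, phentsize, phnum = hdr[0], hdr[5], hdr[9], hdr[10]
    if ident[:4] != b"\x7fELF" or ident[4] != 2 or ident[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    if phentsize != PHDR.size or phoff + phnum * phentsize > len(image):
        raise ValueError("program header table is malformed or out of bounds")
    segs = []
    for i in range(phnum):
        p_type, flags, _off, vaddr, _pa, _fsz, memsz, _al = PHDR.unpack_from(
            image, phoff + i * phentsize)
        if p_type == PT_LOAD:
            segs.append((vaddr, memsz, flags))
    return segs

def perm(flags: int) -> str:
    """Render segment flags in the familiar R/W/X form."""
    return "".join(c if flags & b else "-" for c, b in (("R", PF_R), ("W", PF_W), ("X", PF_X)))

def rwx_segments(image: bytes):
    """Segments that would be loaded both writable and executable."""
    return [s for s in load_segments(image) if s[2] & PF_W and s[2] & PF_X]

def build_sample(seg_flags):
    """Constructed test input: ELF header plus one PT_LOAD per flag value, no real code."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    ehdr = EHDR.pack(ident, 3, 62, 1, 0, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, len(seg_flags), 0, 0, 0)
    phdrs = b"".join(PHDR.pack(PT_LOAD, f, 0, 0x1000 * (i + 1), 0, 0, 0x1000, 0x1000)
                     for i, f in enumerate(seg_flags))
    return ehdr + phdrs

if __name__ == "__main__":
    sample = build_sample([PF_R | PF_X, PF_R | PF_W, PF_R | PF_W | PF_X])
    for vaddr, memsz, flags in rwx_segments(sample):
        print(f"RWX segment at {vaddr:#x}, {memsz:#x} bytes ({perm(flags)})")
```

Run against a real enclave .so in a build pipeline, an empty result means no segment is loaded writable and executable at once; any hit is a place to review against the Enclave Writer's Guide concerns mentioned above.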