Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

Best way to NO SGX mode

X99
New Contributor I
1,192 Views

Hi.

Let's say that a program has a process that can be done within an enclave or not. Some encryption for example.

Is there a way to have a function and decide at runtime if it will execute in an enclave or not?

Thanks in advance.

5 Replies
JesusG_Intel
Moderator
1,181 Views

Hello X99,


The untrusted application must decide which code path to take based on the status of SGX on the platform. Fortunately, the SGX SDK provides several functions that help you detect the status of SGX.

Navigate to the section "Intel® Software Guard Extensions SDK Feature-Detection Functions" in "Properly Detecting Intel® Software Guard Extensions (Intel® SGX) in Your Applications" for a full explanation of these functions. Scroll down further for code samples.


The functions are:

  • sgx_is_capable()
  • sgx_cap_enable_device()
  • sgx_cap_get_status()
  • sgx_enable_device()


Sincerely,

Jesus G.

Intel Customer Support


X99
New Contributor I
1,178 Views

Off to a great start, thanks!

To be more precise, let's say that I have a function "foo" that does the sensitive processing.

At runtime, let's say that the untrusted app uses one of the functions you mentioned to decide whether it will use an enclave or not.

How can I build my app so that foo can be called either as being part of an enclave or not? Should I duplicate the function to have a copy in an enclave and a copy in a standard, untrusted executable? Or is there a way to avoid such code duplication?

JesusG_Intel
Moderator
1,176 Views

Hello X99,


You can implement foo() in a static library and link it to both your enclave and your untrusted app. This way, both the untrusted app and your enclave can call the function and you write the code only once. You can link a static library with your enclave as long as it does not have any dependencies. You can read more about linking with libraries in the SGX Developer Reference for your OS.


Sincerely,

Jesus G.

Intel Customer Support
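
The runtime dispatch discussed in this thread, as an added example that is not code from the thread or from Intel: one foo() shared by both builds, an enclave path taken only when sgx_cap_get_status() reports SGX_ENABLED, and an explicit policy so the fallback to untrusted execution is never silent. The USE_SGX_SDK flag, enclave_u.h, ecall_foo(), the enclave.signed.so file name, the policy names and the XOR body of foo() are all assumptions made for illustration.

```c
/* Added example, not from the thread. Without -DUSE_SGX_SDK it builds with no SDK. */
#include <stddef.h>
#include <stdint.h>
#ifdef USE_SGX_SDK                /* hypothetical build flag */
#include <sgx_capable.h>          /* sgx_cap_get_status() */
#include <sgx_urts.h>             /* sgx_create_enclave(), sgx_destroy_enclave() */
#include "enclave_u.h"            /* assumed edger8r output declaring ecall_foo() */
#endif

typedef enum { RAN_IN_ENCLAVE, RAN_UNTRUSTED, REFUSED } run_mode_t;
typedef enum { REQUIRE_ENCLAVE, ALLOW_FALLBACK } policy_t;

/* Shared routine: in a real build this sits in a dependency-free static library
 * linked into both the enclave and the app. The XOR is a placeholder body. */
void foo(uint8_t *buf, size_t len) {
    for (size_t i = 0; i < len; i++) buf[i] ^= 0x5A;
}

/* 1 only when SGX is enabled right now, not merely supported by the CPU. */
static int enclave_available(void) {
#ifdef USE_SGX_SDK
    sgx_device_status_t st;
    return sgx_cap_get_status(&st) == SGX_SUCCESS && st == SGX_ENABLED;
#else
    return 0;
#endif
}

/* Trusted path: load the enclave and call the ECALL that wraps foo(). */
static int run_in_enclave(uint8_t *buf, size_t len) {
#ifdef USE_SGX_SDK
    sgx_enclave_id_t eid; sgx_launch_token_t token = {0}; int updated = 0;
    if (sgx_create_enclave("enclave.signed.so", 0, &token, &updated, &eid, NULL)
            != SGX_SUCCESS) return -1;
    sgx_status_t rc = ecall_foo(eid, buf, len);   /* assumed EDL: [in,out,size=len] */
    sgx_destroy_enclave(eid);
    return rc == SGX_SUCCESS ? 0 : -1;
#else
    (void)buf; (void)len;
    return -1;
#endif
}

/* Dispatcher: the caller states whether running outside an enclave is acceptable. */
run_mode_t process(uint8_t *buf, size_t len, policy_t policy) {
    if (enclave_available() && run_in_enclave(buf, len) == 0) return RAN_IN_ENCLAVE;
    if (policy == REQUIRE_ENCLAVE) return REFUSED;  /* no silent downgrade */
    foo(buf, len);                                  /* untrusted copy of the same code */
    return RAN_UNTRUSTED;
}
```

Returning the mode that was actually used lets the caller log or reject an untrusted run instead of assuming enclave protection was in place.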


X99
New Contributor I
1,172 Views

That's all the info I was searching for, thanks!

JesusG_Intel
Moderator
1,159 Views

This thread has been marked as answered and Intel will no longer monitor this thread. If you want a response from Intel in a follow-up question, please open a new thread.

