Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

Build the architecture enclaves from source code

yunfeng7854
New Contributor I

I tried two ways to build the pre-built binaries by myself. I am working on the 1.9 version with gcc-5.4.0 on Ubuntu 16.04.4.

  1. Use `make USE_OPT_LIBS=0` to use the non-optimized source code version of the implementation, as stated in the README.md. Then `make sdk_install_pkg USE_OPT_LIBS=0` succeeds, but `make psw_install_pkg USE_OPT_LIBS=0` fails. It still looks for the pre-built binaries in the folder `psw/ae/data/prebuilt`.
  2. Build each Architecture Enclave by using the `make` command from the corresponding folder, e.g. in the `psw/ae/qe` folder. There turn out to be some compile errors or link errors.

I am trying to understand how the quoting enclave works. Is the pre-built libsgx_qe.signed.so compiled from the provided sources? Is it all right to refer to the implementation in the qe folder?

Any help is appreciated. Thanks

Wenhao

 

3 Replies
Shivananda_H_Intel

All prebuilt AEs are built with optimized libraries.

The build command `USE_OPT_LIBS=0 make psw_install_pkg` succeeds.

Can you check if your default build configuration works fine?

-Regards

Shivananda

yunfeng7854
New Contributor I

The default compiling option `make psw_install_pkg` works fine. I'd like to understand the design of the prebuilt libsgx_qe.signed.so. Can I look into the source code of `psw/ae/qe/`? I assume the source code and the prebuilt binaries are following the same routine to generate the quote. Thanks.

Wenhao

Fatima_A_
Beginner

What I am trying to do is something similar but for the PSE (Platform Service Enclave). I have made changes to the PSE code under (/psw/ae/pse/pse_op) and it is being compiled. I used the option USE_OPT_LIBS=0 to compile the source, and after solving various errors, I am able to successfully compile the sdk and psw code (also the code which I have changed in pse_op, eventually generating the "pse_op.so" file), and then install the binaries in the proper folders. I have verified that the proper folders have my compiled "pse_op.so" instead of the Intel-provided "libsgx_pse_op.signed.so" prebuilt files.

Now when I try running a simple "sgx_create_pse_session()" from an enclave, it fails with the error code "0x4001", which corresponds to "SGX_ERROR_SERVICE_UNAVAILABLE", and the comments say "Indicates aesm didn't respond or the requested service is not supported" according to the "sgx_error.h" file. Since creating a PSE session with the PSE enclave is supported, I feel like the problem is that the aesm service is not responding. What I believe is that because the pse_op enclave source code which I built into an enclave file (pse_op.so) is not signed by Intel keys, the aesm service is rejecting it. Kindly correct me if my analysis is incorrect. Also, is there a way through which I can disable the feature in aesm which looks for the Intel-signed enclave? Or can I sign the enclave with a new key and make aesm accept that?

I really need an answer to it because I need to implement a new service in PSE for my own development and testing purposes. Would appreciate help from Intel folks.
