- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
Several projects like EdgelessRT's Ego and mysticos use OpenEnclave's `oe_add_vectored_exception_handler` to add a callback (*). This callback filters the exception by the CPUID opcall and then make an ocall to fwd that to the host.
For instance, I am using a dependency in the enclave that will depend on https://github.com/minio/sha256-simd - so as I understand the cpuid calls are to check if CPU is capable of these optimizations.
So this generated more doubts in me.
If we pass that to the host, and the host is able to show the CPU is capable of everything, will the code inside the enclave be able to take advantage of that? Or, is there a possibility that the CPU is capable, but the SGX enclave is "locking" those resources, so they are unusable?
Thanks for the support
(*) example
https://github.com/edgelesssys/ego/blob/master/src/exception_handler.cpp#L19
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Josebraga,
"The CPUID instruction is also illegal inside the enclave. Thus software that retrieves CPUID information must do so outside the enclave. Therefore, this information cannot be assured from a security viewpoint and should be used carefully.
An enclave writer may write a custom untrusted function for gathering host system state, which may include CPUID values, system environment variables, and additional application attributes.
The results from a specific CPUID leaf could then be preserved inside the enclave (via a specific ECall) to avoid the overhead associated with performing an OCall to execute the CPUID instruction outside an enclave.
The key point is that this information is gathered in the untrusted domain and thus the application enclave should design and validate for the scenario in which unexpected or inconsistent data is provided. "
For more information, refer https://download.01.org/intel-sgx/sgx-linux/2.11/docs/Intel_SGX_Developer_Guide.pdf page 35
For more exception handling in SGX, refer https://cdrdv2-public.intel.com/671544/exception-handling-in-intel-sgx.pdf
Regards,
Wan
Link Copied
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Josebraga,
Thanks for reaching out to us.
Let me check with relevant team and I'll update here at the earliest.
Regards,
Wan
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Josebraga,
"The CPUID instruction is also illegal inside the enclave. Thus software that retrieves CPUID information must do so outside the enclave. Therefore, this information cannot be assured from a security viewpoint and should be used carefully.
An enclave writer may write a custom untrusted function for gathering host system state, which may include CPUID values, system environment variables, and additional application attributes.
The results from a specific CPUID leaf could then be preserved inside the enclave (via a specific ECall) to avoid the overhead associated with performing an OCall to execute the CPUID instruction outside an enclave.
The key point is that this information is gathered in the untrusted domain and thus the application enclave should design and validate for the scenario in which unexpected or inconsistent data is provided. "
For more information, refer https://download.01.org/intel-sgx/sgx-linux/2.11/docs/Intel_SGX_Developer_Guide.pdf page 35
For more exception handling in SGX, refer https://cdrdv2-public.intel.com/671544/exception-handling-in-intel-sgx.pdf
Regards,
Wan
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Josebraga,
Thanks for your question.
If you need any additional information from Intel, please submit a new question as this thread will no longer be monitored.
Regards,
Wan

- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page