Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

Can an Enclave be shared among different processes?

Changzheng_W_Intel
1,982 Views

For example, I create an enclave using sgx_create_enclave() and save the token into a file.

Can another process access the enclave using the same token?

If not, is there any way to share data inside an enclave for different processes?


Thanks

7 Replies
Surenthar_S_Intel
Changzheng_W_Intel

Surenthar Selvaraj. (Intel) wrote:

Hi,

Please look into this link https://software.intel.com/en-us/blogs/2016/05/04/introduction-to-intel-sgx-sealing

-Surenthar


So enclaves can share data using the sealing scenario.

Can two different processes refer to the same enclave?

What is the sgx_launch_token_t used for in the sgx_create_enclave() function?

Thanks

Surenthar_S_Intel

Hi,

>> What is the sgx_launch_token_t used for in the sgx_create_enclave() function?

A pointer to an sgx_launch_token_t object used to initialize the enclave to be created. Must not be NULL. The caller can provide an all-0 buffer as the sgx_launch_token_t object, in which case the function will attempt to create a valid sgx_launch_token_t object and store it in the buffer. The caller should store the sgx_launch_token_t object and re-use it in future calls to create the same enclave. Certain platform configuration changes can invalidate a previously stored sgx_launch_token_t object. If the token provided is not valid, the function will attempt to update it to a valid one.

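The token handling described in the reply above, written out as an added example (it is not code from this thread or from the Intel SGX SDK samples). It is the untrusted, application-side part of an SGX project and needs the SDK headers and sgx_urts to build; the enclave image name, the token file name and the ENCLAVE_DEBUG setting are assumed. Note what the code cannot do: every call to sgx_create_enclave() creates a new enclave instance in the calling process, so a second process reusing the same token file gets its own copy of the enclave, not a handle to the first one.

```c
/* Added example: cache the launch token on disk and reuse it across runs.
 * Requires the Intel SGX SDK (sgx_urts.h); link against sgx_urts or sgx_urts_sim.
 * ENCLAVE_FILE, TOKEN_FILE and ENCLAVE_DEBUG are assumed values for this example. */
#include <stdio.h>
#include <string.h>
#include <sgx_urts.h>

#define ENCLAVE_FILE  "enclave.signed.so"  /* assumed path to the signed enclave */
#define TOKEN_FILE    "launch_token.bin"   /* assumed cache location */
#define ENCLAVE_DEBUG 1                    /* must be 0 for a production enclave */

/* Read a previously saved token. An all-zero buffer asks the runtime to
 * obtain a fresh one, so any read failure falls back to zeros. */
static void load_token(sgx_launch_token_t *token)
{
    memset(token, 0, sizeof(*token));
    FILE *f = fopen(TOKEN_FILE, "rb");
    if (f == NULL)
        return;
    if (fread(token, 1, sizeof(*token), f) != sizeof(*token))
        memset(token, 0, sizeof(*token));  /* short or corrupt file: start over */
    fclose(f);
}

static void save_token(const sgx_launch_token_t *token)
{
    FILE *f = fopen(TOKEN_FILE, "wb");
    if (f == NULL)
        return;
    fwrite(token, 1, sizeof(*token), f);
    fclose(f);
}

/* Create the enclave using the cached token. Returns the enclave id, or 0 on
 * failure. The token only authorises the launch; it is not a reference to an
 * enclave that already exists in some other process. */
sgx_enclave_id_t create_enclave_with_cached_token(void)
{
    sgx_launch_token_t token;
    int updated = 0;
    sgx_enclave_id_t eid = 0;

    load_token(&token);
    sgx_status_t st = sgx_create_enclave(ENCLAVE_FILE, ENCLAVE_DEBUG,
                                         &token, &updated, &eid, NULL);
    if (st != SGX_SUCCESS) {
        fprintf(stderr, "sgx_create_enclave failed: 0x%x\n", st);
        return 0;
    }
    /* The runtime rewrites the token when the cached one was invalid, for
     * example after a platform configuration change; persist the new one. */
    if (updated)
        save_token(&token);
    return eid;
}

int main(void)
{
    sgx_enclave_id_t eid = create_enclave_with_cached_token();
    if (eid == 0)
        return 1;
    /* ... ECALLs into the enclave go here ... */
    sgx_destroy_enclave(eid);
    return 0;
}
```

Treat the token file as a cache, not a secret: it carries no key material, and a missing or stale file only costs one extra round trip to the launch service. On platforms with Flexible Launch Control newer SDK releases no longer need the token at all and keep the parameter for compatibility.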
Surenthar_S_Intel

Hi,

Can an Enclave be shared among different processes?

Not directly.  But there are several approaches that can be considered: 

1) Implement the enclave as a service enclave that can receive requests and serve those requests depending on the API interface defined for that enclave.

2) Local attestation - have enclaves establish trust with one another and establish a secure channel for passing information

3) Enclaves signed with the same MRSIGNER can generate a common seal key and share a seal blob to pass data.

-Surenthar

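Option 3 above rests on which enclaves derive the same seal key, and that is decided by the key policy in the key request. The following is an added example, not code from this thread or from the SGX SDK: a small model of the documented EGETKEY rules for seal keys, enough to show who can unseal a blob under SGX_KEYPOLICY_MRENCLAVE versus SGX_KEYPOLICY_MRSIGNER. The identities are constructed placeholders (byte patterns, not real measurements), and the model deliberately leaves out CPUSVN, OWNEREPOCH and the attribute masks, which also enter the real derivation.

```c
/* Added example: model of SGX seal-key access under the two key policies.
 * Not SDK code; identities are constructed placeholders for the demonstration. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum key_policy { POLICY_MRENCLAVE = 1, POLICY_MRSIGNER = 2 };

/* The identity fields that SGX feeds into seal-key derivation. */
struct enclave_identity {
    const char *name;
    uint8_t  mrenclave[32];  /* hash of enclave contents: changes with every build */
    uint8_t  mrsigner[32];   /* hash of the signing key: same for one vendor */
    uint16_t isvprodid;      /* product id from the signed metadata */
    uint16_t isvsvn;         /* security version number from the signed metadata */
};

/* What a sealed blob records (in the real format: its sgx_key_request_t). */
struct seal_blob_header {
    enum key_policy policy;
    uint8_t  mrenclave[32];
    uint8_t  mrsigner[32];
    uint16_t isvprodid;
    uint16_t isvsvn;
};

/* Build a constructed identity; tags stand in for the 32-byte measurements. */
struct enclave_identity make_identity(const char *name, uint8_t enclave_tag,
                                      uint8_t signer_tag, uint16_t prodid, uint16_t svn)
{
    struct enclave_identity e;
    e.name = name;
    memset(e.mrenclave, enclave_tag, sizeof e.mrenclave);
    memset(e.mrsigner, signer_tag, sizeof e.mrsigner);
    e.isvprodid = prodid;
    e.isvsvn = svn;
    return e;
}

/* Sealing records the sealer's identity and the chosen policy. */
struct seal_blob_header seal(const struct enclave_identity *e, enum key_policy policy)
{
    struct seal_blob_header b;
    b.policy = policy;
    memcpy(b.mrenclave, e->mrenclave, sizeof b.mrenclave);
    memcpy(b.mrsigner, e->mrsigner, sizeof b.mrsigner);
    b.isvprodid = e->isvprodid;
    b.isvsvn = e->isvsvn;
    return b;
}

/* True if `caller` would derive the same seal key the blob was sealed with. */
bool can_unseal(const struct enclave_identity *caller, const struct seal_blob_header *b)
{
    /* ISVPRODID is part of the derivation under both policies: two products
     * of the same vendor never share a seal key. */
    if (caller->isvprodid != b->isvprodid)
        return false;
    /* EGETKEY rejects a key request whose ISVSVN is above the caller's own.
     * An older (possibly vulnerable) build cannot unseal data sealed by a
     * newer one, while the newer build can still read what older builds sealed. */
    if (b->isvsvn > caller->isvsvn)
        return false;
    switch (b->policy) {
    case POLICY_MRENCLAVE:
        return memcmp(caller->mrenclave, b->mrenclave, sizeof b->mrenclave) == 0;
    case POLICY_MRSIGNER:
        return memcmp(caller->mrsigner, b->mrsigner, sizeof b->mrsigner) == 0;
    }
    return false;
}

int main(void)
{
    struct enclave_identity ids[4] = {
        make_identity("vendorA prod1 v1 (svn 1)", 0xA1, 0x5A, 1, 1),
        make_identity("vendorA prod1 v2 (svn 2)", 0xA2, 0x5A, 1, 2),
        make_identity("vendorA prod2    (svn 1)", 0xA3, 0x5A, 2, 1),
        make_identity("vendorB prod1    (svn 1)", 0xB1, 0x5B, 1, 1),
    };
    enum key_policy policies[2] = { POLICY_MRENCLAVE, POLICY_MRSIGNER };
    for (int p = 0; p < 2; p++) {
        printf("sealed by %s under %s:\n", ids[0].name,
               policies[p] == POLICY_MRENCLAVE ? "MRENCLAVE" : "MRSIGNER");
        struct seal_blob_header b = seal(&ids[0], policies[p]);
        for (int i = 0; i < 4; i++)
            printf("  %-26s can unseal: %s\n", ids[i].name,
                   can_unseal(&ids[i], &b) ? "yes" : "no");
    }
    return 0;
}
```

The practical reading for this thread: under MRSIGNER policy every enclave you have ever signed with that key and ISVPRODID, running in any process, can read the blob; the only brake is ISVSVN, so bump it whenever a release fixes a bug that could leak the key.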
Rohit_J_1

Hello Surenthar,

Are we able to send data to/from one enclave to another enclave when running under the same application (if we don't want to use local attestation)? Can we use the same MRSIGNER for this?


Regards,

Rohit

Surenthar_S_Intel

Rohit J. wrote:

Hello Surenthar,

Are we able to send data to/from one enclave to another enclave when running under the same application (if we don't want to use local attestation)? Can we use the same MRSIGNER for this?

Regards,

Rohit

If both enclaves belong to the same application with the same MRSIGNER, they can both derive the same seal key and use that to pass messages around. Enclave 1 can encrypt a message with the seal key and store it on disk. Enclave 2 can decrypt the message blob with the same seal key. For this approach you don't need local attestation, with the assumption that you will trust any enclave that has the same MRSIGNER.

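The seal-and-unseal exchange from the reply above, as an added example (not code from this thread, and not one of the SGX SDK samples). These are trusted, enclave-side functions built with the Intel SGX SDK (sgx_tseal.h; link sgx_tservice and sgx_tcrypto) and are assumed to be exposed as ECALLs in the enclave's EDL, with the blob passed as an [in, size=...] parameter so it already sits in enclave memory when the function runs; the AAD label is an assumed string, not an SDK constant. The blob that seal_for_signer() produces can be written to disk by the host and handed to any other process that loads an enclave signed with the same key, same ISVPRODID and an ISVSVN at least as high; that process's enclave calls unseal_from_signer() on it.

```c
/* Added example: enclave-side sealing under SGX_KEYPOLICY_MRSIGNER.
 * Requires the Intel SGX SDK trusted headers; AAD_LABEL is an assumed value. */
#include <stdint.h>
#include <string.h>
#include <sgx_tseal.h>
#include <sgx_key.h>

/* Additional authenticated data binds the blob to one purpose, so the host
 * cannot hand a blob sealed for some other ECALL of the same signer to this one. */
static const char AAD_LABEL[] = "example-shared-secret-v1";

/* Seal `secret` so any same-signer enclave can unseal it. Writes the blob to
 * `out` and returns its size, or 0 if `out_cap` is too small or sealing fails. */
uint32_t seal_for_signer(const uint8_t *secret, uint32_t secret_len,
                         uint8_t *out, uint32_t out_cap)
{
    uint32_t need = sgx_calc_sealed_data_size(sizeof(AAD_LABEL), secret_len);
    if (need == UINT32_MAX || need > out_cap)
        return 0;

    /* Same attribute and MISCSELECT masks sgx_seal_data() uses by default;
     * spelled out here only to make the MRSIGNER policy choice explicit. */
    sgx_attributes_t attribute_mask;
    attribute_mask.flags = TSEAL_DEFAULT_FLAGSMASK;
    attribute_mask.xfrm = 0;

    sgx_status_t st = sgx_seal_data_ex(SGX_KEYPOLICY_MRSIGNER, attribute_mask,
                                       TSEAL_DEFAULT_MISCMASK,
                                       sizeof(AAD_LABEL), (const uint8_t *)AAD_LABEL,
                                       secret_len, secret,
                                       need, (sgx_sealed_data_t *)out);
    if (st != SGX_SUCCESS) {
        memset(out, 0, out_cap);
        return 0;
    }
    return need;
}

/* Unseal a blob produced by seal_for_signer() (possibly in another process).
 * Returns the plaintext length, or 0 if the blob is malformed, was sealed by a
 * different signer/product, carries a different label, or fails its MAC. */
uint32_t unseal_from_signer(const uint8_t *blob, uint32_t blob_len,
                            uint8_t *out, uint32_t out_cap)
{
    if (blob_len < sizeof(sgx_sealed_data_t))
        return 0;
    const sgx_sealed_data_t *sd = (const sgx_sealed_data_t *)blob;

    /* Lengths come from the (MAC-protected) header; cross-check them against
     * the byte count the host actually handed us before trusting them. */
    uint32_t aad_len = sgx_get_add_mac_txt_len(sd);
    uint32_t txt_len = sgx_get_encrypt_txt_len(sd);
    if (aad_len == UINT32_MAX || txt_len == UINT32_MAX)
        return 0;
    if (sgx_calc_sealed_data_size(aad_len, txt_len) != blob_len)
        return 0;
    if (aad_len != sizeof(AAD_LABEL) || txt_len > out_cap)
        return 0;

    uint8_t aad[sizeof(AAD_LABEL)];
    sgx_status_t st = sgx_unseal_data(sd, aad, &aad_len, out, &txt_len);
    if (st != SGX_SUCCESS) {          /* wrong key (other signer/product/SVN) or tampering */
        memset(out, 0, out_cap);
        return 0;
    }
    /* The MAC already covered the AAD; this check only confirms it is the
     * label this ECALL expects rather than some other blob from our signer. */
    if (memcmp(aad, AAD_LABEL, sizeof(AAD_LABEL)) != 0) {
        memset(out, 0, txt_len);
        return 0;
    }
    return txt_len;
}
```

Two caveats when using this across processes. First, unsealing fails with the same error whether the blob came from a foreign signer or was tampered with, so callers should treat any failure as "not ours" rather than trying to distinguish. Second, nothing in the blob records which enclave sealed it beyond the signer, so if the two enclaves are different products or need to know which version produced the data, put that in the AAD or switch to local attestation as in option 2 above.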
Han__Xi

Selvaraj, Surenthar (Intel) wrote:

1) Implement the enclave as a service enclave that can receive requests and serve those requests depending on the API interface define for that enclave.

What did you mean by "service enclave"? Is it a special kind of enclave or just an enclave launched by a daemon process?

Thanks,

Xi
