Hi,
Can we execute various Linux commands inside an SGX enclave, like the ones below?
cryptsetup
ln
and so on.
How do we do file I/O inside the enclave?
Thanks,
Rajendra
Hi,
The Intel SGX SDK includes a trusted cryptography library named sgx_tcrypto. You can refer to it for the functions implemented in that library. You can check the supported and unsupported standard functions here (page 92): https://download.01.org/intel-sgx/linux-1.7/docs/Intel_SGX_SDK_Developer_Reference_Linux_1.7_Open_Source.pdf
For file I/O inside the enclave, you can use OCALLs. You need to add the trusted and untrusted headers in the EDL file.
For example:
    enclave {
        include "sgx_stdio_stubs.h" // for FILE and other definitions
        trusted {
            public void test_file_io(void);
        };
        untrusted {
            FILE * fopen([in, string] const char * filename, [in, string] const char * mode) propagate_errno;
            int fclose([user_check] FILE * stream) propagate_errno;
            size_t fwrite([in, size=size, count=count] const void * buffer, size_t size, size_t count, [user_check] FILE * stream) propagate_errno;
        };
    };
-Surenthar
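As an added example (not code from the thread, nor from the Intel SGX SDK), here is what the untrusted side of those OCALLs can look like. It is written against a hypothetical EDL variant of the one above that hands the enclave a small integer handle instead of a `[user_check] FILE *`, so the enclave never holds a host pointer; the names `ocall_fopen`, `ocall_fwrite`, `ocall_fclose`, `enclave_write_blob` and `round_trip_ok` are my own. It compiles and runs without the SDK because the enclave side is modelled as a plain C call; in a real build the trusted proxy generated by sgx_edger8r wraps each OCALL in an `sgx_status_t` return with the real result in a `retval` out-parameter.

```c
/* Added example, not from the thread or the SGX SDK. Hypothetical EDL it serves:
 *   untrusted {
 *       int    ocall_fopen([in, string] const char *path, [in, string] const char *mode) propagate_errno;
 *       size_t ocall_fwrite([in, size=len] const void *buf, size_t len, int fd) propagate_errno;
 *       int    ocall_fclose(int fd) propagate_errno;
 *   };
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define MAX_HANDLES 8

static FILE *g_handles[MAX_HANDLES];  /* slot index == handle given to the enclave */

/* Opens a file for the enclave; returns a handle >= 0, or -1 with errno set.
 * With propagate_errno in the EDL, edger8r copies errno back into the enclave. */
int ocall_fopen(const char *path, const char *mode)
{
    for (int i = 0; i < MAX_HANDLES; i++) {
        if (g_handles[i] == NULL) {
            FILE *f = fopen(path, mode);
            if (f == NULL)
                return -1;            /* errno already set by fopen */
            g_handles[i] = f;
            return i;
        }
    }
    errno = EMFILE;                   /* handle table full */
    return -1;
}

/* Validates a handle coming out of the enclave; the host never trusts it blindly. */
static FILE *lookup(int fd)
{
    if (fd < 0 || fd >= MAX_HANDLES || g_handles[fd] == NULL) {
        errno = EBADF;
        return NULL;
    }
    return g_handles[fd];
}

/* Writes len bytes; returns the count written (0 with errno = EBADF on a bad handle). */
size_t ocall_fwrite(const void *buf, size_t len, int fd)
{
    FILE *f = lookup(fd);
    if (f == NULL)
        return 0;
    return fwrite(buf, 1, len, f);
}

/* Closes the file and frees the slot; returns 0, or EOF with errno set. */
int ocall_fclose(int fd)
{
    FILE *f = lookup(fd);
    if (f == NULL)
        return EOF;
    g_handles[fd] = NULL;
    return fclose(f);
}

/* Enclave-side logic, shown without the sgx_status_t/retval wrapping edger8r adds.
 * `blob` must already be protected (e.g. the output of sgx_seal_data): every byte
 * passed through an [in] pointer is visible to the host, so a raw key must never
 * travel this way. Returns 0 on success, -1 (with errno) otherwise. */
int enclave_write_blob(const char *path, const unsigned char *blob, size_t len)
{
    int fd = ocall_fopen(path, "wb");
    if (fd < 0)
        return -1;
    size_t n = ocall_fwrite(blob, len, fd);
    int rc = ocall_fclose(fd);
    return (n == len && rc == 0) ? 0 : -1;
}

/* Host-side check: writes blob through the OCALLs, reads the file back and
 * returns 1 if the bytes on disk match, 0 otherwise. */
int round_trip_ok(const char *path, const unsigned char *blob, size_t len)
{
    unsigned char back[256];
    if (len > sizeof back || enclave_write_blob(path, blob, len) != 0)
        return 0;
    FILE *f = fopen(path, "rb");
    if (f == NULL)
        return 0;
    size_t n = fread(back, 1, sizeof back, f);
    fclose(f);
    return n == len && memcmp(blob, back, len) == 0;
}

int main(void)
{
    /* Constructed sample: stands in for a sealed blob, never a plaintext key. */
    const unsigned char blob[] = { 0x53, 0x47, 0x58, 0x00, 0xde, 0xad, 0xbe, 0xef };
    printf("round trip: %s\n",
           round_trip_ok("/tmp/sgx_ocall_demo.bin", blob, sizeof blob) ? "ok" : "FAILED");
    /* A forged or stale handle is rejected instead of dereferencing garbage. */
    int rc = ocall_fclose(42);
    printf("ocall_fclose(42) -> %d, errno=%s\n", rc, strerror(errno));
    return 0;
}
```

Two things to carry over to a real enclave: whatever goes through an `[in]` pointer in an OCALL is plaintext to the host, so the enclave seals or encrypts before it calls fwrite; and the host validates every handle (or, with the original `[user_check] FILE *` form, every pointer) that comes back out of the enclave rather than using it as-is.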
Hi,
Thanks for your reply. I understood the file I/O.
Can we run Linux commands inside the enclave, like ln, find, grep and so on?
Thanks,
Rajendra
Hi, Rajendra.
You can't execute any system calls or I/O operations inside an enclave, therefore you can't execute the above-mentioned commands inside an enclave. The workaround is, as pointed out by Surenthar, to use OCALLs.
Best regards,
Rodolfo
Hi,
In my case, I would be getting the key from a key manager and I have to pass this key to the cryptsetup command to encrypt the volume inside the enclave.
If I can't run the cryptsetup command inside the enclave, then I have to send the plain key to an OCALL function to encrypt the volume using the cryptsetup command outside the enclave.
Then what is the use of the enclave in this particular case?
Thanks,
Rajendra
If you really need to use cryptsetup, I'm afraid an enclave won't be very useful.
To the best of my knowledge, there are still no similar programs that make use of SGX to achieve this goal.
One alternative would be to develop "your own cryptsetup" which makes use of the sgx_seal_data and sgx_unseal_data functions.
Rodolfo
Hi Rodolfo,
Thanks for the quick reply.
I was also thinking of the same solution that you suggested,
as anyway we have to use the cryptsetup command for volume encryption.
Thanks,
Rajendra
cryptsetup is open source, so you may extend it and potentially upstream it. E.g.:
- check whether the system supports SGX
- if SGX is supported: send the password to the enclave and run all encrypt & decrypt operations within the enclave
Not sure whether you'd want/need sealing.
Hi Surenthar,
Is there a real sgx_stdio_stubs.h file in the SDK? Or is it just mentioned in the Developer Reference as an example for propagating errno? Do we need to CREATE our own OCALLs to call the file I/O operations?
Thanks.
Kind Regards,
Elephant
Selvaraj, Surenthar (Intel) wrote:
    Hi,
    The Intel SGX SDK includes a trusted cryptography library named sgx_tcrypto. You can refer to it for the functions implemented in that library. You can check the supported and unsupported standard functions here (page 92): https://download.01.org/intel-sgx/linux-1.7/docs/Intel_SGX_SDK_Developer_Reference_Linux_1.7_Open_Source.pdf
    For file I/O inside the enclave, you can use OCALLs. You need to add the trusted and untrusted headers in the EDL file.
    For example:
        enclave {
            include "sgx_stdio_stubs.h" // for FILE and other definitions
            trusted {
                public void test_file_io(void);
            };
            untrusted {
                FILE * fopen([in, string] const char * filename, [in, string] const char * mode) propagate_errno;
                int fclose([user_check] FILE * stream) propagate_errno;
                size_t fwrite([in, size=size, count=count] const void * buffer, size_t size, size_t count, [user_check] FILE * stream) propagate_errno;
            };
        };
    -Surenthar
Hi:
As far as I know, there isn't an Intel Protected File System on Linux. On Linux you need to create OCALL functions to do such operations. And the mentioned header file is just some structs and typedefs which you need to write yourself.
Regards
you
Hi You,
Thanks for this information. I will take note.
Kind Regards,
Elephant