Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

Can we execute linux commands inside enclave

Rajendra_K_
Beginner
1,658 Views

Hi,

Can we execute various Linux commands inside SGX enclave like below:

cryptsetup

ln

and so on.

How to do file IO inside enclave?

Thanks,

Rajendra

0 Kudos
11 Replies
Surenthar_S_Intel
1,659 Views

Hi,

The Intel SGX SDK includes a trusted cryptography library named sgx_tcrypto. You can refer to it for the functions implemented in that library. You can check the supported and unsupported standard functions here (page 92): https://download.01.org/intel-sgx/linux-1.7/docs/Intel_SGX_SDK_Developer_Reference_Linux_1.7_Open_Source.pdf

For doing file IO inside the enclave, you can use OCALLs. You need to add trusted and untrusted headers in the EDL file.

For ex:

enclave {
    include "sgx_stdio_stubs.h" // for FILE and other definitions
    trusted {
        public void test_file_io(void);
    };
    untrusted {
        FILE * fopen([in,string] const char * filename, [in,string] const char * mode) propagate_errno;
        int fclose([user_check] FILE * stream) propagate_errno;
        size_t fwrite([in, size=size, count=count] const void * buffer, size_t size, size_t count, [user_check] FILE * stream) propagate_errno;
    };
};

-Surenthar

0 Kudos
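Because the EDL above names the untrusted functions fopen, fwrite and fclose, enclave code calls them by their usual names while the generated bridge runs plain libc outside the enclave. The following is an added example, not code from the thread or from the Intel SDK: a plain-C model of the fwrite bridge with propagate_errno, plus an enclave-side style caller that treats whatever comes back from the OCALL as untrusted input. The ms_fwrite_t layout and the function names are assumptions modelled on sgx_edger8r output, and the code runs outside SGX against ordinary libc.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Marshalling struct for the fwrite OCALL (assumed layout, modelled on what
 * sgx_edger8r generates): [in, size=size, count=count] copies size*count bytes
 * out of the enclave, [user_check] passes the FILE* through unverified, and
 * propagate_errno adds the ocall_errno field. */
typedef struct {
    size_t      ms_retval;
    const void *ms_buffer;
    size_t      ms_size;
    size_t      ms_count;
    FILE       *ms_stream;
    int         ocall_errno;
} ms_fwrite_t;

/* Untrusted side: because the EDL names the untrusted function fwrite, the
 * bridge just calls libc fwrite and copies errno back for the enclave. */
static void sgx_fwrite_bridge(void *pms)
{
    ms_fwrite_t *ms = (ms_fwrite_t *)pms;
    errno = 0;
    ms->ms_retval = fwrite(ms->ms_buffer, ms->ms_size, ms->ms_count, ms->ms_stream);
    ms->ocall_errno = errno;
}

/* Enclave-side style helper: 0 on success, the propagated errno on failure,
 * EIO when the untrusted side reports an implausible result. Everything an
 * OCALL returns is untrusted input and has to be range-checked. */
int enclave_write_file(const char *path, const void *data, size_t len)
{
    FILE *f = fopen(path, "wb");       /* inside the enclave: the fopen proxy */
    if (f == NULL)
        return errno;                   /* errno propagated by the fopen OCALL */

    ms_fwrite_t ms = { 0, data, 1, len, f, 0 };
    sgx_fwrite_bridge(&ms);

    int rc = 0;
    if (ms.ms_retval > len)             /* more items "written" than requested */
        rc = EIO;
    else if (ms.ms_retval != len)       /* short write: report propagated errno */
        rc = ms.ocall_errno ? ms.ocall_errno : EIO;

    if (fclose(f) != 0 && rc == 0)      /* the fclose OCALL propagates errno too */
        rc = errno;
    return rc;
}
```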
Rajendra_K_
Beginner
1,658 Views

Hi,

Thanks for your reply. I understood the File IO.

Can we run Linux commands inside the enclave, like ln, find, grep and so on?

Thanks,

Rajendra

0 Kudos
Rodolfo_S_
New Contributor III
1,658 Views

Hi, Rajendra.

You can't execute any system calls or I/O operations inside an enclave, therefore you can't execute the above-mentioned commands inside an enclave. The workaround is, as pointed out by Surenthar, to use OCALLs.

Best regards,

Rodolfo

0 Kudos
Rajendra_K_
Beginner
1,658 Views

Hi,

In my case, I would be getting a key from a key manager, and I have to pass this key to the cryptsetup command to encrypt the volume inside the enclave.

If I can't run the cryptsetup command inside the enclave, then I have to send the plain key to an OCALL function to encrypt the volume using the cryptsetup command outside the enclave.

Then what is the use of enclave in this particular case?

Thanks,

Rajendra 

0 Kudos
Rodolfo_S_
New Contributor III
1,658 Views

If you really need to use cryptsetup, I'm afraid an enclave won't be very useful.

To the best of my knowledge, there are still no similar programs that make use of SGX to achieve this goal.

One alternative would be to develop "your own cryptsetup" which makes use of the sgx_seal_data and sgx_unseal_data functions.

Rodolfo

0 Kudos
Rajendra_K_
Beginner
1,658 Views

Hi Rodolfo,

Thanks for quick reply.

I was also thinking of the same solution that you have suggested.

Anyway, we have to use the cryptsetup command for volume encryption.

Thanks,

Rajendra

0 Kudos
Matthias_H_Intel
Employee
1,658 Views

cryptsetup is open source. So you may extend it and potentially upstream it. E.g.:

- check whether the system supports SGX

- if SGX is supported: send the password to the enclave and run all encrypt & decrypt operations within the enclave

Not sure whether you'd want/need sealing.

0 Kudos
Rajendra_K_
Beginner
1,658 Views
Hi,

Even though we implement cryptsetup inside the enclave, we have to make OS calls to the dm-crypt kernel module. So again, SGX does not support OS calls. So in my view we either implement dm-crypt and cryptsetup inside the enclave, or else we can't use SGX in this case. Please suggest.

Thanks,

Rajendra
0 Kudos
Elephant
Beginner
1,658 Views

Hi Surenthar,

Is there a real sgx_stdio_stubs.h file in the SDK?  Is it just mentioned in the Developer Reference as an example for propagating errno?  Do we need to CREATE our own OCALLs to call the FILE IO operations?

Thanks.

Kind Regards,

Elephant

Selvaraj, Surenthar (Intel) wrote:

Hi,

The Intel SGX SDK includes a trusted cryptography library named sgx_tcrypto. You can refer to it for the functions implemented in that library. You can check the supported and unsupported standard functions here (page 92): https://download.01.org/intel-sgx/linux-1.7/docs/Intel_SGX_SDK_Developer_Reference_Linux_1.7_Open_Source.pdf

For doing file IO inside the enclave, you can use OCALLs. You need to add trusted and untrusted headers in the EDL file.

For ex:

enclave {
    include "sgx_stdio_stubs.h" // for FILE and other definitions
    trusted {
        public void test_file_io(void);
    };
    untrusted {
        FILE * fopen([in,string] const char * filename, [in,string] const char * mode) propagate_errno;
        int fclose([user_check] FILE * stream) propagate_errno;
        size_t fwrite([in, size=size, count=count] const void * buffer, size_t size, size_t count, [user_check] FILE * stream) propagate_errno;
    };
};

-Surenthar

0 Kudos
you_w_
New Contributor III
1,658 Views

Hi:

As far as I know, there isn't an IntelProtectedFileSystem on Linux. On Linux you need to create OCALL functions to do such operations. And the mentioned header file contains some structs and typedefs which you need to write yourself.

Regards

you

0 Kudos
Elephant
Beginner
1,658 Views

Hi You,

Thanks for this information. I will take note.

Kind Regards,

Elephant

0 Kudos