Intel® Software Guard Extensions (Intel® SGX)
Use hardware-based isolation and memory encryption to provide more code protection in your solutions.

Communication between enclaves

double
Novice

Hello!

I want to communicate between different enclaves, but I don't know how to do it. I have 3 problems to solve.

1. There are two enclaves: Enclave A and Enclave B. I want to let A transfer some data to B, but I don't know how to do it.

2. And if A and B are on different devices, what should I do?

3. I want to implement the Intel SGX remote attestation mechanism in my project. This mechanism requires a Service Provider and an IAS server. My problem is: what exactly is a Service Provider? Is it an ordinary server on which we install an API, or something else? How do I configure this SP in order to implement the remote attestation mechanism?

Thank you for your help.

1 Solution
Sahira_Intel
Moderator

Hi,

Before collaborating, one enclave will have to authenticate the other locally using the SGX report mechanism to verify it is running on the same TCB platform (local attestation). This will create a protected channel between the two local enclaves. Note that two enclaves can never communicate directly with each other; it is always done through the application. See Figure 9 for a diagram of how two enclaves communicate with each other through an application. It is also possible for two enclaves that exist on separate machines to transfer data between each other, but it is not as simple as when they are on one machine. A third-party server, like a service provider, will be needed to create secure channels between the enclaves. For more information on local attestation, check out the SGX Developer Reference Guide.

You would use a regular service provider, but when setting up remote attestation, the client asks the SP to provision secrets. It is a specific API endpoint that the SP implements for making such a request. The SP responds to the request by issuing a challenge requesting the client to attest itself. This document explains more about the communication sequence between client and server during remote attestation.

Hope this information was helpful

Sincerely,

Sahira

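The local-attestation flow described in the answer above (report mechanism, channel established through the application), as an added simulation that is not part of the original thread and is not Intel SDK code. It assumes simplified stand-ins: an HMAC keyed by a constructed per-platform secret models EGETKEY/EREPORT, a SHA-256 of the enclave name models MRENCLAVE, and a pure-Python X25519 supplies the ephemeral key exchange whose public keys are bound into REPORTDATA (the real sgx_dh protocol binds both keys into one report; here each side binds its own). `Enclave`, `Report`, `app_establish` and the message names are hypothetical.

```python
# Added simulation (not Intel SDK code) of SGX local attestation between two enclaves
# on one platform: HMAC/SHA-256 stand in for EREPORT/EGETKEY/MRENCLAVE, and the
# untrusted application relays every message because enclaves never call each other.
import hashlib
import hmac
import secrets
from dataclasses import dataclass

P = 2**255 - 19                          # Curve25519 field prime (RFC 7748)
BASE = (9).to_bytes(32, "little")        # X25519 base point

def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 X25519 (Montgomery ladder), used for the ephemeral DH exchange."""
    n = int.from_bytes(k, "little") & ((1 << 254) - 8) | (1 << 254)   # clamp scalar
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        bit = (n >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        e = (aa - bb) % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

PLATFORM_ROOT = secrets.token_bytes(32)  # constructed stand-in for the CPU's fused root key

def report_key(platform_root: bytes, target_mrenclave: bytes) -> bytes:
    """Models EGETKEY(REPORT_KEY): bound to this platform and the *target's* MRENCLAVE."""
    return hmac.new(platform_root, b"REPORT_KEY|" + target_mrenclave, hashlib.sha256).digest()

def measurement(name: str) -> bytes:     # constructed stand-in for MRENCLAVE
    return hashlib.sha256(b"MRENCLAVE|" + name.encode()).digest()

@dataclass
class Report:                            # reduced SGX REPORT
    mrenclave: bytes                     # identity of the producing enclave
    report_data: bytes                   # 64 bytes: SHA-256(DH public key) + zero padding
    mac: bytes

class Enclave:
    def __init__(self, name, trusted_peers, platform_root=PLATFORM_ROOT):
        self.mrenclave = measurement(name)
        self._policy = {measurement(p) for p in trusted_peers}   # compiled-in, not app-supplied
        self._root = platform_root                               # "the CPU we run on"
        self.session_key = None

    def target_info(self) -> bytes:      # public; the app hands it to the peer for EREPORT
        return self.mrenclave

    def _ereport(self, target: bytes, pub: bytes) -> Report:
        """Models EREPORT with our DH public key bound into REPORTDATA."""
        data = hashlib.sha256(pub).digest() + bytes(32)
        mac = hmac.new(report_key(self._root, target), self.mrenclave + data, hashlib.sha256).digest()
        return Report(self.mrenclave, data, mac)

    def accept(self, peer_pub: bytes, rpt: Report) -> None:
        """MAC check with *our* report key (same platform), identity vs. policy, key binding."""
        key = report_key(self._root, self.mrenclave)
        mac = hmac.new(key, rpt.mrenclave + rpt.report_data, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, rpt.mac):
            raise ValueError("report MAC invalid: not from an enclave on this platform")
        if rpt.mrenclave not in self._policy:
            raise ValueError("peer MRENCLAVE not trusted")
        if rpt.report_data[:32] != hashlib.sha256(peer_pub).digest():
            raise ValueError("public key not bound to report")
        shared = x25519(self._priv, peer_pub)
        self.session_key = hashlib.sha256(b"LA-SESSION|" + shared).digest()

    def dh_message(self, peer_target: bytes, incoming=None):
        """Produce our (public key, report) for the peer; verify the peer's message first if given."""
        self._priv = secrets.token_bytes(32)
        pub = x25519(self._priv, BASE)
        if incoming is not None:
            self.accept(*incoming)
        return pub, self._ereport(peer_target, pub)

def app_establish(a: Enclave, b: Enclave) -> str:
    """Untrusted application: relays target info and messages; it sees every byte
    but holds no report key, so it cannot forge. Returns "ok" or the rejection reason."""
    try:
        m1 = a.dh_message(b.target_info())            # A -> app -> B
        m2 = b.dh_message(a.target_info(), m1)        # B checks A, replies: B -> app -> A
        a.accept(*m2)                                 # A checks B; both now share a key
    except ValueError as err:
        return str(err)
    return "ok" if a.session_key == b.session_key else "key mismatch"
```

`app_establish(Enclave("A", ["B"]), Enclave("B", ["A"]))` returns "ok"; giving A a different `platform_root`, or using an enclave that B's policy does not list, returns the rejection reason instead, and an application that swaps the public key in transit is caught by the REPORTDATA binding. What the simulation shows is the shape of the flow: the application shuttles target info and (public key, report) pairs, each enclave verifies the incoming report with its own report key and checks the peer's MRENCLAVE against a policy it carries itself, and the key material rides inside the report so the relay cannot substitute it. With the real SDK the same steps are `sgx_create_report` / `sgx_verify_report` inside each enclave (or the `sgx_dh_*` session API that wraps them), and the untrusted application still carries the bytes between the two enclaves through its ECALLs.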

3 Replies

double
Novice

Thank you for your reply.

I learned a lot of useful things; I plan to study the documentation you provided by myself.

Thank you very much!

Sincerely,

Double

double
Novice

Hi,

After a period of study, I know that the SP can tell whether the client is reliable through IAS. But I don't understand how the client can determine that the SP is a reliable service provider and not a malicious one.

Thanks a lot.

Sincerely,

Double
