Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

Comprehension question: Usage of sgx_create_enclave

Dix__Isabella
Beginner
368 Views

Hi all,

sorry if this is a stupid question, but I think I am lacking some basic understanding here:

I want to have my app+enclave configured in such a way, that I call sgx_create_enclave once (with provisioning of secrets - currently very basic) and can later access the code without any more attestation directly with each call. 

Basically I'd call
./app init 

once and later
./app <command>
./app <command>

as often as I like, knowing that the dataI give to the enclave can only be used if the attestation was setup correctly and the secret safely enclosed in there. (It's data encrypted with a key and that key is only inside the enclave if attestation was performed successfully) Therefore I do not need to perform the attestation every time. Correct?
However, I now changed my code in some way representing this though

 

int SGX_CDECL main(int argc, char *argv[])
{
    if (argc < 2)
    {
        printf("No command was given, successfully finished doing nothing.\n");
        return 0;
    }

    char *cmd = argv[1];

    if (0 == strcmp(cmd, "init"))
    {
        return init_enclave();
    }

    else if (0 == strcmp(cmd, "destroy"))
    {
        return destroy_enclave();
    }

    else if (0 == strcmp(cmd, "agg"))
    {
    <actual logic>
    }

    else
    {
        printf("Unknown command!\n");
        return -1;
    }
}

int init_enclave()
{
    // calls sgx_create_enclave (copied from SampleCode/SampleEnclave)
    if (initialize_enclave() < 0)
    {
        printf("Error occured, enter a character before exit ...\n");
        getchar();
        return -1;
    }
    
    // Key provisioning (later done via attestation)
    char priv_key[] = <hardcoded_key>;
    ecall_set_key(global_eid, &priv_key[0], sizeof(priv_key));
    printf("Successfully provisioned key to enclave.\n");

    return 0;
}

 

but when calling ./app init and then ./app command nothing happens for the command. Is this not intended behaviour? Should I be doing attestation for every call to my actual logic and/or should I create and destroy the enclave for every call? That seems overly complicated, but I might be confused.

0 Kudos
3 Replies
JesusG_Intel
Moderator
368 Views

Hello Isabella,

You have to load the enclave into memory each time your App runs. It seems that your code is returning and exiting after you init. When your code exits, the enclave does not stay in memory. Each time your run a command using ./app command, you have to init the enclave before running your command.

Does that make sense?

Regards,

Jesus

0 Kudos
Dix__Isabella
Beginner
368 Views

Hello Jesus,

Thanks for your answer, I think I partially understood. This loading into memory has to be done manually? Is there an example (like this SamplePowerTransitionApp)? 

Meaning that I have to call sgx_create_enclave every time, but I can provision the key one time (during attestation), then seal it and reuse it later and not do attestation again?

Regards,

Isabella

0 Kudos
JesusG_Intel
Moderator
368 Views

Hello Isabella, the answer to your question: "Meaning that I have to call sgx_create_enclave every time, but I can provision the key one time (during attestation), then seal it and reuse it later and not do attestation again?" is YES. You understand it perfectly. 

Regards,

Jesus

0 Kudos
Reply