Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

Data is not encrypted in Enclave

tae_un_k_
Beginner
759 Views

Hello, I'm Tae Un Kang.

 

I save data in Enclave. But, data is shown by Cheating Tool(Ex. CheatEngine)

 

I think data is not encrypted.

 

If I want to encrypt data in enclave, I have to use Release mode?

(I tested Pre-release mode)

 

Can I use release mode in free?(Ex. Research purpose or education license) 

 

 

0 Kudos
3 Replies
Shivananda_H_Intel
759 Views

Enclave Signing Key Management:
2-step method using an external signing tool:
First step: At the end of the enclave build process, the signing tool generates the enclave signing material. The ISV takes the enclave signing material file to an external signing platform/facility where the private key is stored, signs the signing material file, and takes the resulting signature file back to the build platform.

Second step: The ISV runs the signing tool with the catsig command providing the necessary information at the command line to add the hash of the public key and signature to the enclave’s metadata section.

The 2-step signing process protects the signing key in a separate facility. Thus it is the default signing method for the Intel SGX project release profile. This means it is the only method for signing production enclave applications.

Enclave Signing Example:
Two-step signing process:
Signing an enclave using a private key stored in an HSM, for instance:
1. Generate the enclave signing material.
sgx_sign gendata -enclave enclave.so -config config.xml -out enclave_hash.hex

2. At the signing facility, sign the file containing the enclave signing material (enclave_hash.hex) and take the resulting signature file (signature.hex) back to the build platform.

3. Sign the enclave using the signature file and public key.
sgx_sign catsig -enclave enclave.so -config config.xml -out enclave_signed.so -key public.pem -sig signature.hex -unsigned enclave_hash.hex

Currently the evaluation SDK allows the developer to create and run enclaves using the Debug and Pre-release profiles. Enclaves compiled under the Release profile will not work until the developer completes the production licensing process. If you would like to deliver a production-quality application using SGX, please contact the SGX Program<sgx_program@intel.com> for more information about a production license.

For more info , please refer to this thread.

https://software.intel.com/en-us/forums/intel-software-guard-extensions-intel-sgx/topic/681473

 

Regards

Shivananda

0 Kudos
Rodolfo_S_
New Contributor III
759 Views

Hi,

there is no education license for enclave development. On the other hand, the SGX commercial license is free of charge. You just have to follow the steps pointed out by Shivananda.

Could you please clarify how did you save data in the enclave?

Best regards,
Rodolfo

0 Kudos
tae_un_k_
Beginner
759 Views

Hi, 

I compiled pre-release mode. and I generate enclave.cpp in enclave area.

I checked not encrypted data in memory by using cheat-engine(memory manipulation tool)

[enclave.cpp]

**************************************

void enclaveInFunction(char *buf, size_t len)
{
   if (len <= (size_t)MAX_BUF_LEN) {
   memcpy(enclaveString, buf, strlen(buf) + 1);
   printf("enclaveString addr: %p\n", enclaveString);
   printf("Enclave.cpp/buf: %p\n", buf);
   }
   while(1);
}

**************************************

I have a question. I followed Shivananda's comment.

I completed signing enclave.

But I get a error_code[sgx_status_t value(0x4004)] in running application.

0x4004 means Enclave has no privilege to get launch token.

Is it a problem because there is no Commercial License?

 

Best regards,

Tae Un

0 Kudos
Reply