Hello, for the application that I am building, I need to ensure that only one instance of my enclave is running on the platform. Is there any way to do this? I have tried some hacky solutions such as creating 256 counters (the maximum allowed) at enclave initialization so that the second instance will error out when it tries to create its own counters. However, this solution is both slow and not crash-resilient. Is there any way to check whether instances of the same enclave are already running? If not, are there plans to introduce this in SGX2? I would imagine that this should be simple enough to implement in the platform software since it would just be a scan of all SECS pages to return a count of identical measurements.
Our platform software does not have this feature.
There are hacky solutions like the one you describe (DoS on the system to prevent others from creating any enclaves, assuming you can get there first). If you are on Linux and you also control the install on all the machines you want to run this singleton enclave (for example, your enterprise), you could modify the platform sw code and add this feature before building and deploying it.
Suppose this feature did exist, how would you guarantee that *your* application loads the enclave first? Wouldn't you also want that feature?
I should have made my attacker model clearer. In the system that we are building, we do not trust any of the code running on the machine except the enclave code. However, if we allow more than one instance of the enclave to be instantiated on the same machine then it results in our system being vulnerable to some attacks (rollback attacks, to be specific). What we need to have is for the enclave to start up, check if there are any other (identical) enclaves running on the platform, and if there are then abort the operation.
Looking through the Intel® 64 and IA-32 Architectures Software Developer’s Manual shows that there is a unique monotonically increasing EID associated with each enclave's SECS. Is there any function call that we can use to peek at that EID?
Perhaps our system is a bit of an edge case but I think it would be a very useful addition to the platform if such a capability were indeed implemented.
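The rollback concern raised above, as an added illustration that is not part of this thread and not Intel SGX platform code: sealed enclave state is bound to a monotonic counter value, so reloading an older sealed blob is detected, but a second live instance that advances the counter leaves the first instance holding stale in-memory state that it will keep serving unless it re-checks the counter on every operation. The `MonotonicCounter` class, the HMAC-based `seal`/`unseal` helpers and the `EnclaveInstance` class are stand-ins (assumptions) for the platform's monotonic counter service and sealing API; the key and balances are constructed sample data.

```python
"""Simulation of monotonic-counter rollback detection for sealed enclave state.

Added example; the counter service, seal key and EnclaveInstance class are
stand-ins (assumptions) for the platform's monotonic counter and sealing API.
"""
import hashlib
import hmac
import json

# Constructed stand-in for the enclave's seal key (would be derived by the platform).
SEAL_KEY = b"constructed-seal-key-for-demo"


class MonotonicCounter:
    """Stand-in for a platform monotonic counter: it can only ever increase."""

    def __init__(self):
        self.value = 0

    def increment(self) -> int:
        self.value += 1
        return self.value

    def read(self) -> int:
        return self.value


def seal(state: dict, counter_value: int) -> bytes:
    """Bind state to a counter value under a MAC (stand-in for sealing)."""
    payload = json.dumps({"state": state, "ctr": counter_value}, sort_keys=True).encode()
    tag = hmac.new(SEAL_KEY, payload, hashlib.sha256).digest()
    return tag + payload


def unseal(blob: bytes) -> dict:
    """Verify the MAC and return {"state": ..., "ctr": ...}."""
    tag, payload = blob[:32], blob[32:]
    expected = hmac.new(SEAL_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("seal MAC mismatch")
    return json.loads(payload)


class RollbackDetected(Exception):
    pass


class EnclaveInstance:
    """Simulated enclave: validates sealed state against the counter at load time."""

    def __init__(self, counter: MonotonicCounter):
        self.counter = counter
        self.state = None
        self.sealed_ctr = None

    def load(self, blob: bytes) -> None:
        rec = unseal(blob)
        if rec["ctr"] != self.counter.read():
            raise RollbackDetected(f"sealed ctr {rec['ctr']} != platform ctr {self.counter.read()}")
        self.state, self.sealed_ctr = rec["state"], rec["ctr"]

    def update(self, new_state: dict) -> bytes:
        # Increment first, then seal with the new value: any older blob now fails load().
        self.sealed_ctr = self.counter.increment()
        self.state = new_state
        return seal(new_state, self.sealed_ctr)

    def is_fresh(self) -> bool:
        """Per-operation check: does in-memory state still match the platform counter?"""
        return self.sealed_ctr == self.counter.read()


def single_instance_rollback_rejected() -> bool:
    """One instance: replaying an old sealed blob after a restart is caught."""
    ctr = MonotonicCounter()
    e = EnclaveInstance(ctr)
    old_blob = e.update({"balance": 100})
    new_blob = e.update({"balance": 50})
    restarted = EnclaveInstance(ctr)
    try:
        restarted.load(old_blob)  # stale blob: ctr 1 vs platform ctr 2
    except RollbackDetected:
        pass
    else:
        return False
    restarted.load(new_blob)
    return restarted.state == {"balance": 50}


def second_instance_makes_first_stale():
    """Two live instances: B advances the counter, A keeps serving old state."""
    ctr = MonotonicCounter()
    a = EnclaveInstance(ctr)
    blob = a.update({"balance": 100})
    b = EnclaveInstance(ctr)
    b.load(blob)
    b.update({"balance": 50})
    # A never reloaded, so its load-time check never ran; only is_fresh() reveals it.
    return a.state, a.is_fresh()


if __name__ == "__main__":
    print("single instance rejects rollback:", single_instance_rollback_rejected())
    print("first instance state, fresh?:", second_instance_makes_first_stale())
```

The second scenario is the reason a singleton matters: the counter only protects state that is re-validated, so with two instances alive the defender either needs a per-operation freshness check (as `is_fresh` does here, at the cost of a counter read on every call) or a guarantee that no second instance can exist.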
I can't think of a way to do what you want without trusting the OS, our untrusted runtime, or something else.
I am still not sure what your concern is, though. How would the presence of a different process loading the same enclave binary into their process space affect what you want to do in your enclave in your process space?