Hi,
I wrote a simple SSL program using Windows Schannel (it just creates a socket and does the SSL handshake). It worked well without loading an enclave. However, when the program loaded an enclave, it failed at "AcquireCredentialHandle" and never returned. It has troubled me for several days and is still not solved.
Does anybody know why, and how to solve it?
thx a lot.
-Huorong Li
PS:
I'm sure that the problem is caused by calling "sgx_create_enclave" in my DLL, and I found some useful info in "Intel SGX SDK Developer Reference for Windows OS v1.7.pdf":
Do not call the sgx_create_enclave function as part of initialization of a
DLL. For instance, sgx_create_enclave hangs when it is called from the
global object constructor of a C++ class in a DLL.
I've tried putting "sgx_create_enclave" in different places in the DLL, but all of them failed. What does "initialization of a DLL" actually mean? Does it mean that we should NOT call "sgx_create_enclave" in a DLL? If not, what is the right way to call "sgx_create_enclave" in a DLL?
Thx,
-Huorong Li
The sgx_create_enclave function can't be called as part of the initialization of an application DLL. In a process, we can't load a DLL while another DLL's loading/initialization is in progress. This constraint applies to non-SGX applications as well.
We can call "sgx_create_enclave" from any other part of the application DLL except the DLL initialization code. "sgx_create_enclave" is part of the untrusted library (uRTS). We can add the required untrusted library in the project settings and the header file ("sgx_urts.h") in the application DLL, and then call "sgx_create_enclave" in the application DLL.
Prabu Rajathirumoni wrote:
The sgx_create_enclave function can't be called as part of the initialization of an application DLL. In a process, we can't load a DLL while another DLL's loading/initialization is in progress. This constraint applies to non-SGX applications as well. We can call "sgx_create_enclave" from any other part of the application DLL except the DLL initialization code. "sgx_create_enclave" is part of the untrusted library (uRTS). We can add the required untrusted library in the project settings and the header file ("sgx_urts.h") in the application DLL, and then call "sgx_create_enclave" in the application DLL.
Hi Prabu Rajathirumoni,
Thanks for your reply.
However, I'm still not clear on what "part of initialization of an application DLL" means. Could you give me an example? For instance, a Windows DLL's entry point is DllMain; is that the "part of initialization of an application DLL", and is the code in DllMain the so-called "DLL initialization code"?
PS: I use Visual Studio 2015 with the SGX SDK, and it seems that the SGX libraries are added to the project settings by default.
Please read:
https://msdn.microsoft.com/en-us/library/windows/desktop/dn633971(v=vs.85).aspx
Basically, if you write a DLL, then when that DLL gets loaded its DllMain() function is called automatically. Inside that DllMain(), you cannot load another DLL. The URL above has more details on the additional restrictions.
Francisco C. (Intel) wrote:
Please read:
https://msdn.microsoft.com/en-us/library/windows/desktop/dn633971(v=vs.85).aspx
Basically, if you write a DLL, then when that DLL gets loaded its DllMain() function is called automatically. Inside that DllMain(), you cannot load another DLL. The URL above has more details on the additional restrictions.
Thanks.
Still, I'm sure that I do NOT call sgx_create_enclave in DllMain. Here's my DllMain function:
#include <windows.h>
#include <stdlib.h>
#include <time.h>

BOOL WINAPI DllMain(
    IN CONST HINSTANCE hInstDLL,
    IN CONST DWORD dwReason,
    IN CONST LPVOID lpvReserved
)
{
    UNREFERENCED_PARAMETER(hInstDLL);
    UNREFERENCED_PARAMETER(lpvReserved);
    if (dwReason == DLL_PROCESS_ATTACH)
    {
        /* Only seed the PRNG here; nothing is loaded from DllMain. */
        srand((unsigned int)time(NULL));
    }
    else if (dwReason == DLL_PROCESS_DETACH)
    {
        /* Nothing to clean up. */
    }
    return TRUE;
}
However, no matter where I placed sgx_create_enclave, it always failed, and once I commented out the code, it succeeded.
I assume that the wrapper function containing "sgx_create_enclave" is defined in your application DLL. For enclave loading and initialization, this wrapper function is called from the application source.
Please check the link below for loading the enclave through an application (C#) DLL:
https://software.intel.com/en-us/articles/csharp-application-with-intel-software-guard-extension
This write-up is based on loading an enclave from C# application source by writing managed and unmanaged code (both are DLLs). If your application is written in C/C++, then there is no need for managed/unmanaged code.
I do use native C/C++, not C#, and I'm sure sgx_create_enclave is not called directly or indirectly in DllMain, which is the initialization part of the DLL.
Prabu Rajathirumoni wrote:
I assume that the wrapper function containing "sgx_create_enclave" is defined in your application DLL. For enclave loading and initialization, this wrapper function is called from the application source.
Please check the link below for loading the enclave through an application (C#) DLL:
https://software.intel.com/en-us/articles/csharp-application-with-intel-software-guard-extension
This write-up is based on loading an enclave from C# application source by writing managed and unmanaged code (both are DLLs). If your application is written in C/C++, then there is no need for managed/unmanaged code.
Since the write-up shared above uses a DLL written in C/C++ to call the enclave, I thought it might be useful for your reference.
Could you please share the "App->DLL->Enclave" communication part of the code with me, so I can try to fix the issue? Otherwise I can build a simple Intel SGX application with a lightweight application DLL that calls the enclave.
Thanks a lot for your help.
My DLL is implemented as a CNG Provider. Basically, it should be used in a CNG context, i.e. "App->CNG->DLL->Enclave". However, to make the CNG Provider DLL available to an App, especially an App using Schannel to do TLS, a lot of configuration has to be done on the OS, including installing kernel mode drivers.
I have done such tests (both "App->DLL->Enclave" and "App->CNG->DLL->Enclave", with the App not calling AcquireCredentialHandle) with my DLL. Both of them did work. It's almost certain that in the AcquireCredentialHandle context, something breaks the sgx_create_enclave "calling rule".
For AcquireCredentialHandle, there is no useful feedback from Microsoft currently.
PS:
I've partly solved this problem with the following trick:
Create the enclave in the App's main routine and save the handle (enclave id) to a file. The DLL gets the handle from the file.
However, it requires that the enclave MUST be created in the same process as the DLL. So it does not apply to Windows native applications like IE.