Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.
1452 Discussions

Google Native Client (NaCl) modules using SGX Enclaves

Rafael_C_
Beginner
‎02-23-2017 06:31 AM
485 Views
Hi, I'm trying to make an PNaCl module that uses functions that run inside SGX Enclaves (ECALLs) but without any success so far. I'm not sure if this is possible considering NaCl's compiler specificities and the fact that both technologies works with memory access constrains. To make this possible I think enclave memory should be entirely inside the NaCl module limits. 
 
I'm using the linux sgx sdk. A regular SGX application uses the executable file and a signed.enclave.so library. Is it possible to compile the signed.enclave.so using NaCl compiler and then unite it with the main application in a single nexe/pexe file?
 
Also, is it possible to take advantage of the sgx sdk libraries using the pnacl-ar and pnacl-ranlib tools?
 
Does anyone has ever tried something like this? Any sucesses? Ideas on how to do it?
 
Thanks a lot.
0 Kudos

Link Copied

1 Reply
Surenthar_S_Intel
Employee
‎02-28-2017 09:02 PM
485 Views

Hi,

Enclaves must be 100% native code, with no dependancies on shared libraries. There are no exceptions to these restrictions. The linkages to the ECALLs in your enclave, and the OCALLs made from your enclave, must be 100% native C (not C++) code. There are no exceptions to this restriction and perhaps most important, enclaves have to be built using the trusted C and C++ libraries provided by Intel. They are built to provide C/C++ libraries that do not contain instructions and operations that are not legal inside of enclaves. There's really not a practical way to "build" an enclave outside of the process.

-Surenthar

0 Kudos
Copy link
Reply

Community support is provided during standard business hours (Monday to Friday 7AM - 5PM PST). Other contact methods are available here.

Intel does not verify all solutions, including but not limited to any file transfers that may appear in this community. Accordingly, Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade.

For more complete information about compiler optimizations, see our Optimization Notice.