Community
Register Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sam5
New Contributor I
‎07-19-2016 09:58 PM
71 Views

How do enclaves IPC without the help of system's help

Jump to solution

Hi,

Using Innovative Instructions to Create Trustworthy Software Solutions - 

  1. In this paper, mentioned that we have a trusted channel between enclave and remote server. But if socket stuff is not allowed, how does an enclave communicate with the remote server?
  2. How does an enclave communicate with local enclaves? The manual said one need to pass REPORT to another in order to attest, but how is this done without system's help?

-Thanks

0 Kudos
Reply

Link Copied


Accepted Solutions
Surenthar_S_Intel
Employee
‎07-19-2016 10:02 PM
71 Views

Jump to solution

Hi Sam,

Called trusted path is established on top of untrusted path offered by OS (traditional IPC between applications), with cryptographic protection (keys are only known to enclaves). In Local attestation samples available in Intel SGX SDK. The enclave that wants to prove that it is running inside an enclave on an Intel CPU, creates a report inside the enclave(EREPORT). The report does not have any secret in it, but it is MAC'd using the report key, which is accessible and generated inside the enclave . The report is sent to the other enclave through the untrusted channel(Ie, OS provided IPC), and then the report is verified inside the other enclave, which has access to the same report key(shared secret) inside the enclave and can verify the structure integrity using the MAC and report key(shared secret between enclaves). If all the information in the report matches, the two enclaves can trust that they run on the same SGX platform. They can then perform key exchange like DH key exchange or any other way to establish a secure channel and they can communicate with each other securely.

Thanks and Regards,
Surenthar Selvaraj

View solution in original post

0 Kudos
Copy link
Reply
2 Replies
Surenthar_S_Intel
Employee
‎07-19-2016 10:02 PM
72 Views

Jump to solution

Hi Sam,

Called trusted path is established on top of untrusted path offered by OS (traditional IPC between applications), with cryptographic protection (keys are only known to enclaves). In Local attestation samples available in Intel SGX SDK. The enclave that wants to prove that it is running inside an enclave on an Intel CPU, creates a report inside the enclave(EREPORT). The report does not have any secret in it, but it is MAC'd using the report key, which is accessible and generated inside the enclave . The report is sent to the other enclave through the untrusted channel(Ie, OS provided IPC), and then the report is verified inside the other enclave, which has access to the same report key(shared secret) inside the enclave and can verify the structure integrity using the MAC and report key(shared secret between enclaves). If all the information in the report matches, the two enclaves can trust that they run on the same SGX platform. They can then perform key exchange like DH key exchange or any other way to establish a secure channel and they can communicate with each other securely.

Thanks and Regards,
Surenthar Selvaraj

View solution in original post

0 Kudos
Copy link
Reply
Sam5
New Contributor I
‎07-19-2016 11:01 PM
71 Views

Jump to solution

Thanks for your detailed information

0 Kudos
Copy link
Reply

For more complete information about compiler optimizations, see our Optimization Notice.