Intel® Software Guard Extensions (Intel® SGX)
Use hardware-based isolation and memory encryption to provide more code protection in your solutions.
1268 Discussions

How do enclaves IPC without the help of system's help

Sam5
New Contributor I
‎07-19-2016 09:58 PM
277 Views
Solved Jump to solution

Hi,

Using Innovative Instructions to Create Trustworthy Software Solutions - 

  1. In this paper, mentioned that we have a trusted channel between enclave and remote server. But if socket stuff is not allowed, how does an enclave communicate with the remote server?
  2. How does an enclave communicate with local enclaves? The manual said one need to pass REPORT to another in order to attest, but how is this done without system's help?

-Thanks

0 Kudos
1 Solution
Surenthar_S_Intel
Employee
‎07-19-2016 10:02 PM
277 Views
Solved Jump to solution

Hi Sam,

Called trusted path is established on top of untrusted path offered by OS (traditional IPC between applications), with cryptographic protection (keys are only known to enclaves). In Local attestation samples available in Intel SGX SDK. The enclave that wants to prove that it is running inside an enclave on an Intel CPU, creates a report inside the enclave(EREPORT). The report does not have any secret in it, but it is MAC'd using the report key, which is accessible and generated inside the enclave . The report is sent to the other enclave through the untrusted channel(Ie, OS provided IPC), and then the report is verified inside the other enclave, which has access to the same report key(shared secret) inside the enclave and can verify the structure integrity using the MAC and report key(shared secret between enclaves). If all the information in the report matches, the two enclaves can trust that they run on the same SGX platform. They can then perform key exchange like DH key exchange or any other way to establish a secure channel and they can communicate with each other securely.

Thanks and Regards,
Surenthar Selvaraj

View solution in original post

0 Kudos
Copy link

Link Copied

2 Replies
Surenthar_S_Intel
Employee
‎07-19-2016 10:02 PM
278 Views
Solved Jump to solution

Hi Sam,

Called trusted path is established on top of untrusted path offered by OS (traditional IPC between applications), with cryptographic protection (keys are only known to enclaves). In Local attestation samples available in Intel SGX SDK. The enclave that wants to prove that it is running inside an enclave on an Intel CPU, creates a report inside the enclave(EREPORT). The report does not have any secret in it, but it is MAC'd using the report key, which is accessible and generated inside the enclave . The report is sent to the other enclave through the untrusted channel(Ie, OS provided IPC), and then the report is verified inside the other enclave, which has access to the same report key(shared secret) inside the enclave and can verify the structure integrity using the MAC and report key(shared secret between enclaves). If all the information in the report matches, the two enclaves can trust that they run on the same SGX platform. They can then perform key exchange like DH key exchange or any other way to establish a secure channel and they can communicate with each other securely.

Thanks and Regards,
Surenthar Selvaraj

0 Kudos
Copy link
Sam5
New Contributor I
‎07-19-2016 11:01 PM
277 Views
Solved Jump to solution

Thanks for your detailed information

0 Kudos
Copy link
Reply

For more complete information about compiler optimizations, see our Optimization Notice.