Hi!
I'm new to Intel SGX and I'm confused about how to properly use PCL (Protected Code Loader) to protect the confidentiality of code.
It looks like we encrypt the enclave .so file after building and before signing the enclave. But I guess the building environment for an enclave itself is untrusted. Encrypting the .so file means that the code still needs to be exposed in an untrusted environment until the enclave is encrypted. It does, indeed, protect loading the enclave later. But if the enclave code can be known in the enclave building process, I'm not sure how protecting enclave loading would help much...
For example, one has a confidential algorithm that he wants to execute in the cloud. This would require him to create and build an enclave in the cloud. How could he protect the confidentiality of the algorithm by applying PCL? I could think that he first builds his dynamically loaded library locally, then encrypts it and transmits it to a cloud enclave. The cloud enclave then decrypts it, dynamically loads and executes the library. But system calls are not allowed in an enclave...
Could you give me some instructions on how to protect the confidentiality of the code?
Thank you so much!
Hello.
Yes, given the scenario you proposed ("build in the cloud"), your code would not be protected. But, you should not build in the cloud... To be secure, you should build/sign/encrypt your algorithm in a trusted environment. Then, you can deploy the encrypted algorithm securely to any environment, cloud or otherwise. Utilizing the SGX remote attestation process, you can then securely decrypt the algorithm inside an enclave and execute.
For more info, see the section titled "Enabling Enclave Code Confidentiality" in the latest "Developer Guide" at this link: https://download.01.org/intel-sgx/latest/linux-latest/docs/
Regards.
Scott
Hi, Scott!
Thank you so much for your reply!
Yes, you are right. Previously I thought enclave building needs to incorporate the building CPU's information. That was wrong. Enclave building and signing only require the user's private key and the PCL encryption key file. We can actually distribute the enclave (.so file) to any (untrusted) environment.
In this case PCL actually fits our need. From the PCL GitHub repo it seems like PCL will only be supported in SGX 2.0 and beyond. We are currently using Intel's SGX development kit NUC7i7BNH SKU and the prebuilt SGX SDK in that kit. Do you know how we can check the SGX version and maybe perform an upgrade? From what I've read, it seems like the support for dynamic memory allocation/management in SGX 2.0 is purely software support. Does it mean that all SGX-supported CPUs are eligible to upgrade to SGX 2.0 and beyond?
Thanks again!
Best Regards,
Hello again.
PCL is supported now on current SGX processors (no need for SGX 2.0) and has been incorporated directly into the main SGX code GitHub repo in the SDK and Sample code. See the links below:
https://github.com/intel/linux-sgx/tree/master/SampleCode/SampleEnclavePCL/
https://github.com/intel/linux-sgx/tree/master/sdk/protected_code_loader
If you were referring to the stand-alone PCL repo (link below), that one is very old and shouldn't be used:
https://github.com/intel/linux-sgx-pcl
Finally, EDMM (Enclave Dynamic Memory Management) support does have to have hardware support as there are new x86 instructions required for it. A good post/discussion about EDMM support can be found here: https://software.intel.com/en-us/forums/intel-software-guard-extensions-intel-sgx/topic/757950
Regards.
Scott
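The hardware side of the EDMM point in the reply above can be read from CPUID. The following is an added example, not part of the original posts or of the SGX SDK; the names `decode_sgx_caps` and `query_sgx_caps` are made up here, and the bit positions are those documented in the Intel SDM.

```c
#include <stdint.h>
#include <stdio.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif
/* SGX capability bits; positions are those given in the Intel SDM. */
struct sgx_caps {
    int sgx;  /* CPUID.(EAX=07H,ECX=0):EBX[2] - CPU implements SGX         */
    int sgx1; /* CPUID.(EAX=12H,ECX=0):EAX[0] - SGX1 leaf functions        */
    int sgx2; /* CPUID.(EAX=12H,ECX=0):EAX[1] - SGX2 leaf functions (EDMM) */
};

/* Pure decoder over raw register values, so it can be checked offline. */
struct sgx_caps decode_sgx_caps(uint32_t l7_ebx, uint32_t l12_eax)
{
    struct sgx_caps c = {0, 0, 0};
    c.sgx = (l7_ebx >> 2) & 1;
    if (c.sgx) { /* leaf 12H is only meaningful when the SGX flag is set */
        c.sgx1 = l12_eax & 1;
        c.sgx2 = (l12_eax >> 1) & 1;
    }
    return c;
}

/* Query the running CPU: 0 on success, -1 if CPUID leaf 7 is unavailable. */
int query_sgx_caps(struct sgx_caps *out)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned int a, b, c, d, a12 = 0, b12, c12, d12;
    if (!__get_cpuid_count(7, 0, &a, &b, &c, &d))
        return -1;
    if ((b >> 2) & 1) /* a12 stays 0 if leaf 12H is not reported */
        __get_cpuid_count(0x12, 0, &a12, &b12, &c12, &d12);
    *out = decode_sgx_caps(b, a12);
    return 0;
#else
    (void)out; /* not an x86 build: nothing to query */
    return -1;
#endif
}

int main(void)
{
    struct sgx_caps c;
    if (query_sgx_caps(&c) != 0)
        return 1;
    printf("SGX=%d SGX1=%d SGX2(EDMM)=%d\n", c.sgx, c.sgx1, c.sgx2);
    return 0;
}
```

This reports what the processor implements, not the installed SDK or PSW version, and SGX still has to be enabled in firmware before enclaves can be created.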
Gotcha!
For the SGX version on my machine, the SDK still hasn't included PCL (e.g. no sgx_create_encrypted_enclave function).
Do you know how to check the current SGX version on my machine? And would you suggest that I update the SGX on my machine to the https://github.com/intel/linux-sgx/ master branch?
Thank you so much!
