Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.
1453 Discussions

How to call an encalve from another enclave in same application?

bashar__golam
Beginner
‎04-03-2019 04:38 PM
735 Views

I want to call an encalve from another enclave in same application? How? please suggest with code.

0 Kudos

Link Copied

2 Replies
Dr__Greg
Super User
‎04-12-2019 03:10 AM
735 Views

Good morning Golam.

I had seen your post but haven't had the time to reply but wanted to do so.

Doing what you describe requires issuing an OCALL from the first enclave that returns the execution thread to untrusted space.  From there the thread can issue an ECALL to the second enclave to exercise the desired functionality.  The results from that ECALL would then be returned to the first enclave as the return result of the OCALL.

Doing this correctly, ie. in a secure fashion, may require that a security context be created between the two enclaves.  This is where local enclave attestation becomes important.  The goal is to use local attestation to conduct a key exchange between the two enclaves.  This is needed in order for the data passed between the two enclaves to have either integrity and/or confidentiality guarantees with respect to the data being passed back and forth between the two enclaves.

The Intel SDK has examples of how to do local attestation between two local enclaves.

The exception to this architecture is if there is some type of implicit guarantee with respect to the integrity of the data returned to a calling enclave.  For example, our Secure Runtime Development Environment (SRDE) implements direct enclave to enclave communication between disparate hosts using mutual remote attestation.

The enclaves invoke an OCALL in order to return to untrusted space in order to issue a call to the quoting enclave to generate a platform attestation quote.  The remote attestation architecture was designed to return a quote that could be manipulated securely by untrusted code.  As a result there is no need to establish a security contract to protect the communications from the first enclave to the second enclave.

Hopefully the above provides some framing information that you can use to make useful architectural decisions.  Unfortunately the security architecture of SGX precludes the implementation of something as simple as a function call from one enclave to another.

Have a good weekend.

Dr. Greg

 

0 Kudos
Copy link
bashar__golam
Beginner
‎04-13-2019 11:16 AM
735 Views

Dear Dr. Greg,

Thank you for your kind reply.

 I generate a random number in an Enclave2 and want to pass it to the untrusted code (main program) via another Enclave1. I use the local attestation where secure channel, Enclave to Enclave call. message exchange and close session is performed between Enclave1 to Enclave2.
Here , is the edl section of Enclave1 and Enclave2 respectively.

enclave {
    include "sgx_eid.h"
    from "../LocalAttestationCode/LocalAttestationCode.edl" import *;
    trusted{
            public uint32_t test_create_session(sgx_enclave_id_t src_enclave_id, sgx_enclave_id_t dest_enclave_id);
            public uint32_t test_enclave_to_enclave_call(sgx_enclave_id_t src_enclave_id, sgx_enclave_id_t dest_enclave_id);
            public uint32_t test_message_exchange(sgx_enclave_id_t src_enclave_id, sgx_enclave_id_t dest_enclave_id);
            public uint32_t test_close_session(sgx_enclave_id_t src_enclave_id, sgx_enclave_id_t dest_enclave_id);
    };

};

enclave {
    include "sgx_eid.h"
    from "../LocalAttestationCode/LocalAttestationCode.edl" import *;
    trusted{
            public uint32_t test_create_session(sgx_enclave_id_t src_enclave_id, sgx_enclave_id_t dest_enclave_id);
            public uint32_t test_enclave_to_enclave_call(sgx_enclave_id_t src_enclave_id, sgx_enclave_id_t dest_enclave_id);
            public uint32_t test_message_exchange(sgx_enclave_id_t src_enclave_id, sgx_enclave_id_t dest_enclave_id);
            public void random_number([out] int *a);
            public uint32_t test_close_session(sgx_enclave_id_t src_enclave_id, sgx_enclave_id_t dest_enclave_id);
            
    };
};

The definition of my random number is in Enclave2.cpp is

....

void random_number(int *a)
{
    sgx_read_rand((unsigned char *)a, 4);
}

...

This is where I am returning the random number from Enclave2 to my main program (app.cpp). However, I want to return the generated random number do this via Enclave 1.

void input_from_user()
{...
    for (j = 0; j<n; j++)
    {
        ....
        Enclave2_random_number(e2_enclave_id, &a);
        ..
        Nodes[1] = (abs(a) % 4) + 1;
        ..

    }
}

**I am using WINDOWS OS.

0 Kudos
Copy link
Reply

Community support is provided during standard business hours (Monday to Friday 7AM - 5PM PST). Other contact methods are available here.

Intel does not verify all solutions, including but not limited to any file transfers that may appear in this community. Accordingly, Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade.

For more complete information about compiler optimizations, see our Optimization Notice.