Hello,
How can I keep some data inside the enclave and preserve it between ECALLs (not nested ECALLs; each one returns)? For example, is the only way to do it by using a global array? Can I use a global pointer, dynamically allocate memory or create a new object inside a trusted function, and reference it by the global pointer? Or, after the function returns, will the memory/object referenced by the global pointer be destroyed, as in regular C++ runtime environments?
Hi,
I am reaching out to seek assistance and guidance regarding Intel Software Guard Extensions (SGX) technology. I have successfully installed and built the Intel SGX SDK, SGX Driver and Platform Software (PSW) on my Linux system as per these instructions ( https://github.com/intel/linux-sgx ) and I've successfully compiled the code under the SampleCode folder, and now I'm interested in creating enclaves to secure data for my applications.
If you can provide me with the proper documentation for the C++ code and its explanation, it'll be very helpful.
For example:
If I write a simple C++ program for the addition of two numbers, then where do I write the logic and how do I create an enclave for that logic?
Regards,
Ankit
Hi @nyxon
Thanks for the reference, and sorry for the interference. Actually, I have been stuck on this for the past 1 month. I also created a separate thread and am waiting for a response, but have not received any, so I asked the query here.
One last thing to ask: I am not getting how to use the Intel SGX SDK package for Linux to create enclaves, such as a program for addition in C++.
There are sample codes in the SDK (App.cpp, Enclave.cpp, etc.). How do I use them?
Can you please help me out?
Regards,
Ankit
You use the already provided makefile with the desired flags (e.g. make SGX_DEBUG=0 SGX_PRERELEASE=1 SGX_MODE=HW). See simplified structure below. Your code must have these files to be able to be compiled, and IF YOU USE the already provided makefile (e.g. use the makefile from one of these examples for your own code compilation) you should also respect the folder structure and the file names, or else you have to modify the makefile to succeed. Start by modifying the "HelloEnclave" example app.cpp and enclave.cpp to achieve some custom functionality, make sure it is working as expected, and then continue with other examples.
Hi Nyxon,
We've received feedback from the relevant team.
The direction attribute instructs the trusted edge routines (trusted bridge and trusted proxy) to copy the buffer pointed by the pointer. In order to copy the buffer contents, the trusted edge routines have to know how much data needs to be copied. For this reason, the direction attribute is usually followed by a size or count modifier. If neither of these is provided nor the pointer is NULL, the trusted edge routine assumes a count of one. When a buffer is being copied, the trusted bridge must avoid overwriting enclave memory in an ECALL and the trusted proxy must avoid leaking secrets in an OCALL. To accomplish this goal, pointers passed as ECALL parameters must point to untrusted memory and pointers passed as OCALL parameters must point to trusted memory. If these conditions are not satisfied, the trusted bridge and the trusted proxy will report an error at runtime, respectively, and the ECALL and OCALL functions will not be executed.
You may use the direction attribute to trade protection for performance. Otherwise, you must use the user_check attribute described below and validate the data obtained from untrusted memory via pointers before using it, since the memory a pointer points to could change unexpectedly because it is stored in untrusted memory. However, the direction attribute does not help with structures that contain pointers. In this scenario, you have to validate and copy the buffer contents, recursively if needed, yourself. Alternatively, you can define a structure that can be deep copied.
On another note, C++ objects are not supported in enclave interface definitions. If an application needs to pass a C++ object across the enclave boundary, you are recommended to store the C++ object’s data in a C struct and marshal the data across the enclave interface. Then you need to instantiate the C++ object inside the enclave with the marshaled C struct passed into the constructor (or you may update existing instantiated objects with appropriate operators).
For more information, please refer to the following pages in the Intel® Software Guard Extensions (Intel® SGX) SDK:
- Page 45 - Pointer Handling
- Page 56 - Structure Deep Copy
- Page 133 - C++ Language Support
Regards,
Wan
@Wan_Intel Hello and thank you for your reply. The provided info is important, but I want to know specifically about global variables inside the enclave.
For example, if I have defined a global array _global_array[10] and a _global_counter=0 in enclave.cpp, and I invoke an ECALL to initialise the first element of the array and increase the counter and return, and then invoke an ECALL again to initialise the second element and increase the counter again, will this work? Or will the global variables' contents be destroyed after the first ECALL returns?
There is a detailed answer in intel/sgx/issues on GitHub. The PowerTransition sample code demonstrates exactly how to use a global variable to keep valid data inside the enclave till its destruction.
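The pattern asked about in this thread, together with the "marshal a C struct, construct the C++ object inside the enclave" advice from the Intel reply, as an added example (not code from the SDK, the PowerTransition sample or any poster). The names account_init_t, Account and ecall_* and the EDL lines in the comments are hypothetical; the trusted functions are written as plain C++ so they compile without the SDK headers.

```cpp
// Trusted side, as it could sit in Enclave.cpp (all names are hypothetical).
// Assumed EDL:  public int ecall_create([in] const account_init_t* init);
//               public int ecall_deposit(uint32_t amount);
//               public int ecall_balance([out] uint64_t* balance);
//               public void ecall_destroy(void);
// [in]/[out] without size or count makes the edge routine copy one element.
#include <cstdint>
#include <new>

// Plain C struct: the form in which the object's data crosses the boundary.
struct account_init_t { uint32_t id; uint64_t opening_balance; };

class Account {
public:
    explicit Account(const account_init_t& s) : id_(s.id), balance_(s.opening_balance) {}
    bool deposit(uint32_t amount) {
        if (balance_ > UINT64_MAX - amount) return false;  // reject overflow
        balance_ += amount;
        return true;
    }
    uint32_t id() const { return id_; }
    uint64_t balance() const { return balance_; }
private:
    uint32_t id_;
    uint64_t balance_;
};

// Globals live in enclave memory, not on an ECALL's stack, so they outlive
// each call. With more than one TCS, guard them with a mutex.
static Account* g_account = nullptr;  // heap object kept via a global pointer
static uint32_t g_ecall_count = 0;    // plain global counter

extern "C" int ecall_create(const account_init_t* init) {
    ++g_ecall_count;
    if (init == nullptr || g_account != nullptr) return -1;
    g_account = new (std::nothrow) Account(*init);  // built from the C struct
    return g_account ? 0 : -2;
}
extern "C" int ecall_deposit(uint32_t amount) {
    ++g_ecall_count;
    if (g_account == nullptr) return -1;
    return g_account->deposit(amount) ? 0 : -3;
}
extern "C" int ecall_balance(uint64_t* balance) {
    ++g_ecall_count;
    if (g_account == nullptr || balance == nullptr) return -1;
    *balance = g_account->balance();
    return 0;
}
extern "C" void ecall_destroy() { delete g_account; g_account = nullptr; }
```

The object and the counter stay valid across separate ECALLs until ecall_destroy runs or the enclave itself is destroyed; nothing is freed just because an ECALL returns.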
Hi Nyxon,
Thanks for sharing the information in the community.
Glad to know that your issue has been resolved. If you need any additional information from Intel, please submit a new question as this thread will no longer be monitored.
Regards,
Wan
