- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
How can i keep some data inside the enclave and preserve them between ECALLs? (not nested ECALL -each one returns) For example the only way to do it is by using a global array? Can i use a global pointer, dynamically allocate memory/create new object inside a trusted function and reference it by the global pointer or after the function returns the memory/object referenced by the global pointer will be destroyed as regular C++ runtime environments?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There is a detailed answer in intel/sgx/issues on github. The PowerTransition sample code demonstrates exactly how to use a global variable to keep valid data inside the enclave till it's destruction.
Link Copied
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Nyxon,
Thanks for reaching out to us.
Let me check with relevant team and I'll update you at the earliest.
Regards,
Wan
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I am reaching out to seek assistance and guidance regarding Intel Software Guard Extensions (SGX) technology. I have successfully installed and built the Intel SGX SDK ,SGX Driver and Platform Software (PSW) on my LINUX system as per these instructions ( https://github.com/intel/linux-sgx ) and I've successfully compiled the codes under SampleCode folder, and now I'm interested in creating enclaves to secure data for my applications.
If you can provide me the proper documentation for the C++ codes and their explanation it'll be very helpful.
For Example:
If I write a simple C++ program for addition of two number then where to write the logic and then how to create an enclave for that logic.
Regards,
Ankit
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @nyxon
Thanks for the refernce and sorry for the interference , actually I have been stuck on this for past 1 months ,also created seperate thread and waiting for the response but have not received any so asked the query here.
one last thing to ask , I am not getting how to use Intel SGX SDK package for linux to create enclaves such as a program for addition in C++.
there are sample codes in SDK(App.cpp ,Enclave.cpp etc) how to use them.
Can you please help me out ?
Regards
Ankit
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You use the already provided makefile with the desired flags, (e.g. make SGX_DEBUG=0 SGX_PRERELEASE=1 SGX_MODE=HW) See simplified structure below. Your code must have these files to be able to be compiled and IF YOU USE the already provided makefile (e.g. use makefile from one of these examples for your own code compilation) you should also respect the folder structure and the file names or else you have to modify the makefile to succeed. Start by modifying the "HelloEnclave" Example app.cpp and enclave.cpp to achieve some custom functionality, make sure it is working as expected and then continue with other examples.
└
└
└
└
└
└
└
└
└
└
└
...
└
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Nyxon,
We're received feedback from relevant team.
The direction attribute instructs the trusted edge routines (trusted bridge and trusted proxy) to copy the buffer pointed by the pointer. In order to copy the buffer contents, the trusted edge routines have to know how much data needs to be copied. For this reason, the direction attribute is usually followed by a size or count modifier. If neither of these is provided nor the pointer is NULL, the trusted edge routine assumes a count of one. When a buffer is being copied, the trusted bridge must avoid overwriting enclave memory in an ECALL and the trusted proxy must avoid leaking secrets in an OCALL. To accomplish this goal, pointers passed as ECALL parameters must point to untrusted memory and pointers passed as OCALL parameters must point to trusted memory. If these conditions are not satisfied, the trusted bridge and the trusted proxy will report an error at runtime, respectively, and the ECALL and OCALL functions will not be executed.
You may use the direction attribute to trade protection for performance. Otherwise, you must use the user_check attribute described below and validate the data obtained from untrusted memory via pointers before using it, since the memory a pointer points to could change unexpectedly because it is stored in untrusted memory. However, the direction attribute does not help with structures that contain pointers. In this scenario, you have to validate and copy the buffer contents, recursively if needed, yourself. Alternatively, you can define a structure that can be deep copied.
On another note, C++ objects are not supported in enclave interface definitions. If an application needs to pass a C++ object across the enclave boundary, you are recommended to store the C++ object’s data in a C struct and marshal the data across the enclave interface. Then you need to instantiate the C++ object inside the enclave with the marshaled C struct passed into the constructor (or you may update existing instantiated objects with appropriate operators).
For more information, please refer to the following page in Intel® Software Guard Extensions (Intel® SGX) SDK
- Page 45 - Pointer Handling
- Page 56 - Structure Deep Copy
- Page 133 - C++ Language Support
Regards,
Wan
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@Wan_Intel Hello and thank you for your reply. The provided info are important, but i want to know specifically about global variables inside the enclave.
For example if i have defined a global array _global_array[10] and a _global_counter=0 in the enclave.cpp
and invoke an ECALL to initialise the first element of the array and increase the counter and return and then invoke again an ECALL and initialise the second element and increase the counter again will this work? Or after the first ECALL returns, global variables content will be destroyed?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Nyxon,
Thanks for the information.
Let me check with relevant team and I'll update you as soon as possible.
Regards,
Wan
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Ankit_17,
Thanks for reaching out to us.
Please open a new thread so we can support you in a new thread.
Regards,
Wan
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There is a detailed answer in intel/sgx/issues on github. The PowerTransition sample code demonstrates exactly how to use a global variable to keep valid data inside the enclave till it's destruction.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Nyxon,
Thanks for sharing the information in the community.
Glad to know that your issue has been resolved. If you need any additional information from Intel, please submit a new question as this thread will no longer be monitored.
Regards,
Wan
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page