
Intel SGX related


I am new to Intel SGX technology and was exploring the various features it offers. I wanted to develop an emulator which could approximately emulate a few of the features offered by SGX.

I wanted to start off with a very simple scenario. I wanted to know how a read/write system call would work inside an enclave. I don't see any reference manual mentioning how a general system call would work inside an enclave. I understand that there are some instructions used to create/destroy/debug/manage enclaves. But what about basic system calls? In particular, I want to know how basic system calls like read/write initiated inside an enclave would work -- the flow? Who handles them? How are they handled? What are the components visible outside the enclave? How is it transformed if it contains any sensitive data? What is it transformed to -- what does Synthetic State mean? How does the stack switch happen?

According to my understanding, the TCB in SGX is just the Intel platform and the application running inside an enclave. But in order to service the system calls, there has to be interaction between the application running inside the enclave and the host OS/VMM. I don't completely get the transformations that occur at this boundary.

I went through the programming manual for SGX and a few white papers, have a crude understanding, and would like to have a clear-cut understanding of it. Kindly share your experience in this regard.


2 Replies

In SGX, an enclave (secure container) only contains the private data in a computation and the code that operates on it. To avoid leaking private data, a CPU that is executing enclave code does not directly service an interrupt, fault (e.g., a page fault) or VM exit. So in your case, a system call for a read/write operation is the same as an interrupt, which is not supported within an enclave. (I/O operations are not supported by SGX.)

But SGX includes instructions to let you temporarily exit the enclave in order to call untrusted code so that you can perform I/O, make general system calls, etc. and then return to the enclave. This imposes a performance penalty, and you are executing untrusted code during this time (which is not protected by SGX), so this should only be done when necessary and the amount of time spent outside the enclave should be minimized.


Why work on an emulator if there is already a simulation mode? Apart from platform services, you can compile and test pretty much everything on SGX, functionality-wise. It comes with the free SDK, which you can install as a plugin to VS 2012.
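
The exit-and-return flow described in the first reply, as an added illustration that is not code from this thread or from Intel's SDK: a plain-C model of trusted code handing a write to an untrusted host routine and bound-checking the result it gets back. All function and buffer names are hypothetical, and no SGX instructions are involved.

```c
/* Added model of an OCALL-style write. Plain C, no SGX SDK; every name is hypothetical. */
#include <stddef.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Untrusted host routine reached after temporarily leaving the enclave. */
typedef ssize_t (*host_write_fn)(int fd, const void *buf, size_t len);

/* Stands in for a buffer in ordinary (non-enclave) memory that the host can read. */
static unsigned char untrusted_buf[128];

/* Honest host: issues the real system call on the enclave's behalf. */
static ssize_t host_syscall_write(int fd, const void *buf, size_t len) {
    return write(fd, buf, len);
}

/* Constructed test host: records what it was given and over-reports by host_extra bytes. */
static unsigned char host_seen[128];
static size_t host_extra;
static ssize_t host_fake_write(int fd, const void *buf, size_t len) {
    (void)fd;
    memcpy(host_seen, buf, len);
    return (ssize_t)(len + host_extra);
}

/* Trusted side. Returns 0 and sets *written on success, -1 on a rejected request or
 * result. Everything in `data` becomes visible to the host, so the caller must
 * encrypt sensitive bytes before passing them here. */
static int enclave_write(host_write_fn host, int fd,
                         const unsigned char *data, size_t len, size_t *written) {
    if (len > sizeof untrusted_buf)
        return -1;                              /* never overrun the shared buffer */
    memcpy(untrusted_buf, data, len);           /* marshal bytes out of enclave memory */
    ssize_t r = host(fd, untrusted_buf, len);   /* exit, host runs the syscall, re-enter */
    if (r < 0 || (size_t)r > len)
        return -1;                              /* host result is untrusted: bound-check it */
    *written = (size_t)r;
    return 0;
}

int main(void) {
    size_t n = 0;
    const unsigned char msg[] = "ciphertext-or-public-bytes\n"; /* constructed sample */
    return enclave_write(host_syscall_write, STDOUT_FILENO, msg, sizeof msg - 1, &n);
}
```

The check on the returned byte count matters because the host controls that value: a count larger than the request is impossible for an honest `write` and is rejected rather than used.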