Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.
1453 Discussions

Is there a way to directly access data in the Untrust area from Enclave without copying the data?

wwfbear789
Beginner
‎05-28-2022 08:49 AM
701 Views
Solved Jump to solution

"Intel® Software Guard Extensions (Intel® SGX) SDK
for Linux* OS" contains the following statement

"The direction attribute instructs the trusted edge-routines (trusted bridge and trusted proxy) to copy the buffer pointed by the pointer. In order to copy the buffer contents, the trusted edge-routines have to know how much data needs to be copied. For this reason, the direction attribute is usually followed by a size or count modifier. If neither of these is provided nor the pointer is NULL, the trusted edge-routine assumes a count of one. When a buffer is being copied, the trusted bridge must avoid overwriting enclave memory in an ECALL and the trusted proxy must avoid leaking secrets in an OCALL. To accomplish this goal, pointers passed as ECALL parameters must point to untrusted memory and pointers passed as OCALL parameters must point to trusted memory. If these conditions are not satisfied, the trusted bridge and the trusted proxy will report an error at runtime, respectively, and the ECALL and OCALL functions will not be executed."

 

However, in the SGX application I am developing right now, the Enclave process handles Untrust's large data. At this time, if that data is copied within Enclave, a lot of Enclave will be used. Is there a way to directly process the data in the Untrust area without causing data copying? I am having a very difficult time with this and would like someone to help me out.

Labels (2)
Labels:
0 Kudos
1 Solution
Sahira_Intel
Moderator
‎06-01-2022 12:06 PM
657 Views
Solved Jump to solution

Hi,


You would have to allocate enough EPC for the data you are working with. The SGX Kernel Module and runtime supports paging so if the system runs out of EPC, it can utilize normal OS paging mechanisms to securely page EPC memory out to disk which would free up some EPC.

You could theoretically work on data in untrusted memory from within the enclave depending on the usage, but the enclave would only be able to access the untrusted application but the untrusted application could not read the enclave memory.


Hope this is helpful

Sincerely,

Sahira


View solution in original post

0 Kudos
Copy link

Link Copied

1 Reply
Sahira_Intel
Moderator
‎06-01-2022 12:06 PM
658 Views
Solved Jump to solution

Hi,


You would have to allocate enough EPC for the data you are working with. The SGX Kernel Module and runtime supports paging so if the system runs out of EPC, it can utilize normal OS paging mechanisms to securely page EPC memory out to disk which would free up some EPC.

You could theoretically work on data in untrusted memory from within the enclave depending on the usage, but the enclave would only be able to access the untrusted application but the untrusted application could not read the enclave memory.


Hope this is helpful

Sincerely,

Sahira


0 Kudos
Copy link
Reply

Community support is provided during standard business hours (Monday to Friday 7AM - 5PM PST). Other contact methods are available here.

Intel does not verify all solutions, including but not limited to any file transfers that may appear in this community. Accordingly, Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade.

For more complete information about compiler optimizations, see our Optimization Notice.