Intel® Software Guard Extensions (Intel® SGX)
Use hardware-based isolation and memory encryption to provide more code protection in your solutions.
1345 Discussions

Is there a way to directly access data in the Untrust area from Enclave without copying the data?

wwfbear789
Beginner
265 Views

"Intel® Software Guard Extensions (Intel® SGX) SDK
for Linux* OS" contains the following statement

"The direction attribute instructs the trusted edge-routines (trusted bridge and trusted proxy) to copy the buffer pointed by the pointer. In order to copy the buffer contents, the trusted edge-routines have to know how much data needs to be copied. For this reason, the direction attribute is usually followed by a size or count modifier. If neither of these is provided nor the pointer is NULL, the trusted edge-routine assumes a count of one. When a buffer is being copied, the trusted bridge must avoid overwriting enclave memory in an ECALL and the trusted proxy must avoid leaking secrets in an OCALL. To accomplish this goal, pointers passed as ECALL parameters must point to untrusted memory and pointers passed as OCALL parameters must point to trusted memory. If these conditions are not satisfied, the trusted bridge and the trusted proxy will report an error at runtime, respectively, and the ECALL and OCALL functions will not be executed."

 

However, in the SGX application I am developing right now, the Enclave process handles Untrust's large data. At this time, if that data is copied within Enclave, a lot of Enclave will be used. Is there a way to directly process the data in the Untrust area without causing data copying? I am having a very difficult time with this and would like someone to help me out.

Labels (2)
0 Kudos
1 Solution
Sahira_Intel
Moderator
221 Views

Hi,


You would have to allocate enough EPC for the data you are working with. The SGX Kernel Module and runtime supports paging so if the system runs out of EPC, it can utilize normal OS paging mechanisms to securely page EPC memory out to disk which would free up some EPC.

You could theoretically work on data in untrusted memory from within the enclave depending on the usage, but the enclave would only be able to access the untrusted application but the untrusted application could not read the enclave memory.


Hope this is helpful

Sincerely,

Sahira


View solution in original post

1 Reply
Sahira_Intel
Moderator
222 Views

Hi,


You would have to allocate enough EPC for the data you are working with. The SGX Kernel Module and runtime supports paging so if the system runs out of EPC, it can utilize normal OS paging mechanisms to securely page EPC memory out to disk which would free up some EPC.

You could theoretically work on data in untrusted memory from within the enclave depending on the usage, but the enclave would only be able to access the untrusted application but the untrusted application could not read the enclave memory.


Hope this is helpful

Sincerely,

Sahira


Reply