Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.
1452 Discussions

Memset-ing on enclaves

Elephant
Beginner
‎11-23-2017 05:19 PM
669 Views
Solved Jump to solution

hi,

I noticed on a lot of sgx code examples that they explicitly memset allocated variables to 0 before leaving the trusted zone. Any insight on this?  Ithought enclaves' EPC is protected and doing memsets will reduce performance of applications.

Thanks!

Kind Regards,

Elephant 

0 Kudos
1 Solution
Hoang_N_Intel
Employee
‎12-12-2017 12:43 AM
669 Views
Solved Jump to solution

The reason of using memset is documented in the SGX Developer Guide at https://download.01.org/intel-sgx/linux-1.9/docs/Intel_SGX_Developer_Guide.pdf under the section of "Disposal of Enclave Secrets".

Here is an excerpt: "The enclave writer must use the memset_s() function to clear any variable that contained secret data. The use of this function guarantees that the compiler will not optimize away the write to memory intended by this function call and thus ensuring the secret data is cleared. Using memset_s() is especially important when secret data is stored in a dynamically allocated buffer"

View solution in original post

0 Kudos
Copy link

Link Copied

1 Reply
Hoang_N_Intel
Employee
‎12-12-2017 12:43 AM
670 Views
Solved Jump to solution

The reason of using memset is documented in the SGX Developer Guide at https://download.01.org/intel-sgx/linux-1.9/docs/Intel_SGX_Developer_Guide.pdf under the section of "Disposal of Enclave Secrets".

Here is an excerpt: "The enclave writer must use the memset_s() function to clear any variable that contained secret data. The use of this function guarantees that the compiler will not optimize away the write to memory intended by this function call and thus ensuring the secret data is cleared. Using memset_s() is especially important when secret data is stored in a dynamically allocated buffer"

0 Kudos
Copy link
Reply

Community support is provided during standard business hours (Monday to Friday 7AM - 5PM PST). Other contact methods are available here.

Intel does not verify all solutions, including but not limited to any file transfers that may appear in this community. Accordingly, Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade.

For more complete information about compiler optimizations, see our Optimization Notice.