Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.
1371 Discussions

Proper location of destination buffers for sgx_rijndael128GCM_encrypt

DavidCho
Beginner
‎06-28-2020 10:18 PM
601 Views
Solved Jump to solution

Dear Intel SGX Team,

I have a question about the proper usage of SDK function, sgx_rijndael128GCM_encrypt. In the "Intel SGX Developer Reference Guide", there is a description for the function. It says that "It is recommended that the source and destination data buffers are allocated within the enclave". However, what I wonder is that do we need to allocate the destination buffers within the enclave? I think the destination buffer only contains the encrypted data, so it can be allocated outside the enclave memory.

If we can allocate the destination buffer outside the enclave memory, I can use [user_check] for the function in the EDL file. (When I tested the latency difference between [out] and [user_check], it was not a big deal, but the [user_check] was a little bit better)

So, I wanna know why allocating destination buffer within the enclave is recommended. (I'm not sure but is it related to security issues?)

I really appreciate any comments.

Thank you in advance.

Best regards,

David Cho.

0 Kudos
1 Solution
JesusG_Intel
Moderator
‎06-30-2020 05:12 PM
583 Views
Solved Jump to solution

Hello David,


It is recommended that the destination be inside the memory space of the enclave in order to not place enclave data into untrusted/unprotected memory space. You are right, the data is encrypted (this is why it's a recommendation rather than a requirement), and you will get better performance using [user check] because with [user check] the compiler does not create the proxy functions to marshal the data across the trust boundaries.


I recommend to read this article for more details on data marshaling: https://software.intel.com/content/www/us/en/develop/articles/intel-software-guard-extensions-tutorial-part-7-refining-the-enclave.html


View solution in original post

Copy link

Link Copied

3 Replies
JesusG_Intel
Moderator
‎06-29-2020 06:27 PM
593 Views
Solved Jump to solution

Hello David,


We are looking into your issue. Please stay tuned.


0 Kudos
Copy link
JesusG_Intel
Moderator
‎06-30-2020 05:12 PM
584 Views
Solved Jump to solution

Hello David,


It is recommended that the destination be inside the memory space of the enclave in order to not place enclave data into untrusted/unprotected memory space. You are right, the data is encrypted (this is why it's a recommendation rather than a requirement), and you will get better performance using [user check] because with [user check] the compiler does not create the proxy functions to marshal the data across the trust boundaries.


I recommend to read this article for more details on data marshaling: https://software.intel.com/content/www/us/en/develop/articles/intel-software-guard-extensions-tutorial-part-7-refining-the-enclave.html


Copy link
DavidCho
Beginner
‎07-02-2020 04:04 AM
576 Views
Solved Jump to solution
In response to JesusG_Intel

Thanks for your kind reply.

It helps me a lot.

Have a good day!

 

Best regards,

David Cho.

In response to JesusG_Intel
0 Kudos
Copy link
Reply

For more complete information about compiler optimizations, see our Optimization Notice.