Dvorak_d_

Question about the Haven Paper: How does the shield load the OS inside the Enclave


Hi, I have a question about the Haven paper: https://www.usenix.org/system/files/conference/osdi14/osdi14-paper-baumann.pdf

If I understood correctly, the process is:
1. The application developer packages everything into an image, encrypts it with a password, then sends the encrypted image to the cloud provider;
2. The cloud provider first creates an Enclave and loads it with a "Shield";
3. The "Shield" does the "remote attestation"; once all clear, it receives the password that can decrypt the image.
4. It basically "boots" the OS/App inside the image.
5. The application runs securely.

I'm confused by step 4. Quoting the original text: "Assuming it was loaded correctly, the shield may now decrypt the VHD key using its private key, and use it to access the contents of the VHD, allowing it to continue to load the LibOS and application."

Just wondering, if the code inside the image is encrypted when the enclave is created, how does the enclave make the code "executable" after decryption? This is like asking my C program to execute machine code inside my HEAP, which is mostly forbidden by the OS. Is this kind of operation allowed inside the Enclave? (i.e. trusted enclave code can read some blobs from untrusted memory, decrypt them, and place them inside the trusted area as CODE instead of DATA, then execute the code?)

Thanks a lot!

-Dvorak

 


Accepted Solutions

We suggest that you direct your question to the authors of the paper. Thank you for your interest in Intel® SGX.

-Surenthar.
