In the developer Guide (chapter Programming Model) is stated that the untrusted code selects the thread context to be used within the enclave.
1. Can someone explain me explain me how i can select that Thread context for enclaves?
2. Also is this a security problem? The other lists in Programming Models are naming some security related facts like: "A bug in the TCB can compromise the hole enclave, so keep it small". Is there also a security problem because the untrusted code seelcts the thread context?
Here is the definition of a Thread Context:
- Thread Control Structure (TCS)
- Thread Data/Thread Local Storage – data within the enclave and specific to the thread
- State Save Area (SSA) – a data buffer which holds register state when - 4 - an enclave must exit due to an interrupt or exception
- Stack – a stack located within the enclave
Please refer the Intel SGX Developer Reference guide (https://software.intel.com/en-us/documentation/sgx-sdk-developer-reference) "Enclave Settings" and "Enclave Configuration File" Topic for your reference.
Letting the untrusted code select the Thread Context is not a security risk, because:
- All thread contexts are equivalent, i.e. it doesn't matter which one the untrusted code chooses.
- The untrusted code cannot modify any area of a thread context.
The enclave controls what happens inside the enclave but it cannot control what happens outside, i.e. how enclave calls are made (what thread context, when, in what order, etc.).