mzaman
Novice
291 Views

REST API or HTTP API call from inside the enclave


Hi,

Is it possible to make a REST/HTTP API call from inside the SGX enclave?

Thanks,

Mzaman

13 Replies
JesusG_Intel
Moderator
270 Views

Hello Mzaman,

It is not possible to make calls directly to the outside world from inside an enclave. You must create ocalls from the enclave to your application, then the application can make the REST API or HTTP requests on behalf of the enclave.

 

Sincerely,

Jesus G.

Intel Customer Support
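
Added example (not part of the original posts and not Intel sample code): the ocall pattern described above, modelled in plain C so it builds without the SGX SDK, with the enclave side validating what the application hands back. `ocall_http_get` and `enclave_fetch` are hypothetical names; in a real enclave the ocall would be declared in the EDL file and bridged by code generated by sgx_edger8r, and the response here is constructed so the example runs offline.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define RESP_CAP 256

/* UNTRUSTED application side. Hypothetical ocall body: a real one would run
 * an HTTP client here; this returns a constructed response to stay offline. */
static const char *g_response = "HTTP/1.1 200 OK\r\n\r\n{\"ok\":true}";
static size_t g_reported_len = 0;          /* 0 means "report the true length" */

int ocall_http_get(const char *url, char *buf, size_t cap, size_t *out_len)
{
    (void)url;                             /* the URL is visible to the host */
    size_t n = strlen(g_response);
    if (n > cap) n = cap;
    memcpy(buf, g_response, n);
    *out_len = g_reported_len ? g_reported_len : n;
    return 0;
}

/* TRUSTED enclave side: everything the ocall returns is attacker-controlled.
 * Copies the body into `body`; returns its length, or -1 on any failed check. */
int enclave_fetch(const char *url, char *body, size_t body_cap)
{
    static const char ok[] = "HTTP/1.1 200 ";
    char resp[RESP_CAP] = {0};
    size_t len = 0, i;

    if (ocall_http_get(url, resp, sizeof resp, &len) != 0) return -1;
    if (len > sizeof resp) return -1;      /* never trust a host-supplied length */
    if (len < sizeof ok - 1 || memcmp(resp, ok, sizeof ok - 1) != 0) return -1;
    for (i = 0; i + 4 <= len; i++)         /* find the header/body separator */
        if (memcmp(resp + i, "\r\n\r\n", 4) == 0) break;
    if (i + 4 > len) return -1;
    size_t blen = len - (i + 4);
    if (blen >= body_cap) return -1;       /* leave room for the terminator */
    memcpy(body, resp + i + 4, blen);
    body[blen] = '\0';
    return (int)blen;
}

int main(void)
{
    char body[64];
    int n = enclave_fetch("https://example.invalid/api", body, sizeof body);
    printf("%d %s\n", n, n >= 0 ? body : "(rejected)");
    return 0;
}
```

The URL and the response bytes both pass through the application in this pattern, so it relays data but does not hide it from the untrusted side.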

 

mzaman
Novice
258 Views

Hi Jesus G.

So, I was trying to write an ocall, as you said, in the sgx-ra-sample example. When I try to import another .edl file, it shows "file not found within the search paths". I am following the developer guide format.

from "../../sys/other_secure_comms.edl" import *;

Do I need to change the Makefile in the sgx-ra-sample example?

Thanks,

Mzaman

JesusG_Intel
Moderator
253 Views

Hello mzaman,


Yes.


Specify the --search-path for the sgx_edger8r tool so that it can find the EDL files. Modify this line in the Makefile accordingly:


$(SGX_EDGER8R) --search-path $(SGXSDK_INCDIR) $(SGX_EDGER8R_FLAGS) --untrusted $<


Sincerely,

Jesus G.

Intel Customer Support



JesusG_Intel
Moderator
243 Views

Hello mzaman,


Did my previous suggestion help you fix your issue?


Sincerely,

Jesus G.

Intel Customer Support


mzaman
Novice
239 Views

Hi Jesus G,

Thanks for the suggestion, it's solving the issue. I am still working on creating a client inside the enclave through an OCALL. If you have any recommendations or sample code regarding this, please let me know.

Thanks,

Mzaman

JesusG_Intel
Moderator
234 Views

Hello Mzaman,


I recommend looking at the sample programs provided with the SGX SDK for guidance. I don't have sample code beyond that.


The Intel SGX Developer Reference Guide for Linux in the Documentation section of the latest release in Intel® Software Guard Extensions SDK for Linux* is very helpful.


Sincerely,

Jesus G.

Intel Customer Support


JesusG_Intel
Moderator
229 Views

This thread has been marked as answered and Intel will no longer monitor this thread. If you want a response from Intel in a follow-up question, please open a new thread.


is_0054
Beginner
195 Views

Hello @JesusG_Intel 

I have a situation:

I have a scenario in which I must connect to a web server and I need to keep the response data safe. I also need to process the data in the trusted part. The possibility of making an HTTP request from the enclave would solve the issue; however, you said that:

"It is not possible to make calls directly to the outside world from inside an enclave. You must create ocalls from the enclave to your application, then the application can make the REST API or HTTP requests on behalf of the enclave."

From my point of view, the SSL connection will keep the data safe during the transmission; however, once I read it in the untrusted code, the data can no longer be considered safe.

I am new to SGX technology and I know Intel won't allow this security risk. What am I missing? Can you guide me on how to make a safe HTTP request using SGX?

Thanks

mzaman
Novice
144 Views

Hi is_0054,

I am also a beginner in SGX.

Maybe you can open a server in the enclave, which will protect the data as SGX claims.

I could be wrong.

Thanks

Mzaman

is_0054
Beginner
140 Views

hey @mzaman 

But according to @JesusG_Intel it is not possible to make an HTTP call to the outside world from the enclave.

mzaman
Novice
132 Views

Hi,

You need to create ocalls for contacting the outer world/application.

That's what I understand.

Regards,

Mzaman

is_0054
Beginner
127 Views

Yes, but in that case, I will receive the data in the application, which means the untrusted part. However, one of the requirements is that the data needs to be secure at all times. I cannot have the data in the application.

So I am facing a dilemma. I can't do the HTTP request from the enclave, but I need to keep the received data safe, which means that the data must be received in the trusted part, where there is no way to make the call.

I don't know if it is a misunderstanding of my concepts.

JesusG_Intel
Moderator
104 Views

Hello is_0054 and mzaman,

These follow-up questions are being addressed in this thread: https://community.intel.com/t5/Intel-Software-Guard-Extensions/http-request-call-in-a-sgx-applicatio....