Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

Rest API or HTTP API call from inside the enclave

mzaman
Novice
2,728 Views

Hi,

Is it possible to make a REST/HTTP API call from inside the SGX enclave?

Thanks,

Mzaman

1 Solution
JesusG_Intel
Moderator
2,689 Views

Hello mzaman,


Yes.


Specify the --search-path for the sgx_edger8r tool so that it can find the edl files. Modify this line in the Makefile accordingly:


$(SGX_EDGER8R) --search-path $(SGXSDK_INCDIR) $(SGX_EDGER8R_FLAGS) --untrusted $<


Sincerely,

Jesus G.

Intel Customer Support


13 Replies
JesusG_Intel
Moderator
2,707 Views

Hello Mzaman,

It is not possible to make calls directly to the outside world from inside an enclave. You must create ocalls from the enclave to your application, then the application can make the REST API or HTTP requests on behalf of the enclave.

 

Sincerely,

Jesus G.

Intel Customer Support
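
A plain-C model of the pattern described in this reply, added here as an illustration and not code from the thread or the SGX SDK. `ocall_http_get`, `enclave_fetch` and the mock response are hypothetical names and constructed data, and the untrusted function is a stub standing in for the edger8r-generated OCALL proxy; the point shown is that the enclave must treat whatever the application returns as untrusted input.

```c
#include <stddef.h>
#include <string.h>

#define RESP_CAP 256

/* Untrusted application side (hypothetical stub). In a real build this is the
 * function behind the OCALL declared in the .edl file, and it would perform
 * the HTTP request. The response body is visible to the application here. */
static const char *g_mock_body = "{\"status\":\"ok\"}"; /* constructed sample */
static size_t g_mock_claimed_len = 0; /* 0 = report the true length */

int ocall_http_get(const char *url, char *resp, size_t cap, size_t *resp_len)
{
    size_t n = strlen(g_mock_body);
    (void)url;
    if (n > cap)
        n = cap;
    memcpy(resp, g_mock_body, n);
    /* A hostile application can report any length it likes. */
    *resp_len = g_mock_claimed_len ? g_mock_claimed_len : n;
    return 0;
}

/* Enclave side: copy the response into the caller's buffer only after the
 * length reported by the untrusted side has been checked. */
int enclave_fetch(const char *url, char *out, size_t out_cap, size_t *out_len)
{
    char buf[RESP_CAP] = {0};
    size_t claimed = 0;

    if (out == NULL || out_len == NULL || out_cap == 0)
        return -1;
    if (ocall_http_get(url, buf, sizeof buf, &claimed) != 0)
        return -1;                    /* request failed or was refused */
    if (claimed > sizeof buf || claimed >= out_cap)
        return -2;                    /* reported length lies or does not fit */
    memcpy(out, buf, claimed);
    out[claimed] = '\0';
    *out_len = claimed;
    return 0;
}
```
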

 

mzaman
Novice
2,695 Views

Hi Jesus G.

So, I was trying to write an ocall as you said on the sgx-ra-sample example. When I am trying to import another .edl file it's showing file not found within the search paths. I am following the developers guide format.

from "../../sys/other_secure_comms.edl" import *;

Do I need to change the make file in sgx-ra-sample example?

Thanks,

Mzaman

is_0054
Beginner
2,632 Views

Hello @JesusG_Intel 

I have a situation:

I have a scenario in which I must connect to a web server and I need to keep the response data safe. I also need to process the data in the trusted part. The possibility of making an HTTP request from the enclave would solve the issue; however, you said that:

"It is not possible to make calls directly to the outside world from inside an enclave. You must create ocalls from the enclave to your application, then the application can make the REST API or HTTP requests on behalf of the enclave."

From my point of view, the SSL connection will keep the data safe during the transmission; however, once I read it in the untrusted code, the data can no longer be considered safe.

I am new to SGX technology and I know Intel won't allow this security risk. What am I missing? Can you guide me on how to make a safe HTTP request using SGX?

Thanks

mzaman
Novice
2,581 Views

Hi is_0054,

I am also a beginner in SGX.

Maybe you can open a server in the enclave which will protect the data as SGX claims.

I could be wrong.

Thanks

Mzaman

is_0054
Beginner
2,577 Views

hey @mzaman 

But according to @JesusG_Intel, it is not possible to make an HTTP call to the outside world from the enclave.

mzaman
Novice
2,569 Views

Hi,

You need to create ocalls for contacting with the outer world/application.

That's what I understand.

Regards,

Mzaman

is_0054
Beginner
2,564 Views

Yes, but in that case, I will receive the data in the application, which means the untrusted part. However, one of the requirements is that the data needs to be secure at all times. I cannot have the data in the application.

Then I am facing a dilemma. I can't do the HTTP request from the enclave, but I need to have the received data safe, which means that the data must be received from the trusted part, where there is no way to make the call.

I don't know if it is a misunderstanding of my concepts.

JesusG_Intel
Moderator
2,680 Views

Hello mzaman,


Did my previous suggestion help you fix your issue?


Sincerely,

Jesus G.

Intel Customer Support


mzaman
Novice
2,676 Views

Hi Jesus G,

Thanks for the suggestion; it's solving the issue. I am still working on creating a client inside the enclave through an OCALL. If you have any recommendations or sample code regarding this, please let me know.

Thanks,

Mzaman

JesusG_Intel
Moderator
2,671 Views

Hello Mzaman,


I recommend looking at the sample programs provided with the SGX SDK for guidance. I don't have sample code beyond that.


The Intel SGX Developer Reference Guide for Linux in the Documentation section of the latest release in Intel® Software Guard Extensions SDK for Linux* is very helpful.


Sincerely,

Jesus G.

Intel Customer Support


JesusG_Intel
Moderator
2,666 Views

This thread has been marked as answered and Intel will no longer monitor this thread. If you want a response from Intel in a follow-up question, please open a new thread.

