Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

Running non-debug enclaves on my local machine

Ofir_W_
Beginner
409 Views

Hello,

It was said in this forum that a launch enclave could potentially let any enclave run on the system:

In the SGX spec, Intel will need to provide an Intel-signed launch enclave to make SGX usable. This enclave will use EGETKEY to acquire the launch key for that processor and sign enclaves to allow them to run there. If that launch enclave isn't trying to enforce any particular policy about what enclaves can and can't run, it's actually a trivial piece of code. A basic launch enclave only requires user/enclave calling convention and an enclave CMAC implementation, both of which are simple and fundamental to any useful SGX implementation.

As the process of acquiring a production grade license is complex, I am looking for ways to test my code in non debug mode:

  1. Is it possible to get such an Intel-signed launch enclave that will allow me to test my enclave code in a non-debug enclave? It is ok if it just runs on my machine.
  2. Is there another way, like an existing server that is publicly available, to run my enclave code in non debug mode?

Thank you for your help!

Ofir

0 Kudos
3 Replies
Surenthar_S_Intel
409 Views

Hi,

#1. Is it possible to get such an Intel-signed launch enclave that will allow me to test my enclave code in a non-debug enclave? It is ok if it just runs on my machine.

  • The attestation service is available to all SGX developers. For developers that have built their enclaves and are ready to access the Intel Attestation Verification Service referenced in the paper, please contact intel.developer.services@intel.com for additional information.

#2. Is there another way, like an existing server that is publicly available, to run my enclave code in non debug mode?

  • For testing remote attestation, a sandbox is available for testing purposes. Go to: https://software.intel.com/formfill/sgx-onboarding. This link is available from the SGX landing zone (software.intel.com/sgx). Go to “Resource Library” and then select “Access Development Services” from the sidebar.

-Surenthar

0 Kudos
Ofir_W_
Beginner
409 Views

Thank you for that answer.

My question was not regarding the attestation service, but regarding running the enclave in non-debug mode.

What is your answer in that case?

Thank you,

Ofir

0 Kudos
Surenthar_S_Intel
409 Views

Hi Ofir,

To debug enclave code, please note that you do need to load the enclave in debug mode. If you load the enclave in non-debug mode, you can’t set any breakpoints in the enclave. You can find instructions on how to load the enclave in debug mode in the SGX SDK developer reference; I suppose you can find it in IDZ.

About your questions:

  1. Is it possible to get such an Intel-signed launch enclave that will allow me to test my enclave code in a non-debug enclave? It is ok if it just runs on my machine.

     No. There is an enclave launch white-list file, signed by Intel. I don’t think we can add an arbitrary entry there.

  2. Is there another way, like an existing server that is publicly available, to run my enclave code in non debug mode?

     No

-Surenthar
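
Added example, not part of the thread and not Intel's code: whether an enclave may be loaded in debug or non-debug mode is constrained by the DEBUG bit in its SIGSTRUCT ATTRIBUTES and ATTRIBUTEMASK fields, which EINIT compares against the attributes the enclave was created with. The sketch reads those fields from a raw 1808-byte SIGSTRUCT using the offsets of the Intel SDM layout; the function names and the sample bytes are constructed for illustration, and the launch white-list discussed above is a separate check that this code does not model.

```python
import struct

# Field offsets from the SIGSTRUCT layout in the Intel SDM (1808 bytes total).
SIGSTRUCT_SIZE = 1808
OFF_VENDOR = 16          # 0x00008086 for an Intel enclave, 0 otherwise
OFF_ATTRIBUTES = 928     # 8-byte flags followed by 8-byte XFRM
OFF_ATTRIBUTEMASK = 944  # same layout; only bits set here are enforced
ATTR_DEBUG = 1 << 1           # ATTRIBUTES.DEBUG
ATTR_EINITTOKEN_KEY = 1 << 5  # launch key available through EGETKEY


def debug_policy(sigstruct: bytes) -> dict:
    """Report which debug modes the signer allows for this enclave."""
    if len(sigstruct) != SIGSTRUCT_SIZE:
        raise ValueError("expected %d bytes, got %d"
                         % (SIGSTRUCT_SIZE, len(sigstruct)))
    (vendor,) = struct.unpack_from("<I", sigstruct, OFF_VENDOR)
    (flags,) = struct.unpack_from("<Q", sigstruct, OFF_ATTRIBUTES)
    (mask,) = struct.unpack_from("<Q", sigstruct, OFF_ATTRIBUTEMASK)
    # EINIT requires (SECS.ATTRIBUTES & mask) == (SIGSTRUCT.ATTRIBUTES & mask),
    # so an unmasked DEBUG bit leaves the choice to whoever loads the enclave.
    if not mask & ATTR_DEBUG:
        mode = "either"
    elif flags & ATTR_DEBUG:
        mode = "debug-only"
    else:
        mode = "non-debug-only"
    return {
        "intel_vendor": vendor == 0x8086,
        "debug": mode,
        "signed_with_launch_key_attr": bool(flags & ATTR_EINITTOKEN_KEY),
    }


def make_sample(flags: int, mask: int, vendor: int = 0) -> bytes:
    """Constructed test input: a zeroed SIGSTRUCT with only these fields set."""
    buf = bytearray(SIGSTRUCT_SIZE)
    struct.pack_into("<I", buf, OFF_VENDOR, vendor)
    struct.pack_into("<Q", buf, OFF_ATTRIBUTES, flags)
    struct.pack_into("<Q", buf, OFF_ATTRIBUTEMASK, mask)
    return bytes(buf)


if __name__ == "__main__":
    full = 0xFFFFFFFFFFFFFFFF
    print(debug_policy(make_sample(0x4, full & ~ATTR_DEBUG)))  # either
    print(debug_policy(make_sample(0x4, full)))                # non-debug-only
```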
