Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

Can an SGX enclave be a standalone process?

quizy_j_
Beginner
1,219 Views

Can an SGX enclave be a standalone process and directly communicate with an enclave in another process? From what I gathered from the SDK, it seems that there needs to be untrusted code acting as the intermediary, as shown in the local attestation section on page 75 of the Intel SGX SDK for Windows.

8 Replies
quizy_j_
Beginner

Is it possible for an existing application to call functions of an enclave dynamically during its execution, so as to avoid modifying its source code?

Surenthar_S_Intel

Two enclaves can’t directly communicate with one another. Also note that an application can have more than one enclave. Those enclaves also cannot communicate directly with one another.

Could you please elaborate more on "Is it possible for an existing application to call functions of an enclave dynamically during its execution, so as to avoid modifying its source code?"

quizy_j_
Beginner

Surenthar S. (Intel) wrote:

Could you please elaborate more on "Is it possible for an existing application to call functions of an enclave dynamically during its execution, so as to avoid modifying its source code?"

As the enclave code is packaged as a DLL file, can we just load it dynamically into the application's memory space? Currently we have to create an enclave first and then call the functions of the DLL file, which requires modifying the existing application's source code. I think there might be some way to insert the enclave creation code on the fly without recompiling the source code. As long as we keep the same function declarations as the original application, there is no need to modify all the source code and recompile, right?

Surenthar_S_Intel

As long as you keep the same function declarations (no change in the EDL file) in the enclave, you can build the DLL separately and use it on the fly. In this case, you don't have to rebuild/modify the application source code.

quizy_j_
Beginner

Surenthar S. (Intel) wrote:

As long as you keep the same function declarations (no change in the EDL file) in the enclave, you can build the DLL separately and use it on the fly. In this case, you don't have to rebuild/modify the application source code.

But we need to create an enclave first in order to call the functions of the DLL, right? How can this creation be done without modifying the application source code?

Surenthar_S_Intel

You can create an SGX enclave as a standalone.

Juan_d_Intel
Employee

Note that even if the enclave functions that you declare in the EDL file have the same prototype declaration, the functions that the untrusted application calls have a different signature.

The return value of an enclave call (ECALL) is sgx_status_t, and the ECALL takes two additional parameters: an sgx_enclave_id_t and a pointer to receive the actual function return value.

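To make the signature difference concrete, here is an added example (not code from this thread, from Intel, or from the SDK) of the untrusted-side shim that the "same function declarations" idea actually requires. It assumes an EDL that declares `public int ecall_add(int a, int b);`, a signed enclave image named enclave.signed.dll, and the edger8r-generated header enclave_u.h; all three names are assumptions. The ECALL is deliberately named ecall_add rather than add, because the generated proxy keeps the EDL name and would otherwise collide with the legacy `int add(int, int)` symbol the shim has to export. When the SDK is not present the shim builds against a small stand-in runtime (also an assumption, with stand-in error-code values) so it can be compiled and exercised as shown.

```c
/* Shim that preserves the legacy prototype `int add(int a, int b)` an existing
 * application links against, and routes it into an enclave ECALL.
 * Assumed EDL:  public int ecall_add(int a, int b);
 * for which sgx_edger8r generates the untrusted proxy
 *   sgx_status_t ecall_add(sgx_enclave_id_t eid, int *retval, int a, int b);
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ENCLAVE_FILE "enclave.signed.dll"   /* assumed signed enclave image */

#ifdef HAVE_SGX_SDK
#include "sgx_urts.h"
#include "enclave_u.h"   /* generated proxies; assumed header name */
#else
/* Stand-in for the SGX untrusted runtime so this file builds and runs without
 * the SDK. Types mirror sgx_urts.h / sgx_error.h; the numeric error codes are
 * stand-in values, a real build takes them from sgx_error.h. */
typedef uint64_t sgx_enclave_id_t;
typedef uint8_t  sgx_launch_token_t[1024];
typedef struct { uint64_t placeholder; } sgx_misc_attribute_t;
typedef enum {
    SGX_SUCCESS            = 0,
    SGX_ERROR_UNEXPECTED   = 0x0001,
    SGX_ERROR_ENCLAVE_LOST = 0x0004
} sgx_status_t;
#define SGX_DEBUG_FLAG 1

/* Knobs for exercising the shim against the stand-in runtime. */
int mock_create_count = 0;                          /* enclave creations so far */
sgx_status_t mock_next_ecall_status = SGX_SUCCESS;  /* injected into next ECALL */

static sgx_status_t sgx_create_enclave(const char *file, int debug,
                                       sgx_launch_token_t *token, int *updated,
                                       sgx_enclave_id_t *eid,
                                       sgx_misc_attribute_t *attr) {
    (void)file; (void)debug; (void)token; (void)attr;
    *updated = 0;
    *eid = (sgx_enclave_id_t)(++mock_create_count);   /* never 0 */
    return SGX_SUCCESS;
}

static sgx_status_t sgx_destroy_enclave(sgx_enclave_id_t eid) {
    (void)eid;
    return SGX_SUCCESS;
}

/* Stand-in for the generated proxy: same shape as the edger8r output. */
static sgx_status_t ecall_add(sgx_enclave_id_t eid, int *retval, int a, int b) {
    sgx_status_t st = mock_next_ecall_status;
    mock_next_ecall_status = SGX_SUCCESS;
    if (eid == 0 || st != SGX_SUCCESS) return st == SGX_SUCCESS ? SGX_ERROR_UNEXPECTED : st;
    *retval = a + b;   /* what the trusted ecall_add would compute inside the enclave */
    return SGX_SUCCESS;
}
#endif

static sgx_enclave_id_t g_eid = 0;                 /* 0 means "not created yet" */
static sgx_status_t     g_last_status = SGX_SUCCESS;

/* Out-of-band error channel: the legacy int prototype has no room for a status. */
sgx_status_t shim_last_status(void) { return g_last_status; }

/* Create the enclave lazily on first use. Returns 1 if an enclave is available. */
static int ensure_enclave(void) {
    if (g_eid != 0) return 1;
    sgx_launch_token_t token = {0};
    int token_updated = 0;
    g_last_status = sgx_create_enclave(ENCLAVE_FILE, SGX_DEBUG_FLAG, &token,
                                       &token_updated, &g_eid, NULL);
    if (g_last_status != SGX_SUCCESS) {
        g_eid = 0;
        fprintf(stderr, "sgx_create_enclave failed: 0x%x\n", (unsigned)g_last_status);
        return 0;
    }
    return 1;
}

/* Legacy prototype, unchanged for the application. Returns 0 on failure, so the
 * caller must consult shim_last_status() to tell a failure from a genuine 0. */
int add(int a, int b) {
    int retval = 0;
    for (int attempt = 0; attempt < 2; attempt++) {
        if (!ensure_enclave()) return 0;
        g_last_status = ecall_add(g_eid, &retval, a, b);
        if (g_last_status == SGX_SUCCESS) return retval;
        if (g_last_status != SGX_ERROR_ENCLAVE_LOST) return 0;
        /* Enclave lost (e.g. after a power transition): tear down and rebuild once. */
        sgx_destroy_enclave(g_eid);
        g_eid = 0;
    }
    return 0;
}
```

Two things this shape makes visible that a plain LoadLibrary of the enclave DLL never would: the enclave has to be created before the first call (here lazily, from inside the preserved prototype), and the sgx_status_t the proxy returns has nowhere to go in the original signature, so it is parked in a side channel the legacy caller was never written to check. The single-threaded g_eid handling is a deliberate simplification; a real shim guards enclave creation and teardown with a lock.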
quizy_j_
Beginner

Thanks for all the replies. I'm going to make a short conclusion based on them.

  • An SGX enclave cannot directly communicate with the world outside the application; it can only use the trusted libraries and communicate with the untrusted part of the application through ECALLs/OCALLs.
  • An SGX enclave cannot be a standalone process. The application that needs to use the enclave must initialize the enclave and then call the functions belonging to it; LoadLibrary won't work for enclave.dll.