Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

how to convert a existing dll into enclave?

quizy_j_
Beginner
2,087 Views

 is it possible to directly convert a existing dll into enclave? what steps should we take?

normal dll files provide a dllmain(...) function as the entry and export table, but I can't find any export function table of enclave dll files using dependency walker, except enclave_entry and g_peak_heap_used, even though I've defined interfaces in EDL file

Assume all the instructions of an existing dll project are supported by enclaves, can we just add an EDL file to define the export function inside it?

0 Kudos
1 Solution
Surenthar_S_Intel
2,087 Views

We cannot convert existing dll into SGX Enclave. SGX Dll needs to build on top of SGX SDK.

View solution in original post

0 Kudos
15 Replies
Surenthar_S_Intel
2,088 Views

We cannot convert existing dll into SGX Enclave. SGX Dll needs to build on top of SGX SDK.

0 Kudos
quizy_j_
Beginner
2,087 Views

Can we just define the Dllmain() function in the EDL file and change the included header files to standard trusted c library offered by the SDK?

For a dllmain() function like below:

 BOOL APIENTRY DllMain(HANDLE hModule, DWORD dwReason, LPVOID lpReserved)

We can define the interface in EDL file as:

enclave {
    trusted {
        public BOOL DllMain(HANDLE hModule, DWORD dwReason, LPVOID lpReserved) 
    };
};

Can the untrusted process load the dll via LoadLibrary so as to automatically execute the codes in Dllmain()? Or should we still need to create an enclave first so as to call the Dllmain() function in it?

0 Kudos
Francisco_C_Intel
2,087 Views

>Can the untrusted process load the dll via LoadLibrary...

sgx_create_enclave has more input and output params when compared to LoadLibrary(Ex). There is more 'stuff' that happens and so you cannot load an enclave DLL using LoadLibrary(Ex). It may work (I am not sure, haven't tried it), but if it does you would have a 'normal' DLL, not an enclave.

 

0 Kudos
Debakanta_S_
Beginner
2,087 Views

Hi Surenthar,

We are able to run our first "hello world" program using SGX.

Can we demonstrate to ensure how our trusted piece of code is getting protected?

Is there any way to display that the memory area is protected by the SGX Enclave?

 

Thanks & Regards,

Debakanta

 

0 Kudos
Debakanta_S_
Beginner
2,087 Views

Hi Surenthar,

Can we use SGX in Linux OS as well.

If so, then please let us know the compatible OS and other supporting software.

 

Thanks & Regards,

Debakanta

0 Kudos
Surenthar_S_Intel
2,087 Views

Hi Debakanta,

Yes we can use SGX in Linux OS as well.

Required Hardware: 6th Generation Core™ processor (or later) based platform with SGX Enabled BIOS support

Supported OS: Ubuntu* Desktop-14.04-LTS 64-bit version

Supported Languages: C and C++

The Intel(R) SGX SDK for Linux* OS Open Source project is now live and can be found here:  https://01.org/intel-software-guard-extensions/

The code is hosted here:  https://github.com/01org/linux-sgx (link is external) and https://github.com/01org/linux-sgx-driver (link is external)

- Surenthar Selvaraj

0 Kudos
Surenthar_S_Intel
2,087 Views

Debakanta S. wrote:

Hi Surenthar,

We are able to run our first "hello world" program using SGX.

Can we demonstrate to ensure how our trusted piece of code is getting protected?

Is there any way to display that the memory area is protected by the SGX Enclave?

 

Thanks & Regards,

Debakanta

 

When running with SGX, all of the enclave code is paged into a region of memory not visible to OS. This is the EPC memory allocation reserved in the BIOS. Generate a complete memory dump of the system with the enclave loaded. Provision a well-known-string in there at run time and then try to find it in the memory dump

-Surenthar

 

0 Kudos
Debakanta_S_
Beginner
2,087 Views

Hi Srenthar,

We want to protect some image file using SGX.

Tried following FILE pointer and fstream but all seems to be failing.

stdio.h needs to be customized it seems.

Is it possible to use file descriptor for any kind of file operation and carrying the files from one system to another via SGX?

We need to carry some 3D files from one security system to 3D printer and we want to protect from intruders.

Please let me know your suggestion.

 

 

Thanks & Regards,

Debakanta

0 Kudos
Juan_d_Intel
Employee
2,087 Views

I can only provide you some pointers...

For file i/O operations, you need to define file I/O APIs as OCALLs in the EDL file and include additional declarations in a header file, which can be included in the EDL file.

If you are planning to carry files from one machine to another, you cannot use the sealing API that the SGX provides. Instead, enclaves running on both machines need to agreed on a shared key or have a key provisioned by a 3rd party.

0 Kudos
Debakanta_S_
Beginner
2,087 Views

Hi,

Is it possible to transfer files to an oCall function and call an oCall function in an eCall function?

All I need to do is to pull a file from web service to an oCall function and call the oCall function inside the eCall function.

Please let me know your suggestion and opinion.

 

Thanks & Regards,

Debakanta

0 Kudos
Surenthar_S_Intel
2,087 Views

Hi Debakanta,

By definition, an OCALL is made from within an ECALL.

 

You enter the enclave with an ECALL. Once in the enclave, if you need to do something like I/O, you then use an OCALL to temporarily exit the enclave to call a function in untrusted space. When that function returns, you are back in the enclave.

 

A function that you run via an OCALL can even make another ECALL to enter the enclave at a different function (though in the EDL file, you can limit which ECALLs you are allowed to make from within the context of an OCALL).

 

-Surenthar

0 Kudos
Debakanta_S_
Beginner
2,087 Views

Hi,

Can we call Web Services from SGX?

What could be the process to do it?

 

 

Thanks & Regards,

Debakanta

0 Kudos
Surenthar_S_Intel
2,087 Views

Hi Debakanta,

Implementing the whole web services infrastructure inside an enclave environment can be done but is not recommended due to large memory footprint. Developers should only be implementing the code and data that needs to be kept confidential, inside the enclave. For example, If you look in the remote attestation sample provided in IDZ portal, the client application implements the REST SDK in the untrusted part of the application and the payload to be communicated is generated inside the enclave

-Surenthar

0 Kudos
Debakanta_S_
Beginner
2,087 Views

Hi,

We should not use system("Command") inside the enclave.

Can we use wget,CuraEngine or " powershell -command "& { (New-Object Net.WebClient).DownloadFile('http://myUrl', 'C:\path\to\test.json')}" " like commands directly inside the enclave.

Usually we keep eclaveWrapper  files in enclave_definition folder. Can we run the above commands in eclaveWrapper files which is different than the enclave_application folder. if we follow this process can we make sure about the safety of the files.

 

Thanks & Regards,

Debakanta

0 Kudos
Surenthar_S_Intel
2,087 Views

Hi,

As a general statement, IO is not supported inside an enclave - you have to make OCALLs.

If your enclave makes an OCALL to the untrusted part of your application, and in the untrusted part of your application you decide to make any of the IO calls you mentioned, then this "will work" from a "is this possible" perspective.

As you mentioned, it would be up to you to verify that whatever data you obtained (via wget, powershell, etc) is data that you trust and want to pass back to the enclave. Furthermore, an attacker may view or modify the data sometime between the time you received it and the time you sent it to the enclave. You would have to protect against that as well.

-Surenthar

0 Kudos
Reply