Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

intel sgx secure channel

maxdd
Beginner

I am wondering is there any example showing how to build up a secure channel and communicate between client and enclave?

 

I found "https://github.com/cloud-security-research/sgx-ra-tls", but it only provides example code to attest the server using openssl-client. I am wondering if there is a more detailed example or a simple API that I can use.

 

Thanks!

5 Replies
JesusG_Intel
Moderator

Hello maxdd,


Which client are you wondering about?


An enclave can only communicate with the untrusted application that it is compiled with, and this communication happens only inside the platform using SGX technology, ecalls and ocalls.


Enclaves cannot communicate directly with any other application outside of the untrusted application that calls it. All communication "with an enclave" is really happening between the outside entity and the untrusted application. Even other applications that run on the same system have to communicate with the untrusted application.


The secure channel, TLS, has to be established between the outside application and the untrusted application. See Figures 2 and 3 here: https://www.intel.com/content/www/us/en/developer/articles/code-sample/software-guard-extensions-remote-attestation-end-to-end-example.html


Sincerely,

Jesus G.

Intel Customer Support


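Added example, not code from this thread, from Intel, or from the sgx-ra-sample repository: a Go simulation of the key-exchange pattern used by the remote-attestation end-to-end example linked above, in which the enclave's ECDH public key is bound into the attestation report so that the remote application can check that the far end of the channel is the measured enclave even though every byte is relayed by the untrusted application. Everything SGX-specific is stood in for: the "quote" is an HMAC under a constant playing the Quoting Enclave's key, the measurement, the KDF label and all messages are constructed for the demo, and no SGX API is called.

```go
package main

import (
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed stand-in for the key behind a real SGX quote. On real hardware the
// Quoting Enclave signs the quote and the client verifies it with Intel's
// attestation service; this simulation never touches SGX.
var platformKey = []byte("constructed-quoting-enclave-key")

// report models what the client needs from a quote: the enclave measurement and
// REPORTDATA, into which the enclave binds a hash of both ECDH public keys so the
// untrusted application relaying the messages cannot swap the key exchange.
type report struct {
	mrEnclave, reportData [32]byte
	signature             []byte
}

// must panics on errors that cannot occur here (no entropy, mismatched curves).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func reportMAC(r *report) []byte {
	m := hmac.New(sha256.New, platformKey)
	m.Write(append(r.mrEnclave[:], r.reportData[:]...))
	return m.Sum(nil)
}

func transcriptHash(ga, gb []byte) [32]byte { return sha256.Sum256(append(append([]byte{}, ga...), gb...)) }

// deriveKey turns the ECDH secret into a 128-bit session key bound to the transcript
// (the label is an assumption of this demo, not Intel's KDF).
func deriveKey(secret, ga, gb []byte) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write(append(append([]byte("assumed-label:sgx-session-key"), ga...), gb...))
	return m.Sum(nil)[:16]
}

// enclaveHandshake is the enclave side: take the client's public key ga, answer
// with its own gb and a report whose REPORTDATA commits to ga||gb.
func enclaveHandshake(ga []byte, mr [32]byte) (key, gb []byte, r *report, err error) {
	clientPub, err := ecdh.P256().NewPublicKey(ga) // rejects off-curve points
	if err != nil {
		return nil, nil, nil, err
	}
	priv := must(ecdh.P256().GenerateKey(rand.Reader))
	gb = priv.PublicKey().Bytes()
	r = &report{mrEnclave: mr, reportData: transcriptHash(ga, gb)}
	r.signature = reportMAC(r)
	return deriveKey(must(priv.ECDH(clientPub)), ga, gb), gb, r, nil
}

// clientFinish is the remote application's side: check the quote signature, the
// measurement, and that the quote is bound to this very key exchange.
func clientFinish(priv *ecdh.PrivateKey, gb []byte, r *report, wantMR [32]byte) ([]byte, error) {
	if !hmac.Equal(r.signature, reportMAC(r)) {
		return nil, errors.New("quote signature invalid")
	}
	if r.mrEnclave != wantMR {
		return nil, errors.New("unexpected MRENCLAVE")
	}
	ga := priv.PublicKey().Bytes()
	if r.reportData != transcriptHash(ga, gb) {
		return nil, errors.New("quote not bound to this handshake (possible MITM)")
	}
	enclavePub, err := ecdh.P256().NewPublicKey(gb)
	if err != nil {
		return nil, err
	}
	return deriveKey(must(priv.ECDH(enclavePub)), ga, gb), nil
}

// RunHandshake plays both sides over an in-memory "network" and reports whether
// they agreed on a key. With mitm set, an attacker on the untrusted path swaps the
// enclave's gb for its own key; the transcript check in clientFinish rejects it.
func RunHandshake(mitm bool) (bool, error) {
	mr := sha256.Sum256([]byte("constructed enclave measurement"))
	clientPriv := must(ecdh.P256().GenerateKey(rand.Reader))
	enclaveKey, gb, rep, err := enclaveHandshake(clientPriv.PublicKey().Bytes(), mr)
	if err != nil {
		return false, err
	}
	if mitm {
		gb = must(ecdh.P256().GenerateKey(rand.Reader)).PublicKey().Bytes()
	}
	clientKey, err := clientFinish(clientPriv, gb, rep, mr)
	if err != nil {
		return false, err
	}
	return hmac.Equal(clientKey, enclaveKey), nil
}

func main() {
	fmt.Println(RunHandshake(false)) // true <nil>
	fmt.Println(RunHandshake(true))  // false quote not bound to this handshake (possible MITM)
}
```

The point to take from the MITM branch is that a plain TLS or ECDH handshake terminated by the untrusted application proves nothing about the enclave: the host could complete it itself and read the traffic. What makes the channel end at the enclave is that the enclave hashes both public keys into REPORTDATA before the report is signed, and the client refuses to derive a key unless that hash matches its own view of the exchange. The derived key would then drive an AEAD (the Intel sample uses AES-128-GCM) for the actual traffic.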
maxdd
Beginner

I used the incorrect word. I should say: how to build up a secure channel between an enclave on server S1 and another application running on server S2, based on remote attestation.

I have seen the link in your post and the github repo 'https://github.com/intel/sgx-ra-sample#build-linux'. I am wondering if there is any clean and simple API or example that I can use directly.

 

Thanks!

JesusG_Intel
Moderator

Hello maxdd,


The answer remains the same. You should build a secure channel between the untrusted application on server S1 and the application on server S2. Since this secure communication is between two applications on two separate servers, this has nothing to do with SGX.


We do not provide examples of how to do this, but a TLS channel is one option. There are many APIs on secure communications between two applications. Just focus on the two regular applications and forget the enclave. The untrusted application is just like a regular application.


JesusG_Intel
Moderator

Hello maxdd,


Did you see this discussion? https://github.com/redis/redis/pull/4855/ "SSL implementation on all channels"


JesusG_Intel
Moderator

This thread has been marked as answered and Intel will no longer monitor this thread. If you want a response from Intel in a follow-up question, please open a new thread.

