Community
cancel
Showing results for 
Search instead for 
Did you mean: 
OvalPiston
Beginner
517 Views

sgx_ecall works to store data in enclave, now how do I retrieve it?

I'm using the 'SGX First App', bundled with the SDK. It calls sgx_ecall to store data into the enclave. This is working for me.

Q: Now, how do I get the data out of the enclave?

 

0 Kudos
10 Replies
Hoang_N_Intel
Employee
517 Views

Getting the secret out of the enclave is very similar to printing the hash from the enclave in that example. You need to provide an OCALL to receive the secret from the application and an ECALL into the enclave to get the secret.

Here is an updated EDL file for that example:

enclave {
    trusted {
        public void store_secret([in, string] char *msg);
        public int print_hash([out] sgx_status_t *error);  
        public void get_secret();
    };
 
    untrusted {
        void o_print_hash([in] unsigned char hash[32]);    
        void ocall_print_secret([in, string] const char *str);
    };
};
Here is a simple implementation to illustrate that concept:
In the enclave:
char secret[MAX_MSG_LEN];
...
void get_secret()
{
   ocall_print_secret(secret);
}
and in the app:
void ocall_print_secret(const char *str)
{
   printf("%s", str);
}
Please note that this code is for demonstration purpose only.
 

 

 
 
 
OvalPiston
Beginner
517 Views

That doens't show the secret. It all compiles, but calling it doesn't show the secret.

 

The 'Enclave_u.c' file already has a function: sgx_status_t get_secret(sgx_enclave_id_t eid, char* out)

Since the above code won't work, could this be used?

Hoang_N_Intel
Employee
517 Views

I assume that get_secret that you have here is an ECALL. You will need to provide the OCALL to return the secret back.

Is it possible that you can zip and post your complete project here?

Thanks,

Hoang

OvalPiston
Beginner
517 Views

I took the code is from the SGX First App sample code, then added only your comments above. See attached ZIP file containing two .cpp files and .edl file. 

Hoang_N_Intel
Employee
517 Views

There is an error in the main app. The ECALL is used to call into the Enclave and the OCALL is used to call from the Enclave back to the app. You just need to simply replace the OCALL in your main app ( ocall_print_secret(out); ) by the ECALL function of get_secret( eid ) ;

The code fragment in your main should be like this:

 ...

if (status != SGX_SUCCESS) {fprintf(stderr, "ECALL: store_secret: 0x%08x\n", status);Exit(1);}

get_secret(eid);

status = print_hash(eid, &rv, &enclave_error);

Please give it a try and let us know.

Thanks,

Hoang

OvalPiston
Beginner
517 Views

Ok, I understand ecalls and ocalls, and get_secret(eid) as above ran successfully, but still doesn't return value stored in secret[MAX_MSG_LEN] in the enclave.cpp.

I'm confused. How do we get chars to return to the calling function in SGX First App? Or any string back to the calling app, for that matter, from the enclave code?

And does 'Enclave_u.c' get built each time a recompile is done? Do we need to modify that file too?

Hoang_N_Intel
Employee
517 Views

First of all, I ran the example with the code that you provided and it displays the secret string of "password"

Here is the output that I see:

password
SHA-256 hash of your secret (including the newline) is:
5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8

Verify this hash by entering your secret in an online SHA256
calculator such as:

  http://passwordsgenerator.net/sha256-hash-generator/
  http://www.xorbin.com/tools/sha256-hash-calculator

(Don't forget to include the trailing newline!)
Press ENTER to exit...

Please update your OCALL to this and let me know whether you can see it or not

void ocall_print_secret(const char *str)
{
   printf("DEBUG: %s", str);
}

Here are the answers to your questions:

How do we get chars to return to the calling function in SGX First App? Or any string back to the calling app, for that matter, from the enclave code?

These are just standard C parameters that you can have as many as you need in your function.

And does 'Enclave_u.c' get built each time a recompile is done? Do we need to modify that file too?

Anything that is under "Generated files" folder in Visual Studio is automatically regenerated
and you should not modify them.
For example, Enclave_u.h and Enclave_u.cpp in the untrusted app
and Enclave_t.h and Enclave_t.cpp in the trusted Enclave should not be modified.

 

 

 

 

OvalPiston
Beginner
517 Views

Attached is the output. There is no showing of the secret string "password".

You must have different source than I have.

Hoang_N_Intel
Employee
517 Views

Can you zip and upload the entire solution? I'd like to run it as is and look at your project settings as well. Thanks.

Hoang_N_Intel
Employee
517 Views

This issue has been resolved. The untrusted app just needs to make the ECALL as I indicated in previous posting.

Reply