Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

sgx enclave without debug

itsNick
Beginner
1,428 Views

Hello community!

I have a laptop with an i7 7700HQ CPU that doesn't support FLC. I'm just studying how SGX works for educational purposes (I have to write the thesis about it) and I wanted to try some example code using all SGX capabilities, so without the debug option enabled. So I tried to launch the SealUnseal example in pre-release (I set the disable debug flag to 1, passed 0 as the second parameter of sgx_create_enclave and ran the makefile with these options: SGX_PRERELEASE=1 SGX_DEBUG=0 SGX_MODE=HW), but when I launch the app it gives me the 0x4004 error code. Does it mean that I have to get the enclave signed by Intel as if it were in release mode? Is there any way to launch an enclave not in debug mode without needing to ask Intel to sign my enclave?

0 Kudos
1 Solution
Sahira_Intel
Moderator
1,400 Views

Hi,

You cannot launch the enclave in non-debug mode (also called production mode) without Intel signing the enclave.

You were getting the 4004 error code because the enclave was not authorized to run. You cannot pass 0 as the second parameter of SGX_CREATE_ENCLAVE unless the enclave was signed by Intel.

To run in Pre-Release mode, you only need to run the makefile with the following options: SGX_PRERELEASE=1 SGX_DEBUG=0 SGX_MODE=HW. The DisableDebug flag in the enclave config file must remain 0 when running in Pre-release mode. Change the SGX_DEBUG_FLAG to 0 only when you are running your enclave in production mode, signed by Intel.

Read Intel SGX Build Configurations for more details.

In summary, to run in PRE-RELEASE mode:

  1. Set DisableDebug 0 in enclave.config.xml
  2. Call sgx_create_enclave with SGX_DEBUG_FLAG as the second argument (do not set it to 0). The value of SGX_DEBUG_FLAG is determined by macros in the makefile set by the SGX_PRERELEASE and SGX_DEBUG flags.
  3. make SGX_PRERELEASE=1 SGX_DEBUG=0

NOTE: In the enclave config file, DisableDebug must remain 0 for all non-Production modes. Set DisableDebug to 1 when the enclave is ready to be signed by Intel and run in Production mode.


I hope this information is helpful.


Sincerely,

Sahira



0 Kudos
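The rules in the accepted answer can be checked before building. The following Python check is an added example, not part of the thread or of Intel's SDK; the function names, the constructed sample XML, and the mapping from build mode to the NDEBUG/EDEBUG macros that decide SGX_DEBUG_FLAG are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed enclave.config.xml; only DisableDebug matters for this check.
SAMPLE_CONFIG = """<EnclaveConfiguration>
  <ProdID>0</ProdID>
  <ISVSVN>0</ISVSVN>
  <DisableDebug>0</DisableDebug>
</EnclaveConfiguration>"""

# Assumption: macros each build mode passes to the compiler.
MODE_MACROS = {"debug": {"DEBUG"}, "prerelease": {"NDEBUG", "EDEBUG"}, "release": {"NDEBUG"}}

def build_mode(sgx_debug, sgx_prerelease):
    """Map the make variables SGX_DEBUG / SGX_PRERELEASE to a build mode."""
    if sgx_debug and sgx_prerelease:
        raise ValueError("SGX_DEBUG=1 and SGX_PRERELEASE=1 cannot be combined")
    if sgx_debug:
        return "debug"
    return "prerelease" if sgx_prerelease else "release"

def sgx_debug_flag(mode):
    """Assumption: SGX_DEBUG_FLAG is 1 unless NDEBUG is defined without EDEBUG."""
    macros = MODE_MACROS[mode]
    return 1 if "NDEBUG" not in macros or "EDEBUG" in macros else 0

def check(config_xml, sgx_debug, sgx_prerelease, create_arg="SGX_DEBUG_FLAG", intel_signed=False):
    """Return the list of rule violations; an empty list means the settings agree."""
    mode = build_mode(sgx_debug, sgx_prerelease)
    disable_debug = int(ET.fromstring(config_xml).findtext("DisableDebug", default="0"))
    # The second argument of sgx_create_enclave: the macro, or a hard-coded literal.
    arg = sgx_debug_flag(mode) if create_arg == "SGX_DEBUG_FLAG" else int(create_arg)
    problems = []
    if mode == "release" and intel_signed:  # Production mode
        if disable_debug != 1:
            problems.append("Production: set DisableDebug to 1")
        if arg != 0:
            problems.append("Production: debug argument should be 0")
    else:
        if disable_debug != 0:
            problems.append("DisableDebug must remain 0 outside Production mode")
        if arg == 0:
            problems.append("debug argument 0 requires an Intel-signed enclave")
    return problems

if __name__ == "__main__":
    # The original poster's setup: pre-release build, DisableDebug=1, literal 0 passed.
    bad = SAMPLE_CONFIG.replace("<DisableDebug>0", "<DisableDebug>1")
    print(check(bad, sgx_debug=0, sgx_prerelease=1, create_arg="0"))
    print(check(SAMPLE_CONFIG, sgx_debug=0, sgx_prerelease=1))
```

A release build of an enclave that Intel has not signed is also reported, because SGX_DEBUG_FLAG evaluates to 0 in that mode.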
4 Replies
Sahira_Intel
Moderator
1,382 Views

Hi,


Just following up to see if you resolved this issue?


Sincerely,

Sahira


0 Kudos
itsNick
Beginner
1,371 Views

Yes, it definitely solved my issue, thank you very much!

Just to know, how long does it take for Intel to sign my enclave?

0 Kudos
JesusG_Intel
Moderator
1,357 Views

Hello itsNick,


The Commercial Licensing FAQ, which we recommend reading entirely, states:


How long does it typically take Intel to review and disposition a commercial use license agreement request?

Intel treats requests for establishing a commercial use license agreement as a high priority and will work with you to establish an estimated timeframe for completion once we receive the details of your application. Please note that the actual time to disposition a request depends on the volume of requests being received, the accuracy of the information provided, and responsiveness to any follow-up / clarifications that may be needed.


Also, read Register Your Production Enclave.


Sincerely,

Jesus G.

Intel Customer Support


0 Kudos