Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.
1484 Discussions

Ecall invocation from a remote enclave fails

Daniel_ˢᵍˣ
New Contributor I
‎08-10-2022 11:00 AM
1,554 Views
Solved Jump to solution

Hello,

 

I have a lib project that generates an enclave.signed.so and an app project that loads that .so using sgx_create_enclave_from_buffer_ex. The enclave is loaded successfully. However, when I attempt to invoke ecalls this fails.

 

I created a hello world to demo the problem: https://github.com/andrade/create-from-buffer-hello

 

I imagined sgx_create_enclave_from_buffer_ex would work similarly to dlopen and allow this scenario. Am I doing something wrong? Is this not possible with SGX?

 

 

* Right now this is all done locally but the endgame is having a server that can load client enclaves on request and invoke a well-defined API which all clients implement (clients may have other ecalls/ocalls which the server does not care about and ignores).

Labels (1)
Labels:
0 Kudos
1 Solution
Daniel_ˢᵍˣ
New Contributor I
‎09-01-2022 02:28 PM
1,403 Views
Solved Jump to solution

Finally got it working.

Library generates enclave.signed.so and untrusted.so. Then application creates enclave from enclave.signed.so and loads untrusted.so using dlopen.

I wasn't generating untrusted code and passing it to the app which was causing the problem. I usually don't do this when I have no ocalls but in this case it won't work without it.

I've also updated the repository with the example I posted above, in case someone else needs it, since there is no other code using sgx_create_enclave_from_buffer_ex at the moment as far as I could find.

View solution in original post

0 Kudos
Copy link

Link Copied

5 Replies
Sahira_Intel
Moderator
‎08-15-2022 04:17 PM
1,509 Views
Solved Jump to solution

Hi,

This is probably because the empty trusted enclave function gets compiled out. It should work if you put something in the enclave (it can be something simple like returning a value).


https://github.com/andrade/create-from-buffer-hello/blob/a5beed8111c5e5ec030d1f830635e80f83834a93/lib/enclave.c#L9



Sincerely,

Sahira




















0 Kudos
Copy link
Daniel_ˢᵍˣ
New Contributor I
‎08-16-2022 08:16 AM
1,502 Views
Solved Jump to solution
In response to Sahira_Intel

Hello. Thank you for your reply.

 

I've tried with a non-empty ecall but it still fails with the same error.

 

https://github.com/andrade/create-from-buffer-hello/blob/fa2279b65cf0c3b9c329450c613847a47238fcc3/lib/enclave.c#L14

In response to Sahira_Intel
0 Kudos
Copy link
Sahira_Intel
Moderator
‎08-23-2022 11:46 AM
1,465 Views
Solved Jump to solution

Hi,

Can you send the errors you are getting? 

Sincerely,

Sahira

0 Kudos
Copy link
Daniel_ˢᵍˣ
New Contributor I
‎08-25-2022 06:15 AM
1,438 Views
Solved Jump to solution
In response to Sahira_Intel

Hello,

 

Library

The library that generates the enclave.signed.so has an ecall public int ecall_two(int n).

 

Application

When I invoke the application I get the error:

$ ./app_ex
./app_ex: symbol lookup error: ./app_ex: undefined symbol: ecall_two

But this happens when using -rdynamic in the makefile (I don't need it, was just trying to find a way to solve the problem).

Without -rdynamic the error is:

$ ./app_ex
Loads remote enclave using sgx_create_enclave_from_buffer_ex
sgx_create_enclave: success
Segmentation fault (core dumped)

 

In response to Sahira_Intel
0 Kudos
Copy link
Daniel_ˢᵍˣ
New Contributor I
‎09-01-2022 02:28 PM
1,404 Views
Solved Jump to solution

Finally got it working.

Library generates enclave.signed.so and untrusted.so. Then application creates enclave from enclave.signed.so and loads untrusted.so using dlopen.

I wasn't generating untrusted code and passing it to the app which was causing the problem. I usually don't do this when I have no ocalls but in this case it won't work without it.

I've also updated the repository with the example I posted above, in case someone else needs it, since there is no other code using sgx_create_enclave_from_buffer_ex at the moment as far as I could find.

0 Kudos
Copy link
Reply

Community support is provided Monday to Friday. Other contact methods are available here.

Intel does not verify all solutions, including but not limited to any file transfers that may appear in this community. Accordingly, Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade.

For more complete information about compiler optimizations, see our Optimization Notice.