Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

Getting quote inside enclave

AlvaroL
Beginner

Hi,

I am trying to generate an ECDSA quote inside an enclave to attest it, but when using the library indicated in the SGX Developer Reference for Linux, the generated enclave (enclave.so) becomes invalid.

I have been reading the document and it says: "An enclave shared object must not depend on any dynamically linked library in any way. The enclave loader has been intentionally designed to prohibit dynamic linking of libraries within an enclave."

If the document claims the function to be called is sgx_get_quote_ex, which is in sgx_quote_ex_sim (to use simulation), and prohibits using dynamic libraries within the enclave, how can the quote be generated? Wouldn't using the library required to generate a quote outside the enclave defeat the whole purpose of SGX?
In case it changes anything, I am using the following:

  • Linux
  • SGX 2.22
  • Running in simulation mode
Wojciech_M_Intel
Moderator

Hi,

Simulation mode was created to help develop applications; you can even use it on non-SGX processors. All of the functions that would use SGX will return fake generated values. You are not inside an SGX enclave when using simulation mode.

The architecture requires that all the functionality inside an enclave is statically linked in at build time. Hardware and debug mode libraries are different from simulation mode libraries.

Regards,
Wojtek

AlvaroL
Beginner

I know the developer reference document explicitly says that dynamic libraries cannot be used inside the enclave; even then, that same document says that sgx_get_quote requires libsgx_epid.so, whereas sgx_get_quote_ex requires libsgx_quote_ex.so.

I do not know if I am not understanding it correctly, but as both of them are dynamic libraries, they cannot be loaded into the enclave, so would the functions be called from within the untrusted part of the application?

As for the other part, regarding the simulation mode and libraries, when I tried to generate a quote, I did get that there was an attestation key; however, it seemed the sgx_att_key_id_ext_t returned by sgx_select_att_key_id was, as you said, a fake one. Would it still be possible to generate a quote, even a fake one, or would using the fake key result in an error in one of the functions required before generating the quote?

Thank you and best wishes,

AlvaroL

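Added example, not from this thread and not the SGX SDK's own sample Makefile: a link-step fragment showing the split the Developer Reference describes, with libsgx_quote_ex(_sim).so linked into the untrusted application and the enclave linked fully static from the trusted archives only. It assumes the SDK lives at /opt/intel/sgxsdk, the usual App/ and Enclave/ layout, that the object files and the edger8r-generated Enclave_u/Enclave_t stubs are already compiled, and that Enclave/Enclave.lds, Enclave/Enclave.config.xml and a test signing key exist.

```makefile
# Added example (not from this thread or the SDK samples). Assumed layout:
# App/App.o, App/Enclave_u.o, Enclave/Enclave.o, Enclave/Enclave_t.o already
# built with the SDK's usual compiler flags; edger8r stubs already generated.
SGX_SDK  ?= /opt/intel/sgxsdk
# SIM (what the thread uses) or HW
SGX_MODE ?= SIM
SGX_LIBRARY_PATH := $(SGX_SDK)/lib64

# Simulation mode swaps in the *_sim variants on BOTH sides of the boundary;
# hardware mode uses the real uRTS/tRTS and the untrusted side talks to AESM/QE.
ifeq ($(SGX_MODE),HW)
  Urts_Library_Name    := sgx_urts
  Trts_Library_Name    := sgx_trts
  Service_Library_Name := sgx_tservice
  Quote_Library_Name   := sgx_quote_ex
else
  Urts_Library_Name    := sgx_urts_sim
  Trts_Library_Name    := sgx_trts_sim
  Service_Library_Name := sgx_tservice_sim
  Quote_Library_Name   := sgx_quote_ex_sim
endif

# Untrusted application: sgx_select_att_key_id / sgx_init_quote_ex /
# sgx_get_quote_ex are called HERE, so the quote .so is linked here, dynamically.
App_Link_Flags := -L$(SGX_LIBRARY_PATH) -l$(Urts_Library_Name) -l$(Quote_Library_Name) -lpthread

app: App/App.o App/Enclave_u.o
	$(CXX) $^ -o $@ $(App_Link_Flags)

# Enclave: no libc, no default libs, every symbol resolved at link time from the
# trusted static archives. The enclave only needs sgx_create_report() (in tRTS)
# against the QE target info the app passes in; it never links the quote library.
# --no-undefined turns a stray reference to an untrusted .so into a build error.
Enclave_Link_Flags := -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles \
	-L$(SGX_LIBRARY_PATH) \
	-Wl,--whole-archive -l$(Trts_Library_Name) -Wl,--no-whole-archive \
	-Wl,--start-group -lsgx_tstdc -lsgx_tcxx -lsgx_tcrypto -l$(Service_Library_Name) -Wl,--end-group \
	-Wl,-Bstatic -Wl,-Bsymbolic -Wl,-pie,-eenclave_entry -Wl,--export-dynamic \
	-Wl,--defsym,__ImageBase=0 -Wl,--gc-sections \
	-Wl,--version-script=Enclave/Enclave.lds

enclave.so: Enclave/Enclave.o Enclave/Enclave_t.o
	$(CXX) $^ -o $@ $(Enclave_Link_Flags)

# Signing produces the loadable image; a test key is fine for SIM / debug builds.
enclave.signed.so: enclave.so
	$(SGX_SDK)/bin/x64/sgx_sign sign -key Enclave/Enclave_private_test.pem \
		-enclave enclave.so -out $@ -config Enclave/Enclave.config.xml
```

A quick check that the enclave really is static: `ldd enclave.signed.so` should report no shared-library dependencies, while `ldd app` lists libsgx_quote_ex_sim.so (or libsgx_quote_ex.so in HW mode).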