2

Can we write code inside an SGX enclave which executes Linux commands like the ones below?

cryptsetup
ln

I want to add some encryption code inside an SGX enclave. How do I do file I/O inside an enclave?

Rajendra

2 Answers

2

Yes, but there might be a lot of migration effort involved.

Code executing inside of an enclave is not allowed to execute certain instructions. Most importantly, the syscall instruction is not allowed, meaning you are unable to use services of the OS directly. If you use Intel's SGX SDK to move the code of cryptsetup or ln into an enclave, the program would terminate with SIGILL, indicating an illegal instruction, as soon as it requested an OS service like opening a file (assuming here it would compile).

To make the code work with Intel's SDK you could use so-called OCALLs to exit the enclave and request the OS service outside.

Some research works (Graphene, SCONE, Haven) listed on Intel's SGX website take away the migration burden with a generic system call forwarding mechanism. They catch the system calls inside of the enclave, transfer them to the outside and execute them.

fzgregor
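The OCALL pattern described in the answer above, as an added example that is not part of the original post and is not Intel SDK code: a plain-C model of the enclave boundary, in which the trusted function performs no I/O itself and bounds-checks what the untrusted host returns. All function names and the file name are hypothetical; a real enclave would declare the OCALL in an EDL file and call the SDK-generated stub.

```c
/* Plain-C model of the OCALL pattern. No SGX SDK is used, so there is no real isolation. */
#include <stdint.h>
#include <stdio.h>

/* Hypothetical OCALL signature: the host fills buf and reports the length. */
typedef int (*ocall_read_fn)(const char *path, uint8_t *buf, size_t cap, size_t *out_len);

/* Untrusted side: runs outside the enclave, so OS services (fopen/fread) work. */
int host_read_file(const char *path, uint8_t *buf, size_t cap, size_t *out_len) {
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    *out_len = fread(buf, 1, cap, f);
    fclose(f);
    return 0;
}

/* Constructed misbehaving host: reports more bytes than the buffer holds. */
int lying_host_read_file(const char *path, uint8_t *buf, size_t cap, size_t *out_len) {
    (void)path; (void)buf;
    *out_len = cap + 4096;
    return 0;
}

/* Trusted side (stands in for an ECALL): all I/O goes through the OCALL, and the
 * host-supplied status and length are validated before the data is touched.
 * Returns the byte sum of the file contents, or -1 on any failure. */
long enclave_checksum_file(ocall_read_fn ocall, const char *path) {
    uint8_t buf[256];
    size_t len = 0;
    if (ocall(path, buf, sizeof buf, &len) != 0) return -1;
    if (len > sizeof buf) return -1;  /* never trust a length from outside */
    long sum = 0;
    for (size_t i = 0; i < len; i++) sum += buf[i];
    return sum;
}

/* Demo helper: creates the constructed sample file from the untrusted side. */
int write_sample(const char *path, const char *text) {
    FILE *f = fopen(path, "wb");
    if (!f) return -1;
    fputs(text, f);
    return fclose(f);
}

int main(void) {
    write_sample("sgx_ocall_demo.txt", "abc");
    printf("%ld\n", enclave_checksum_file(host_read_file, "sgx_ocall_demo.txt"));
    printf("%ld\n", enclave_checksum_file(lying_host_read_file, "sgx_ocall_demo.txt"));
    return 0;
}
```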
0

It is not allowed to run any Linux commands inside an enclave. Even though we implement our own cryptsetup inside an enclave, there are some OS calls from the cryptsetup source, so it is of no use using SGX for this particular case.

Please find the complete answer to the above question on the Intel SGX forum.

Rajendra
  • Please include in your answer a summary of the contents of the link. This ensures that a) future readers know whether following the link is worthwhile and the information is likely to be applicable to their problem; and b) there is some value to the answer even if the external link becomes inaccessible, permanently or temporarily. – IMSoP Feb 07 '17 at 09:58