This super duper minimal Intel SGX example is based on the sample code from the Intel SGX for Linux Repository [1].
Do not expect the code in this repository to be secure, it's just experimental!
- The application initializes an enclave.
- The application performs an enclave call to securely compute the first ten fibonacci numbers inside the enclave.
- The application destroys the enclave.
- The application prints the computed fibonacci numbers to the standard output.
Yeah, it's completely pointless :D
To be able to make with mitigations there exit two requirements:
- gcc >= 7.3
- Lates GNU Binutils (tip of the master branch in the official GNU Binutils source repo). Alternatively you can donwload a subset of the Binutil and move them to
/usr/local/bin.
This section is from the Intel SGX for Linux Repository [1].
Install Intel(R) SGX SDK for Linux* OS
Make sure your environment is set:
$ source ${sgx-sdk-install-path}/environmentBuild the project with the prepared Makefile:
Hardware Mode, Debug build:
Enclave with no mitigation:
$ makeEnclave with mitigations for indirects and returns only:
$ make MITIGATION-CVE-2020-0551=CFEnclave with full mitigation:
$ make MITIGATION-CVE-2020-0551=LOAD
Hardware Mode, Pre-release build:
Enclave with no mitigation:
$ make SGX_PRERELEASE=1 SGX_DEBUG=0Enclave with mitigations for indirects and returns only:
$ make SGX_PRERELEASE=1 SGX_DEBUG=0 MITIGATION-CVE-2020-0551=CFEnclave with full mitigation:
$ make SGX_PRERELEASE=1 SGX_DEBUG=0 MITIGATION-CVE-2020-0551=LOAD
Hardware Mode, Release build:
Enclave with no mitigation:
$ make SGX_DEBUG=0Enclave with mitigations for indirects and returns only:
$ make SGX_DEBUG=0 MITIGATION-CVE-2020-0551=CFEnclave with full mitigation:
$ make SGX_DEBUG=0 MITIGATION-CVE-2020-0551=LOAD
Simulation Mode, Debug build:
$ make SGX_MODE=SIMSimulation Mode, Pre-release build:
$ make SGX_MODE=SIM SGX_PRERELEASE=1 SGX_DEBUG=0Simulation Mode, Release build:
$ make SGX_MODE=SIM SGX_DEBUG=0
Execute the binary directly:
$ ./secure_fibonacciRemember to "make clean" before switching build mode
See also the Intel SGX SDK for Linux Developer Reference [2].
openssl genrsa -out private_key.pem -3 3072
This section is from the Intel SGX for Linux Repository [1].
TCSMaxNum, TCSNum, TCSMinPool
These three parameters will determine whether a thread will be created dynamically when there is no available thread to do the work.
StackMaxSize, StackMinSize
For a dynamically created thread, StackMinSize is the amount of stack available once the thread is created and StackMaxSize is the total amount of stack that thread can use. The gap between StackMinSize and StackMaxSize is the stack dynamically expanded as necessary at runtime.
For a static thread, only StackMaxSize is relevant which specifies the total amount of stack available to the thread.
HeapMaxSize, HeapInitSize, HeapMinSize
HeapMinSize is the amount of heap available once the enclave is initialized.
HeapMaxSize is the total amount of heap an enclave can use. The gap between HeapMinSize and HeapMaxSize is the heap dynamically expanded as necessary at runtime.
HeapInitSize is here for compatibility.
| [1] | (1, 2, 3) https://github.com/intel/linux-sgx |
| [2] | https://01.org/intel-softwareguard-extensions |
All Intel code is licensed under BSD (find the license here).