SGX Developer Reference for Linux

# 1. Introduction

## SGX Technology Overview
 - SGX has a hard limit on the protected memory size,typically 64M or 128M. the number of activeted enclaves is limited
 
## SGX Security Properties
 - SGX aim to protect against software attacks
    - the enclave memory cannot be read or written from outside the enclave
    - An enclave can be created with a debug attribute that allows a special debugger to view its content like a standard debugger
 - SGX aim to protect against known hardware attacks
    - the enclave memory is encrypted using industry-standard encryption algorithms with replay protection(enclave的内存用工业级的加密算法加密，可以重放保护)
    - Tapping the memory or connecting the DRAM modules to another system will only give access to encrypted data
    - the memory encryption key changes every power cycle randomly,stored within CPU and it is not accessible
 
## Application Design Considerations
An SGX application design is different from non-SGX application,as it requires dividing the application into two logical components:
 
- Trusted componet(enclave)
- Untrusted component(include all its modules)
 
## Setting up an SGX Project

### Creating SGX Projects
follow the directory structure and Makefiles from one of the sample application in the SGX SDK.
you should prepare the following files:

1. Enclave Definition Language(EDL) file
 2. Enclave Configuration File(ECF)-contains the information of the enclave metadata.
 3. Signing key files--used to sign an enclave to produce a signature structure that contains enclave properties such as enclave measurement.
 4. Application and enclave source code--the implementation of application and enclave functions
 5. makefile--it performs the following steps:
    ```
    1.Generates edger routines
    2.Builds the application and enclave
    3.Signs the enclave
    ```

6. Linker script file -- you should use the linker script to hide all unnecessary symbols,and only export enclave_entry,g_global_data,and g_global_data_sim
 
> Enclave.config.xml

```
<EnclaveConfiguration>
  <ProdID>0</ProdID>
  <ISVSVN>0</ISVSVN>
  <StackMaxSize>0x40000</StackMaxSize>
  <HeapMaxSize>0x100000</HeapMaxSize>
  <TCSNum>10</TCSNum>
  <TCSPolicy>1</TCSPolicy>
  <DisableDebug>0</DisableDebug>
  <MiscSelect>0</MiscSelect>
  <MiscMask>0xFFFFFFFF</MiscMask>
</EnclaveConfiguration>
```

> Enclave.edl
```
/* Enclave.edl - Top EDL file. */

enclave {
    
    include "user_types.h" /* buffer_t */

/* Import ECALL/OCALL from sub-directory EDLs.
     *  [from]: specifies the location of EDL file. 
     *  [import]: specifies the functions to import, 
     *  [*]: implies to import all functions.
     */
    
    from "Edger8rSyntax/Types.edl" import *;
    from "Edger8rSyntax/Pointers.edl" import *;
    from "Edger8rSyntax/Arrays.edl" import *;
    from "Edger8rSyntax/Functions.edl" import *;

from "TrustedLibrary/Libc.edl" import *;
    from "TrustedLibrary/Libcxx.edl" import ecall_exception, ecall_map;
    from "TrustedLibrary/Thread.edl" import *;

/* 
     * ocall_print_string - invokes OCALL to display string buffer inside the enclave.
     *  [in]: copy the string buffer to App outside.
     *  [string]: specifies 'str' is a NULL terminated buffer.
     */
    untrusted {
        void ocall_print_string([in, string] const char *str);
    };

};
```
> Enclave.lds

```
enclave.so
{
    global:
        g_global_data_sim;
        enclave_entry;
    local:
        *;
};

```
> Enclave_private.pem(加密key？)

信息安全从业人员^_^

导航

最近发表

友情链接