Files
This branch is 28 commits behind sslab-gatech/opensgx:master.
user
Folders and files
| Name | Name | Last commit date | ||
|---|---|---|---|---|
parent directory.. | ||||
OPENSGX USER-LEVEL DESIGN
# Start-up process
a. Init : Reserve memory for EPC pages
QEMU init
Stack init
b. Create Launch Enclave : syscall_create_enclave()
0. Enclave measurements
- Perform the same steps as step 1 - 3.
- Compute the measurements (enclave identiy).
- Clear the allocated epc pages.
1. ECREATE (in alloc_secs)
- allocate secs
- set secs (base addr, enclave size)
Note: base addr is equal to the secs addr by design.
- set secinfo
- set pageinfo
- call ECREATE
2. Add TCS Page
- set up tcs.
- Use EADD to add the page.
3. Add REG Pages
- Add REG pages with entry point provided.
- Use EADD to add pages.
4. Add stack frames
- Add stack frames (REG pages)
- Use EADD to add pages. (allocate epc pages)
c. Current settings
- Total epc size:
- Default enclave size:
- Total stack size:
- Stack per thread size:
d. ECP Memory layout
- Consider the case of adding one enclave.
=========================================
EPC Addr Begin
=========================================
Launch Enclave SECS Page(s)
TCS Page(s)
REG Page(s)
Stack Frames
=========================================
Enclave 1 SECS Page(s)
TCS Page(s)
REG Page(s)
Stack Frames
=========================================
Free EPC Pages
=========================================
EPC Addr End
=========================================
e. Enclave design
- Enclave size: secs->size
- Baseaddr: secs->baseaddr
- Measurement: secs->mrEnclave
- Signature: secs->mrSigner
- Control entry point: tcs->oentry (relative to baseaddr)
- SSA Offet: tcs->ossa (relative to baseaddr)
- FS section: tcs->ofsbasgx ~ tcs->obsbasgx + tcs->fslimit (relative to baseaddr)
- GS section: tcs->ogsbasgx ~ tcs->ogsbasgx + tcs->gslimit (relative to baseaddr)
f. Security features
- Enclave signature: sigstruct.signature == secs.mrsigner
- Signature generated from sigstruct
- Signed field: HEADER, VENDOR, DATE, HEADER2, SWDEFINFO,
RESERVED, MISCSELECT*, MISCMASK*, RESERVED2,
ATTRIBUTE, ATTRIBUTEMASK, ENCLAVEHASH, RESERVED3,
ISVPROID, ISVSVN
- Enclave measurement: sigstruct.enclavehash == secs.mrenclave
- Before execute EINIT, EEXTEND is used to measure enclave and update the
sec.mrenclave vaule.
g. Customized ssl library
- Based on openssl
- Changing standard library calls into sgx ABI calls to put and run them inside the enclave
- Library repackaging
$ cd user/openssl
$ ./config no-comp no-asm no-shared no-hw no-engines no-threads no-dso
$ make
- After get libcrypto.a (customized openssl for sgx), compile and use ssl library functions
(See tp/README or tor/README)
h. local attestation
- Based on polarssl (modified polarssl, user/polarssl_sgx)
- Changing standard library calls into sgx ABI calls to put and run them inside the enclave
- For execution, see test/simple-challenger, test/simple-quotingEnclave, and test/simple-targetEnclave.