The Intel(R) Software Guard Extensions (Intel(R) SGX) Protected Code Loader (PCL) is intended to protect Intellectual Property (IP) within the code for Intel(R) SGX enclave applications running on the Linux* OS.
Problem: Intel(R) SGX provides integrity of code and confidentiality and integrity of data at run-time. However, it does NOT provide confidentiality of code offline as a binary file on disk. Adversaries can reverse engineer the binary enclave shared object.
Solution: The enclave shared object (.so) is encrypted at build time. It is decrypted at enclave load time.
Intel(R) Software Guard Extensions Protected Code Loader for Linux* OS (Intel(R) SGX PCL) provides:
- sgx_encrypt: A tool to encrypt the shared object at build time
- libsgx_pcl.a: A library that is statically linked to the enclave and enables the decryption of the enclave at load time
- Sample code which demonstrates how the tool and lib need to be integrated into an existing enclave project.
Relation to Intel(R) SGX SDK, Intel(R) SGX PSW and Intel(R) SGX Driver:
The Intel(R) SGX PCL project is an add-on to the linux-sgx-sdk project which hosts the Intel(R) SGX SDK and Intel(R) SGX PSW.
The linux-sgx-driver project hosts the out-of-tree driver for the Linux* Intel(R) SGX software stack, which will be used until the driver upstreaming process is complete.
See License.txt for details.
See CONTRIBUTING.md for details.
See more elaborate documentation at Intel(R) SGX Protected Code Loader for Linux User Guide.
Follow the instructions in the linux-sgx-sdk project to build and install the Intel(R) SGX PSW and Intel(R) SGX SDK, branches sgx_2.0 or sgx_2.1.
Note: Current Intel(R) SGX PCL supports branches sgx_2.0 or sgx_2.1 of the Intel(R) SGX PSW and Intel(R) SGX SDK.
Note: Non-simulation build flavors require the platform to be Intel(R) SGX enabled (CPU and BIOS).
Follow the instructions in the linux-sgx-driver project to build and install the Intel(R) SGX driver.
Note: Installing the driver requires the platform to be Intel(R) SGX enabled (CPU and BIOS).
Note: Enclave writer must verify that the Intel(R) SGX SDK SampleCode/SampleEnclave successfully builds and runs on the enclave writer's platform in both simulation mode and HW mode (if HW supports Intel(R) SGX) before the modifications required for Intel(R) SGX PCL are applied. This will decrease the number of failures wrongly associated with Intel(R) SGX PCL.
The build time encryption tool does not use the default OpenSSL version. It uses a newer version (1.1.0g), which must be downloaded and built.
Download OpenSSL 1.1.0g from: https://www.openssl.org/source/
Build instructions: (https://wiki.openssl.org/index.php/Compilation_and_Installation)
$ ./config
$ make
Note: Intel® SGX PCL does not require installing OpenSSL 1.1.0g (which could possibly result in overriding the distro’s default). Intel® SGX PCL only uses the headers and generated shared objects.
Install git. git is used to apply a patch file to the Intel(R) SGX PSW and Intel(R) SGX SDK.
Apply the required modifications to Intel(R) SGX PSW and Intel(R) SGX SDK source files using the supplied git patch.
$ cd <linux-sgx>
where <linux-sgx> is the home directory of Intel(R) SGX PSW and Intel(R) SGX SDK.
$ git apply <path_to_pcl_dir>/Tools/sgx.psw.sdk.2.1.git.diff
where <path_to_pcl_dir> is the path to the Intel(R) SGX PCL base directory (either full or relative).
Note: A git patch file can only be applied on a specific branch. Enclave writer must verify the patch is applied on the correct branch. When using Intel(R) SGX PSW and Intel(R) SGX SDK branch sgx_2.0 use sgx.psw.sdk.2.0.git.diff. When using branch sgx_2.1 use sgx.psw.sdk.2.1.git.diff.
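The branch check from the note above can be scripted. The following is an added example, not part of the Intel(R) SGX PCL sources: the function names pcl_patch_for_branch and pcl_apply_patch are hypothetical, and it assumes git 1.8.5 or later for the -C option.

```shell
# Added example (not part of the Intel(R) SGX PCL sources).
# Map an SDK branch to the patch file this README names for it.
pcl_patch_for_branch() {
    case "$1" in
        sgx_2.0) echo "sgx.psw.sdk.2.0.git.diff" ;;
        sgx_2.1) echo "sgx.psw.sdk.2.1.git.diff" ;;
        *) return 1 ;;
    esac
}

# Usage: pcl_apply_patch <linux-sgx> <path_to_pcl_dir>
pcl_apply_patch() {
    sdk_dir=$1
    pcl_dir=$2
    # A detached HEAD reports "HEAD" and is rejected below as unsupported.
    branch=$(git -C "$sdk_dir" rev-parse --abbrev-ref HEAD 2>/dev/null) || {
        echo "not a git work tree: $sdk_dir" >&2; return 1; }
    name=$(pcl_patch_for_branch "$branch") || {
        echo "no PCL patch for branch '$branch'" >&2; return 1; }
    # Resolve to an absolute path so a relative <path_to_pcl_dir> still
    # works once git operates inside the SDK tree.
    tools_dir=$(cd "$pcl_dir/Tools" 2>/dev/null && pwd) || {
        echo "missing $pcl_dir/Tools" >&2; return 1; }
    patch="$tools_dir/$name"
    if [ ! -f "$patch" ]; then
        echo "missing $patch" >&2; return 1
    fi
    # Dry run: --check tests whether the patch applies and changes nothing.
    git -C "$sdk_dir" apply --check "$patch" || {
        echo "$name does not apply cleanly to $branch" >&2; return 1; }
    git -C "$sdk_dir" apply "$patch"
}
```
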
Follow instructions at linux-sgx to uninstall and clean, then build and install the Intel(R) SGX PSW and Intel(R) SGX SDK.
- Set the Linux Intel(R) SGX PSW and Intel(R) SGX SDK home directory:
$ export SGX_SDK_SRCS=< sgx_psw_sdk_sources_home_dir >
where < sgx_psw_sdk_sources_home_dir > is the base directory of the Intel(R) SGX PSW and Intel(R) SGX SDK sources (that is, where the source files for Intel(R) SGX PSW and Intel(R) SGX SDK are located)
- Set the OpenSSL 1.1.0g shared object directory:
$ export OPENSSL_ROOT=< openssl_crypto_libraries_dir >
where < openssl_crypto_libraries_dir > is the full path to the directory where OpenSSL 1.1.0g libcrypto.so (or libcrypto.so.1.1 etc.) is located.
- Add to LD_LIBRARY_PATH the path to OpenSSL shared objects.
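$ export LD_LIBRARY_PATH=${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:}$OPENSSL_ROOT
Note: The ${LD_LIBRARY_PATH:+...} form adds the colon separator only when LD_LIBRARY_PATH is already set. A plain $LD_LIBRARY_PATH:$OPENSSL_ROOT on an empty variable leaves a leading empty entry, which the dynamic loader treats as the current working directory.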
- When separately building the encryption tool, Intel(R) SGX PCL trusted runtime library or sample enclave, set the Intel(R) SGX PCL root folder.
$ export PCL_DIR=< path_to_pcl_dir >
where < path_to_pcl_dir > is the full path to the main directory of Intel(R) SGX PCL (the folder which includes the subfolders Include, Common, Tools, etc.).
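A preflight check for the variables set in the steps above, to run before make. This is an added example, not part of the Intel(R) SGX PCL sources: pcl_check_env is a hypothetical name, and PCL_DIR is checked only when set because it is needed only for separate builds.

```shell
# Added example (not part of the Intel(R) SGX PCL sources).
_pcl_fail() { echo "pcl_check_env: $*" >&2; pcl_rc=1; }

# Returns 0 when the build environment matches the steps above, 1 otherwise.
pcl_check_env() {
    pcl_rc=0

    if [ ! -d "${SGX_SDK_SRCS:-}" ]; then
        _pcl_fail "SGX_SDK_SRCS does not point to a directory"
    fi

    # OPENSSL_ROOT must hold the locally built libcrypto.so (or .so.1.1 etc.).
    found=0
    if [ -n "${OPENSSL_ROOT:-}" ]; then
        for lib in "$OPENSSL_ROOT"/libcrypto.so*; do
            if [ -f "$lib" ]; then found=1; fi
        done
        # The loader finds that library only if the directory is listed.
        case ":${LD_LIBRARY_PATH:-}:" in
            *":$OPENSSL_ROOT:"*) ;;
            *) _pcl_fail "OPENSSL_ROOT is not listed in LD_LIBRARY_PATH" ;;
        esac
    fi
    if [ "$found" -eq 0 ]; then
        _pcl_fail "no libcrypto.so* found in OPENSSL_ROOT"
    fi

    # An empty entry (leading or trailing ':' or '::') makes the dynamic
    # loader search the current working directory for shared objects.
    if [ -n "${LD_LIBRARY_PATH:-}" ]; then
        case ":$LD_LIBRARY_PATH:" in
            *::*) _pcl_fail "empty entry in LD_LIBRARY_PATH" ;;
        esac
    fi

    # PCL_DIR must be the folder that contains Include, Common and Tools.
    if [ -n "${PCL_DIR:-}" ]; then
        for sub in Include Common Tools; do
            if [ ! -d "$PCL_DIR/$sub" ]; then
                _pcl_fail "PCL_DIR has no $sub subfolder"
            fi
        done
    fi
    return "$pcl_rc"
}
```
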
The following steps describe how to build the Intel(R) SGX PCL build time encryption tool and static library. Enclave writer can build the project according to the enclave writer's requirements.
- To build both Intel(R) SGX PCL encryption tool (sgx_encrypt) and Intel(R) SGX PCL statically linked library with default configuration, enter the following command:
$ make
The tool is generated at bin/x64 directory.
The static library is generated at lib64 directory.
- To build Intel(R) SGX PCL with debug information, enter the following command:
$ make DEBUG=1
- To clean the files generated by previous make command, enter the following command:
$ make clean
Note: It is also possible to enter either the Sources or Tools\Encryptip folders and use the make command to separately build the Intel(R) SGX PCL static library or build time encryption tool, respectively.
- To compile and run the sample, enter the following commands:
$ cd SampleCode/SampleEnclave
$ make
$ ./app
Note: See linux-sgx-sdk for instructions on building with debug information and / or building in simulation mode.
Note: Enclave writers are encouraged to compare the sample code to Intel(R) SGX SDK sample code as a demonstration of how the Intel(R) SGX PCL should be integrated into the enclave writer's project.