There are usually two types of builds that a regular non-SGX project defines:
SGX-enabled projects add to this the ability to build and test SGX-enabled applications on non-SGX platforms (or an emulator) using simulation libraries. This approach doubles the set of build types, creating four possible combinations. These combinations require different sets of compilation and linking flags and link against different libraries.
The non-debug hardware build is meant to produce production code, so it requires the most care when it is signed. Production enclaves require the Two Step signing schema, which involves an external signing facility that is not part of the Intel SGX SDK. The other configurations are not meant for production, but they have to be signed too. The simpler and more convenient Single Step schema is used for them.
Also for testing purposes, you might want to experiment with a non-production enclave built with release compilation and linking flags on a real SGX-enabled hardware platform. That would be an enclave built exactly as a production enclave, except for the signing process, which would be Single Step. To support building such an enclave, there is a hardware non-debug build configuration dubbed Prerelease.
So there are five SGX-related configurations when the SGX Nature is added to a project:
Intel(R) SGX Configurations
The following table summarizes the existing SGX configurations and relates them to compilation/linking flags (debug/non-debug) and signing schema (Single Step vs. Two Step):
Intel(R) SGX Configurations
Configuration Name | Simulation? | Debug? | Signing Schema |
---|---|---|---|
SGX Hardware Debug | Hardware | Debug | Single Step |
SGX Hardware Pre-release | Hardware | Non-debug | Single Step |
SGX Hardware Release | Hardware | Non-debug | Two Step |
SGX Simulation | Simulation | Non-debug | Single Step |
SGX Simulation Debug | Simulation | Debug | Single Step |
Intel® Software Guard Extensions Eclipse* Plug-in uses the standard GNU* make tool to build the trusted and the untrusted code, using the generated file sgx/Makefile.
This does not impose any restriction on the build tool chosen for the hosting project. Intel® Software Guard Extensions Eclipse* Plug-in uses its own build configurations, which do not interfere with the configurations that you might have in your project.
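
The mapping in the table above, written as a GNU make fragment (an added example, not the plug-in's generated sgx/Makefile). The SGX_MODE, SGX_DEBUG and SGX_PRERELEASE switches, the flag sets and the sgx_sign subcommands follow the Intel SGX SDK samples; the SDK path and file names are assumptions, and the compile and link rules that consume the selected flags and libraries are assumed to exist elsewhere in the Makefile.

```makefile
# Added example, not the plug-in's generated sgx/Makefile. Paths and file names are assumptions.
# Usage: make sign SGX_MODE=SIM SGX_DEBUG=1                  -> SGX Simulation Debug
#        make sign SGX_MODE=HW SGX_DEBUG=0 SGX_PRERELEASE=1  -> SGX Hardware Pre-release
SGX_SDK ?= /opt/intel/sgxsdk
SGX_MODE ?= HW
SGX_DEBUG ?= 1
SGX_PRERELEASE ?= 0
SGX_SIGN := $(SGX_SDK)/bin/x64/sgx_sign
ENCLAVE := enclave.so
CONFIG := Enclave.config.xml

ifeq ($(SGX_DEBUG)$(SGX_PRERELEASE),11)
$(error SGX_DEBUG and SGX_PRERELEASE are mutually exclusive)
endif

# Simulation builds link the *_sim runtime libraries; hardware builds link the real ones.
ifeq ($(SGX_MODE),HW)
URTS_LIB := sgx_urts
TRTS_LIB := sgx_trts
else
URTS_LIB := sgx_urts_sim
TRTS_LIB := sgx_trts_sim
endif

# Debug builds keep symbols and disable optimisation; all others use release flags.
# Pre-release defines EDEBUG: release flags, but the enclave can still be launched in debug mode.
ifeq ($(SGX_DEBUG),1)
SGX_COMMON_CFLAGS := -O0 -g -DDEBUG -UNDEBUG -UEDEBUG
else ifeq ($(SGX_PRERELEASE),1)
SGX_COMMON_CFLAGS := -O2 -DNDEBUG -DEDEBUG -UDEBUG
else
SGX_COMMON_CFLAGS := -O2 -DNDEBUG -UEDEBUG -UDEBUG
endif

# Only the hardware, non-debug, non-prerelease build is a production candidate.
ifeq ($(SGX_MODE)$(SGX_DEBUG)$(SGX_PRERELEASE),HW00)
# Two Step: emit the signing material only; the private key never touches this host.
sign: $(ENCLAVE) $(CONFIG)
	$(SGX_SIGN) gendata -enclave $(ENCLAVE) -config $(CONFIG) -out enclave_hash.hex
	@echo "Sign enclave_hash.hex at the external facility, then run 'sgx_sign catsig'."
else
# Single Step: sign in place with a local test key.
sign: $(ENCLAVE) $(CONFIG)
	$(SGX_SIGN) sign -key Enclave_private_test.pem -enclave $(ENCLAVE) \
		-config $(CONFIG) -out enclave.signed.so
endif
```

The default of SGX_DEBUG=1 means that a release build has to be requested explicitly, so an unqualified `make sign` never produces signing material for a production enclave.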
When SGX configurations are selected, by default only the code under the <root>/sgx directory gets built.
You can customize SGX configurations like any other Eclipse build configuration, from the project properties dialog. For example:
Then you can customize and integrate the SGX build process. You can use Makefile instead of sgx/Makefile, as in the example shown in the following figure:
Customization of SGX Build Command
The build is started using the standard Eclipse build interface, for example from the main Project menu:
Project Menu