123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557 |
- <?xml version='1.0' encoding='utf-8'?>
- <!--
- Copyright (c) 2018 Intel Corporation.
- All rights reserved. This program and the accompanying materials
- are made available under the terms of the Eclipse Public License v1.0
- which accompanies this distribution, and is available at
- http://www.eclipse.org/legal/epl-v10.html
- Contributors:
- Intel Corporation - initial implementation and documentation
- -->
- <html xmlns:MadCap='http://www.madcapsoftware.com/Schemas/MadCap.xsd' MadCap:lastBlockDepth='4' MadCap:lastHeight='1043' MadCap:lastWidth='652'>
- <head>
- <link href='Resources/Stylesheets/intel_css_styles.css' rel='stylesheet' type='text/css' />
- </head>
- <body>
- <div id='SGX_title'>
- <h1 class="firsttitle">Intel(R) Software Guard Extensions Plug-in for Eclipse*</h1>
- <h2>Developer Guide</h2>
- <p>Intel(R) Software Guard Extensions (Intel(R) SGX) is an Intel technology for application developers seeking to protect select code and data from disclosure or
- modification. Intel(R) SGX makes such protections possible through the use of
- enclaves. Enclaves are protected areas of execution. Application code can be put
- into an enclave through special instructions and software made available to
- developers by the Intel(R) SGX SDK.</p>
- <p><a href="#Legal_Information">Legal Information</a>
- </p>
- </div>
- <div id='Legal_Information'>
- <h1>Legal Information</h1>
- <p>No license (express or implied, by estoppel or otherwise) to any intellectual
- property rights is granted by this document.</p>
- <p>Intel disclaims all express and implied warranties, including without
- limitation, the implied warranties of merchantability, fitness for a particular
- purpose, and non-infringement, as well as any warranty arising from course
- of performance, course of dealing, or usage in trade.</p>
- <p>This document contains information on products, services and/or processes
- in development.  All information provided here is subject to change
- without notice. Contact your Intel representative to obtain the latest
- forecast, schedule, specifications and roadmaps.</p>
- <p>The products and services described may contain defects or errors known
- as errata which may cause deviations from published specifications. Current
- characterized errata are available on request.</p>
- <p>Intel technologies features and benefits depend on system configuration
- and may require enabled hardware, software or service activation. Learn
- more at Intel.com, or from the OEM or retailer.</p>
- <p>Copies of documents which have an order number and are referenced in
- this document may be obtained by calling 1-800-548-4725 or by visiting
- <a href="http://www.intel.com/design/literature.htm">www.intel.com/design/literature.htm</a>.</p>
- <p>Intel, the Intel logo, Xeon, and Xeon Phi are trademarks of Intel Corporation
- in the U.S. and/or other countries. </p>
- <table style="border-left-style: solid;border-left-width: 1px;border-right-style: solid;border-right-width: 1px;border-top-style: solid;border-top-width: 1px;border-bottom-style: solid;border-bottom-width: 1px;">
- <col />
- <tr>
- <th>
- <p>Optimization Notice</p>
- </th>
- </tr>
- <tr bgcolor="#CCECFF">
- <td>
- <p>Intel's compilers may or may not optimize to the same degree
- for non-Intel microprocessors for optimizations that are not unique
- to Intel microprocessors. These optimizations include SSE2, SSE3,
- and SSSE3 instruction sets and other optimizations. Intel does
- not guarantee the availability, functionality, or effectiveness
- of any optimization on microprocessors not manufactured by Intel.
- Microprocessor-dependent optimizations in this product are intended
- for use with Intel microprocessors. Certain optimizations not
- specific to Intel microarchitecture are reserved for Intel microprocessors.
- Please refer to the applicable product User and Reference Guides
- for more information regarding the specific instruction sets covered
- by this notice.</p>
- <p style="text-align: right;">Notice revision #20110804</p>
- </td>
- </tr>
- </table>
- <p>* Other names and brands may be claimed as the property of others.</p>
- <p>© 2018 Intel Corporation.</p>
- </div>
- <div id='Introduction'>
- <h1>Introduction</h1>
- <p>This <i>Developer Guide</i> is intended for use by Independent Service Vendors who wish to harden their Linux* applications using Intel(R) SGX Technology, code named Intel(R) Software Guard Extensions. The guide describes the procedure for installation of Intel(R) SGX Plugin for Eclipse* IDE and development of Intel(R) SGX components using the plugin. The Intel(R) SGX Plugin for Eclipse leverages on the Intel(R) Software Guard Extensions SDK, which is a collection of APIs, libraries and tools that enable you to develop, build and debug Intel(R) SGX applications in C/C++.</p>
- <p>To learn more about the Intel(R) Software Guard Extensions SDK, see the <i>Intel(R) Software Guard Extensions SDK for Linux* OS Developer Reference</i>.</p> </div>
- <div id='Introducing_Intel_Software_Guard _Extensions_Eclipse_Plugin'>
- <h2>Introducing Intel(R) Software Guard Extensions</h2>
- <p>Intel(R) Software Guard Extensions is a new Intel technology, whose objective is to enable a high level of protection of secrets. It operates by allocating hardware-protected memory where code and data reside. The protected memory area within an application process is called an enclave. Data within the enclave memory can only be accessed by code that resides within that enclave. Enclave code can be invoked by special instructions.</p>
- <p>An enclave can be built and loaded as a shared object.</p>
- <p>Throughout this document, Intel(R) SGX refers to Intel(R) Software Guard Extensions.</p>
- <p>An Intel(R) SGX application design is different from the design of non- Intel(R) SGX application as it specifies dividing the application into two logical parts:</p>
- <ul>
- <li><i>Trusted</i> part. The code that accesses the secret resides here and it is called an enclave. More than one enclave can exist in an application.</li>
- <li><i>Untrusted</i> part. This includes the rest of the modules in the application, that is outside in an enclave.</li>
- </ul>
- <p>The trusted components and untrusted components are developed as separate modules.</p>
- <p>The trusted part or the enclave is implemented in C or C++. It is supplied as a collection of functions and data packaged in the form of a dynamically loaded library, a DLL in Windows* OS and a shared object in Linux* OS. It may be supplied either as a pre-built signed library or as a signed shared library built during compilation of the untrusted component.</p>
- <p>Enclave functions within an enclave library are wrapped by auto-generated proxy and bridge functions that simplify the mechanism of using the Intel(R) SGX technology by developers.</p>
- <p>The role of these functions is to handle the following tasks:</p>
- <ul>
- <li>Call an enclave function from untrusted code, also called an ECALL (enclave call).</li>
- <li>Call an untrusted function from within an enclave, also called an OCALL (outside call).</li>
- <li>Handle interrupts.</li>
- <li>Handle exceptions.</li>
- </ul>
- <p>The proxy and bridge functions are generated by the <code>sgx_edger8r</code> tool provided by Intel(R) SGX SDK. It reads an <i>edl</i> file (Enclave Descriptor Language) which describes the functions that form the <i>trusted</i> and <i>untrusted</i> component boundaries within the application.</p>
- <p>After the enclave is built, a signed version of it is created using the tool <code>sgx_sign</code> also provided by Intel(R) SGX SDK. It is this signed version may be loaded and executed in the encrypted memory.</p>
- <p>Enclaves may have some specific properties which are added as meta-information during the signing process. The meta-information is stored in one configuration xml file per enclave. See more details about meta-information in <i>Intel(R) Software Guard Extensions SDK for Linux* OS Developer Reference</i>.</p>
- </div>
- <div id='Introducing_Intel_Software_Guard_Extensions'>
- <h2>Introducing Intel(R) Software Guard Extensions Eclipse* Plug-in</h2>
- <p>The Intel(R) Software Guard Extensions Eclipse* Plug-in helps the enclave developer to maintain enclaves and untrusted related code inside Eclipse* C/C++ projects. To use this support, add Intel(R) SGX nature to the C/C++ project. See <a href="#Adding_SGX_Nature_to_a_Project">Adding Intel(R) SGX Nature to a Project</a> for details.</p>
- <p>Once the Intel(R) SGX nature is added to a project, you will have access to the Intel(R) SGX commands. Intel(R) SGX nature adds also a folder called <code>sgx</code> to the root of the project, and a Makefile inside it. All resources of the project managed by Intel(R) Software Guard Extensions Eclipse Plug-in are located inside this directory. You can build and run enclaves related code using GNU* Make tool through the Makefile.</p>
- <p>The plugin is generating minimal but ready-to-work code skeletons, complete with their own Makefile having all the required make targets as to call <code>sgx_edger8r</code> tool to generate the proxies and bridges, compile these source, generate a shared object and finally, to sign the enclave with the <code>sgx_sign</code> tool. This provide a starting point you may build upon.</p>
- </div>
- <div id='Getting_Started'>
- <h1>Getting Started with Intel(R) Software Guard Extensions Eclipse* Plug-in</h1>
- <p>This section contains steps to set up your Intel(R) Software Guard Extensions Eclipse* Plug-in on a Linux* system, including necessary softwares, steps to install the product, and steps to configure your preferred product directory.</p>
- <p>• Pre-requisites</p>
- <p>• Installing Intel(R) Software Guard Extensions Eclipse* Plug-in</p>
- <p>• Configuring Intel(R) Software Guard Extensions Eclipse* Plug-in</p> </div>
- <div id='Prerequisites'>
- <h2>Pre-requisites</h2>
- <p>To use Intel(R) Software Guard Extensions Eclipse Plug-in, install the following softwares:</p>
- <ul>
- <li>Eclipse* Oxygen 3 with CDT IDE for C/C++ Developers (version 4.7.3). To use this version, install Java* Development Kit (JDK) or Java* Runtime Environment (JRE) version 1.8 or above.</li>
- <li>gcc/g++ tools</li>
- <li>Openssl*</li>
- <li>Intel(R) SGX SDK for Linux* OS</li>
- </ul>
- </div>
- <div id='Installing_Intel_Software_Guard_Extensions_Eclipse_Plugin'>
- <h2>Installing Intel(R) Software Guard Extensions Eclipse* Plug-in</h2>
- <p>Install Intel(R) Software Guard Extensions Eclipse* Plug-in as a regular Eclipse Plugin:</p>
- <ol>
- <li>Download the zip archive of Intel(R) Software Guard Extensions Eclipse Plug-in from Intel Site</li>
- <li>
- <p>Go to <b>Help menu -> Install New Software</b>. Click the <b>Add</b> button for the <b>Work with</b> field to open the <b>Add Repository</b> dialog as shown in the following graphic:</p>
- <p>
- <img src="Resources/Images/Add_Repository_Dialog.png" />
- </p>
- <p class="figcap">Add Repository Dialog</p>
- </li>
- <li>
- <p>Enter <code>Intel(R) SGX Archive</code> in the <b>Name</b> field . Click the <b>Archive...</b> button and select the location of the downloaded archive as shown in the following graphic:</p>
- <p>
- <img src="Resources/Images/The_Location_of_the_Plugin_zip_Archive.png" />
- </p>
- <p class="figcap">The Location of the Plugin zip Archive</p>
- </li>
- <li>Press <b>OK</b> to add the archive as a repository.</li>
- <li>In the <b>Install</b> dialog, select the <b>Intel(R) Software Guard Extensions Plugin</b> check-box and proceed with the usual steps.</li>
- </ol>
- </div>
- <div id='Configuring_Intel_Software_Guard_Extensions_Eclipse_Plug-in'>
- <h2>Configuring Intel(R) Software Guard Extensions Eclipse* Plug-in</h2>
- <p>If you do not install Intel(R) SGX SDK for Linux* OS in the default location, you need to specify the path for Intel(R) SGX SDK using the following steps:</p>
- <ol>
- <li>
- <p>Go to <b>Window menu ->Preferences</b>. Enter Intel(R) SGX in the filter text field to quickly locate the <b>Intel(R) SGX Preferences</b> page.</p>
- <p>
- <img src="Resources/Images/SGX_Preference_Page.png" />
- </p>
- <p class="figcap">Intel(R) SGX Preference Page</p>
- </li>
- <li>Enter the path for Intel(R) SGX SDK for Linux OS in the <b>Intel(R) SGX SDK Directory</b> field.</li>
- </ol>
- </div>
- <div id='Command_Reference'>
- <h1>Command Reference</h1>
- <p>This topic provides the command reference for the following scenarios of using Intel(R) Software Guard Extensions Eclipse* Plug-in:</p>
- <ul>
- <li>Adding Intel(R) SGX nature to a project</li>
- <li>Adding an Intel(R) SGX enclave</li>
- <li>Adding an Intel(R) SGX trusted library</li>
- <li>Adding an Intel(R) SGX untrusted module</li>
- <li>Updating Intel(R) SGX enclave signing key</li>
- <li>Updating enclave configuration files</li>
- <li>Two steps sign enclave</li>
- </ul>
- <p>All commands brought by Intel(R) Software Guard Extensions Eclipse Plug-in are available by right-clicking on the Project root in Project explorer view in menu <b>Intel(R) Software Guard Extensions Tools</b>:</p> <p><img src="Resources/Images/Project_Explorer.png" /></p><p class="figcap">Project Explorer</p> </div>
- <div id='Adding_SGX_Nature_to_a_Project'>
- <h2>Adding Intel(R) SGX Nature to a Project</h2>
- <p>The <i>nature</i> of an Eclipse project is a concept defined by an Eclipse Platform which allows a plug-in to tag a project as a specific kind of project. Intel(R) Software Guard Extensions uses an <i>Intel(R) SGX nature</i> to add Intel(R) SGX-specific behavior to projects. Project natures are defined by plug-ins, and are typically added or removed per-project when the user performs some action defined by the plug-in.</p>
- <p>To use Intel(R) Software Guard Extensions Eclipse Plug-in in your project, you need to add Intel(R) SGX nature to it. You may either add Intel(R) SGX nature to a pre-existing C/C++ project or create a project with Intel(R) SGX nature from start. See <a href="#Adding_SGX_Nature_to_a_non_SGX_project">Adding Intel(R) SGX Nature to a non-SGX project</a> and <a href="#Creating_a_New_C_C_Project_with_SGX_Nature">Creating a New C/C++ Project with Intel(R) SGX Nature</a> for how to complete these tasks.</p>
- </div>
- <div id='Adding_SGX_Nature_to_a_non_SGX_project'>
- <h3>Adding Intel(R) SGX Nature to a non-SGX project</h3>
- <p>When you have a C/C++ project created without Intel(R) SGX, you cannot use Intel(R) SGX support. In this case, you need to add Intel(R) SGX nature to this project to use Intel(R) SGX support:</p>
- <ol>
- <li>Right-click on the project root</li>
- <li>
- <p>Select <b>Intel(R) Software Guard Extensions Tools → Add Intel(R) SGX Nature</b></p>
- <p>
- <img src="Resources/Images/Add_SGX_Nature.png" />
- </p>
- <p class="figcap">Add Intel(R) SGX Nature</p>
- </li>
- </ol>
- <p>After you add the Intel(R) SGX nature to your project, you should see:</p>
- <ul>
- <li>
- <p>A subdirectory <code>sgx</code> in the project which contains a Makefile file.</p>
- <p>
- <img src="Resources/Images/Makefile_for_Intel_SGX.png" />
- </p>
- <p class="figcap">Makefile for Intel(R) SGX</p>
- </li>
- <li>
- <p>The Intel(R) SGX tools as shown in the following graphic:</p>
- <p>
- <img src="Resources/Images/Intel_SGX_Tools.png" />
- </p>
- <p class="figcap">Intel(R) SGX Tools</p>
- </li>
- <li>
- <p>New configurations specific to Intel(R) SGX technology. You may see the configurations for the project by clicking to the down arrow of button <img src="Resources/Images/Down_Arrow_Button.png" /> usually found at the top of the Eclipse window:</p>
- <p>
- <img src="Resources/Images/Configurations_Specific_to_Intel_SGX_Technology.png" />
- </p>
- <p class="figcap">Configurations Specific to Intel(R) SGX Technology</p>
- </li>
- </ul>
- </div>
- <div id='Creating_a_New_C_C_Project_with_SGX_Nature'>
- <h3>Creating a New C/C++ Project with Intel(R) SGX Nature</h3>
- <p>You can create a new project with Intel(R) SGX nature. To create such a project, follow these steps:</p>
- <ol>
- <li>
- <p>Open a standard Eclipse new project: <b>File menu → Project...</b> . If you have installed Intel(R) Software Guard Extensions Eclipse Plug-in, you can see the category C/C++ with Intel(R) SGX Enabled in the <b>New Project</b> dialog.</p>
- <p>
- <img src="Resources/Images/New_Project.png" />
- </p>
- <p class="figcap">New Project</p>
- <p>This category has 2 sub-categories, <b>C project</b> and <b>C++ project</b>. These sub-categories are similar to the sub-categories C Project and C++ Project of standard C/C++ category.</p>
- </li>
- <li>Select one of the 2 sub-categories, C project or C++ project, and click <b>Next</b>.</li>
- <li>Complete creating the project using the regular process of creating a standard C or C++ project.</li>
- </ol>
- <div class="NoteCont">
- <p class="NoteTipHead">NOTE:</p>
- <p>Projects created following the subcategories under <b>C/C++ with Intel(R) SGX Enabled</b> are identical with their standard counterparts, except that they have Intel(R) SGX Nature added. There is no difference between creating a C or C++ project with Intel(R) SGX enabled, or creating a standard C/C++ project and launch <b>Add Intel(R) SGX nature</b> from it, as described in precedent paragraph.</p>
- </div>
- </div>
- <div id='Adding_an_SGX_Enclave'>
- <h2>Adding an Intel(R) SGX Enclave</h2>
- <p>After you add the Intel(R) SGX nature to a project, you can start creating a minimal but complete skeleton for a new enclave:</p>
- <ol>
- <li>Right-click on the project root in <b>Project Explorer</b>.</li>
- <li>
- <p>Open the dialog <b>Add New Intel(R) SGX Enclave</b> by selecting <b>Intel(R) Software Guard Extensions Tools → Add Intel(R) SGX Enclave</b> from the contextual menu.</p>
- <p>
- <img src="Resources/Images/Add_New_Intel_SGX_Enclave_Dialog.png" />
- </p>
- <p class="figcap">Add New Intel(R) SGX Enclave Dialog</p>
- </li>
- <li>
- <p>Choose a name for the enclave in <b>Enclave name</b> field. This name is used in the process of generation of the skeleton to give unicity to the source files and the name of the resulting executable, so you can add more than one enclave to the same project.</p>
- <ul>
- <li>
- <p>If you do not select the <b>Generate sample untrusted application</b> checkbox, the plugin generates only a trusted file and a Makefile fragment to build and compile the trusted part. See the following graphic. All the code for the enclave, including build Makefile, is put in a directory <code><root>/sgx/enclave_<name></code> . C/C++ code for the enclave proper are in <code><root>/sgx/enclave_<name>/trusted</code>.</p>
- <p>
- <img src="Resources/Images/Generated_Skeleton_for_an_Enclave.png" />
- </p>
- <p class="figcap">Generated Skeleton for an Enclave. The option to Generate Sample was not Used</p>
- </li>
- <li>
- <p>If you select <b>Generate sample untrusted application</b> checkbox, a simple ready to work sample application is generated, including untrusted stubs and implementation for a sample OCALL and ECALL.</p>
- <p>
- <img src="Resources/Images/Generated_Sample_Untrusted_Application.png" />
- </p>
- <p class="figcap">Generated Sample Untrusted Application</p>
- </li>
- </ul>
- </li>
- </ol>
- <div class="NoteCont">
- <p class="NoteTipHead">NOTE:</p>
- <p>If you select the <b>Generate sample untrusted application</b> checkbox, ecalls from the untrusted part are not be resolved by Eclipse C/C++ indexer. These functions are marked with a red line. The declaration of these ecalls resides in the unstrusted stub header which is generated during the build process and is not indexed by Eclipse. To resolve this problem, right-click on project root and select <b>Index → Freshen All Files</b>.</p>
- </div>
- </div>
- <div id='Adding_an_SGX_Trusted_Library'>
- <h2>Adding an Intel(R) SGX Trusted Library</h2>
- <p>Trusted Static Libraries helps enclave author have libraries of shared code to be reused by enclaves, in exactly the same manner as usual static <code>libxxx.a</code> libraries are used to share code between regular non-SGX applications. The plugin adds a command to generate the skeleton of a trusted shared library.</p>
- <p>To add a new Intel(R) SGX Trusted Library:</p>
- <ol>
- <li>
- <p>Open <b>Add New Intel(R) SGX Static Trusted Library</b> dialog by right-click on the root of the project and select the appropriate command from <b>Intel(R) Software Guard Extensions Tools</b> menu:</p>
- <p>
- <img src="Resources/Images/Add_New_SGX_Static_Trusted_Library_Dialog.png" />
- </p>
- <p class="figcap">Add New Intel(R) SGX Static Trusted Library Dialog</p>
- </li>
- <li>
- <p>Choose a name for the library and click <b>OK</b>. A skeleton for a trusted library is generated in directory <code><root>/sgx/trustedlib_<name></code>:</p>
- <p>
- <img src="Resources/Images/A_Generated_Trusted_Library.png" />
- </p>
- <p class="figcap">A Generated Trusted Library</p>
- </li>
- </ol>
- </div>
- <div id='Adding_an_SGX_Untrusted_Module'>
- <h2>Adding an Intel(R) SGX Untrusted Module</h2>
- <p>Add an untrusted module to generate the untrusted stubs so you use an enclave, provided you have access to its <code>.edl</code> file. The enclave might have been built in the current project or in a different project.</p>
- <p>To use trusted functionality of an enclave for which its <code>*.edl</code> is known, use the command <b>Add Intel(R) SGX Untrusted Module</b>:</p>
- <ol>
- <li>
- <p>Open dialog <b>Add Intel(R) SGX Untrusted Module</b> by right-click-ing the project root in <b>Package Explorer</b> and chose the command from <b>Intel(R) Software Guard Extensions Tools</b>.</p>
- <p>
- <img src="Resources/Images/Add_SGX_Untrusted_Module.png" />
- </p>
- <p class="figcap">Add Intel(R) SGX Untrusted Module</p>
- </li>
- <li>
- <p>Use the <b>Browse</b> button to navigate the file system using a file dialog, and click <b>OK</b>. The untrusted module is copied to <code><root>/sgx/untrusted_<edl file name></code>. The selected <code>*.edl</code> is copied to the project.</p>
- <p>
- <img src="Resources/Images/Copying_the_Untrusted_Module_to_a_Project.png" />
- </p>
- <p class="figcap">Copying the Untrusted Module to a Project</p>
- </li>
- </ol>
- </div>
- <div id='Updating_SGX_Enclave_Signing_Key'>
- <h2>Updating Intel(R) SGX Enclave Signing Key</h2>
- <p>All skeletons enclave samples produced by the plugin contain a sample signing key. You might want to import another sign key that you already have, or generate a new one. Use the command <b>Update Intel(R) SGX Enclave Signing Key</b> to complete this task.</p>
- <ol>
- <li>Choose <b>Update Intel(R) SGX Enclave Signing Key</b> by right-click on the project in <b>Project Explorer -> Intel(R) Software Guard Extensions Tools</b> menu. The <b>Import or (Re)Generate Enclave Signing Key</b> dialog appears.</li>
- <li>In the <b>Import or (Re)Generate Enclave Signing Key</b> dialog, click <b>Select</b> to open a file dialog to select the output key.</li>
- <li>
- <p>Click <b>Import Key</b> to update a selected signing key by copying another existing key or click <b>Generate Key</b> to update the selected signing key by generating a new key. In both cases, the new signature key is put into the file in text field <b>Enclave Signing Key</b>.</p>
- <p>
- <img src="Resources/Images/Import_or_Re_Generate_Enclave_Signing_Key.png" />
- </p>
- <p class="figcap">Import or (Re)Generate Enclave Signing Key</p>
- </li>
- <li>Click <b>OK</b> to update the enclave signing key.</li>
- </ol>
- <p>Under the hood, a new key is generated using openssl*, which needs to be installed on the machine:</p>
- <p><code>openssl genrsa -out ../../../encl1_private.pem.key.pem -3 3072</code>
- </p>
- <p><![CDATA[ ]]></p>
- </div>
- <div id='Updating_Enclave_Configuration_Files'>
- <h2>Updating Enclave Configuration Files</h2>
- <p>A configuration file is an important part in the definition of an enclave. Intel(R) SGX SDK signer tool requires such *.xml configuration file as necessary input.</p>
- <p>To update this configuration file, use the <b>Update Config</b> command:</p>
- <ol>
- <li>
- <p>Right-click on the root project, <b>Intel(R) Software Guard Extensions Tools->Select Config File</b>.</p>
- <p>
- <img src="Resources/Images/Select_Configuration_File.png" />
- </p>
- <p class="figcap">Select Configuration File</p>
- </li>
- <li>
- <p>Click <b>OK</b> or double-click the selected configuration file to open the <b>Enclave Configuration Settings</b> dialog.</p>
- <p>
- <img src="Resources/Images/Enclave_Configuration_Settings.png" />
- </p>
- <p class="figcap">Enclave Configuration Settings</p>
- <p>For details on the meaning of the fields, see <i>Intel(R) Software Guard Extensions Developer Guide</i>.</p>
- </li>
- </ol>
- </div>
- <div id='Two_Steps_Sign_Enclave'>
- <h2>Two Steps Sign Enclave</h2>
- <p>To help you develop enclaves, Intel(R) Software Guard Extensions Eclipse Plug-in generates all required structure including:</p>
- <ul>
- <li>c/c++ files and header files</li>
- <li><code>.edl</code> file</li>
- <li><code>*.config.xml</code> file</li>
- <li>a sample Makefile</li>
- <li>a sample signing key</li>
- </ul>
- <p>While these structure might be appropriate for development and debugging, you need a 2-step process to integrate your own signing schema for generating production enclaves.</p>
- <ol>
- <li>Generate hash: the signer tool generates signing material from the unsigned compiled enclave and from the configuration file for the enclave. The signed material comes as an opaque sequence of bytes which are put in a file with extension <code>.hex</code>. This file is used with the external signing facility. You come back with a signature for the <code>.hex</code> file plus the public key of your signing facility, and proceed to Step 2.</li>
- <li>Generate signed enclaves : the signer tool generates the final signed enclave.</li>
- </ol>
- <p>To complete this task, provide the following input parameters:</p>
- <ul>
- <li>The unsigned enclave</li>
- <li>The configuration file</li>
- <li>The output file produced when you generate hash (the <code>.hex</code> file)</li>
- <li>The files produced by the external signing facility: the signature of the .hex file and public key for it</li>
- <li>The plugin checks if the input parameters are consistent:</li>
- <li>The <code>.hex</code> file matches the unsigned enclave and the configuration file,</li>
- <li>The signed material is verified with the public key</li>
- </ul>
- <p>If the parameters are consistent, the production signed enclave is produced.</p>
- <div class="NoteCont">
- <p class="NoteTipHead">NOTE:</p>
- <p>If you generate signed enclave right after generating hash, you can only enter the parameters specific for generating signed enclave.</p>
- </div>
- <p>To use the two-step signing function, activate the configuration <b>Intel(R) SGX Hardware Release mode</b>. When this configuration is active, the compilation does not produce a signed enclave, as in the other Intel(R) SGX configurations; the process only produces unsigned enclaves.</p>
- <p>
- <img src="Resources/Images/Configure_SGX_Hardware_Release_Mode.png" />
- </p>
- <p class="figcap">Configure Intel(R) SGX Hardware Release Mode</p>
- <p>When you configure the plugin in the <b>Intel(R) SGX Hardware Release Mode</b>, you can see the <b>Generate Hash</b> and <b>Generate Signed Enclave</b> options through <b>Intel(R) Software Guard Extensions Tools->Two Step Sign Enclave</b>.</p>
- <p>
- <img src="Resources/Images/Two_Step_Sign_Enclave_Menu.png" />
- </p>
- <p class="figcap">Two Step Sign Enclave Menu</p>
- </div>
- <div id='Generate_Hash'>
- <h3>Generate Hash</h3>
- <p>Generating hash is the first step in the 2-Steps signing process.To generate hash, use the following steps:</p>
- <ol>
- <li>
- <p>Right-click on project root, go to <b>Intel(R) Software Guard Extensions Tools menu → Two Step Enclave Sign → Generate Hash</b></p>
- <p>
- <img src="Resources/Images/Two_StepSigne_Enclave_Generate_Hash.png" />
- </p>
- <p class="figcap">Two Step Enclave Sign - Generate Hash</p>
- </li>
- <li> In the <b>Generate Hash</b> dialog, enter the required inputs to the corresponding fields:<ul><li>Enter the path to the compiled enclave to be signed in the <b>Enclave Path</b> field. Click <b>Select Enclave</b> to open a file dialog to select the enclave.</li><li>In the <b>Hash File Location</b> field , enter the path of the output file that will contain signing materials. By default this file has the same file name as the unsigned enclave, with <code>.hex</code> extension added. To change the path, click <b>Select File Path</b> to open a file dialog to select the file path.</li><li>In the <b>Configuration File</b> path field, enter the path of the configuration file for the generated hash. Click <b>Select Config</b> to open a dialog to select from all enclave configuration files in the project (similar with the one of the command <b>Update Config</b>).</li></ul></li>
- <li>
- <p>Click <b>OK</b> after you fill in all the fields. The Intel(R) SGX SDK is launched under the hood with the provided parameters and the hash file is generated. A dialog box appears to confirm the completion:</p>
- <p>
- <img src="Resources/Images/Generating_Hash_Completion_Dialog.png" />
- </p>
- <p class="figcap">Generating Hash Completion Dialog</p>
- </li>
- </ol>
- <p>You complete the first step, generating hash, in the two step signing enclave. The <code>*.hex</code> file may be signed with the external facility, which generates a signature for it and a public verification key.</p>
- <p>If you click <b>OK</b>, the <b>Generate Signed Enclave</b> dialog appears. The required fields in this dialog have been pre-configured with the paths of the unsigned enclave, the configuration file and of the <code>*.hex</code> file. To generated the final signed enclave ready for production immediately, click <b>OK</b>.</p>
- <p>
- <img src="Resources/Images/Generate_Signed_Enclave_Dialog_with_Pre_configurations.png" />
- </p>
- <p class="figcap">Generate Signed Enclave Dialog with Pre-configurations</p>
- <p>If you click <b>Cancel</b> in the <b>Generate Signed Enclave</b> dialog, you can continue the signing process later using the <b>Generate Signed Enclave</b> command.</p>
- </div>
- <div id='Generate_Signed_Enclaves'>
- <h3>Generate Signed Enclaves</h3>
- <p>Generating signed enclave is the second step in the 2-Steps signing process. You should have the following files to complete this step:</p>
- <ul>
- <li>The <code>.hex</code> file generated with <b>Generate Hash</b> command</li>
- <li>The files produced from the external signing facility</li>
- <li>The signature of the <code>.hex</code> file</li>
- <li>The public verification key</li>
- </ul>
- <p>To generate signed enclaves, use the following steps:</p>
- <ol>
- <li>
- <p>Right-click on the project root, and go to <b>Intel(R) Software Guard Extensions Tools menu → Two Step Sign Enclave → Generate Signed Enclave</b>.</p>
- <p>
- <img src="Resources/Images/Generate_Signed_Enclave_Dialog.png" />
- </p>
- <p>Generate Signed Enclave Dialog</p>
- </li>
- <li>Enter the inputs to all the fields and click <b>OK</b>.</li>
- </ol>
- </div>
- <div id='Building_and_Running_SGX_Code'>
- <h1>Building and Running Intel(R) SGX Code</h1>
- <p>This section describes the following topics about building and running Intel(R) SGX code:</p>
- <ul>
- <li>Intel(R) SGX build configurations</li>
- <li>Running samples generated for enclaves</li>
- </ul> </div>
- <div id='SGX_Build_Configurations'>
- <h2>Intel(R) SGX Build Configurations</h2>
- <p>There are usually two types of builds that a regular non-SGX project defines:</p>
- <ul>
- <li>Debug</li>
- <li>Release</li>
- </ul>
- <p>Intel(R) SGX-enabled projects add to this picture support to build and test Intel(R) SGX-enabled application on non-SGX platforms (or emulator) using simulation libraries. This approach doubles the set of build types, creating four possible combinations. For these combinations, you need to use different sets of compilation and linking flags and link different libraries.</p>
- <p>The non-debug hardware build is meant to give production code, so it requires the maximum attention when signed. The Two Steps Sign schema is required for production enclaves, which involves an external signing facility, not part of Intel(R) SGX SDK. The other configurations are not meant for production but they have to be signed too. The simplest and more convenient Single Step schema is used for them.</p>
- <p>Again for testing purpose, you might want to experiment with a non-production enclave built with release compilation and linking flags, on a real hardware Intel(R) SGX-enabled platform. That would be an enclave built exactly as a production enclave, except for the sign process which would be Single Step. To support the construction of such enclave, there is a hardware non-debug build configuration dubbed <i>Prerelease</i>.</p>
- <p>So there are five Intel(R) SGX related configurations when Intel(R) SGX Nature is added to a project:</p>
- <p>
- <img src="Resources/Images/Intel_SGX_Configurations.png" />
- </p>
- <p>Intel(R) SGX Configurations</p>
- <p>The following table resumes the existing Intel(R) SGX configurations and relate them with compilation/linking flags (debug/non-debug) and signing scheme (single vs. two steps):</p>
- <p class="tablecap">Intel(R) SGX Configurations</p>
- <table style="width: 100%;border-left-style: solid;border-left-width: 1px;border-right-style: solid;border-right-width: 1px;border-top-style: solid;border-top-width: 1px;border-bottom-style: solid;border-bottom-width: 1px;">
- <col />
- <col />
- <col />
- <col />
- <tbody>
- <tr>
- <th>Configuration Name</th>
- <th>Simulation?</th>
- <th>Debug?</th>
- <th>Signing Schema</th>
- </tr>
- <tr>
- <td>Intel(R) SGX Hardware Debug</td>
- <td>Hardware</td>
- <td>Debug</td>
- <td>Single Step</td>
- </tr>
- <tr>
- <td>Intel(R) SGX Hardware Pre-release</td>
- <td>Hardware</td>
- <td>Non-debug</td>
- <td>Single Step</td>
- </tr>
- <tr>
- <td>Intel(R) SGX Hardware Release</td>
- <td>Hardware</td>
- <td>Non-debug</td>
- <td>Two Step</td>
- </tr>
- <tr>
- <td>Intel(R) SGX Simulation</td>
- <td>Simulation</td>
- <td>Non-debug</td>
- <td>Single Step</td>
- </tr>
- <tr>
- <td>Intel(R) SGX Simulation</td>
- <td>Debug Simulation</td>
- <td>Debug</td>
- <td>Single step</td>
- </tr>
- </tbody>
- </table>
- <p>Intel(R) Software Guard Extensions Eclipse Plug-in uses standard GNU* make tool to build the trusted and the untrusted code, using the generated file <code>sgx/Makefile</code>.</p>
- <p>This fact does not impose any restriction on the build tool chosen for the hosting project. Intel(R) Software Guard Extensions Eclipse* Plug-in uses its own build configurations which do not interfere with the configurations that you might have in your project.</p>
- <p>When Intel(R) SGX configurations are selected, by default only code under <code><root>/sgx</code> directory get built.</p>
- <p>You can customize Intel(R) SGX configurations as any other Eclipse build configurations from the project properties dialog. For example:</p>
- <ol>
- <li>Right-click in Project Explorer Properties → C/C++ Build</li>
- <li>Uncheck the Use default build command checkbox.</li>
- </ol>
- <p>Then you can customize and integrate Intel(R) SGX build process. You can use Makefile instead of <code>sgx/Makefile</code> in the example shown in the following figure:</p>
- <p>
- <img src="Resources/Images/Customization_of_SGX_build_command.png" />
- </p>
- <p class="figcap">Customization of Intel(R) SGX Build Command </p>
- <p>The build process is done using standard Eclipse interface for build, by example from the main <b>Project</b> menu: </p>
- <p>
- <img src="Resources/Images/Project_Menu.png" />
- </p>
- <p class="figcap">Project Menu </p>
- </div>
- <div id='Running_Samples_Generated_for_Enclaves'>
- <h2>Running Samples Generated for Enclaves</h2>
- <p>Intel(R) Software Guard Extensions Eclipse* Plugin provides an option to generate a sample application together with the enclave code when the enclave is created. After the project is build, the sample application is built also and ready to run. You can see the sample application named sample in the enclave directory in Project Explorer. You can run this sample as a local C/C++ application as shown in the following figure:</p>
- <p>
- <img src="Resources/Images/Sample_Application.png" />
- </p>
- <p class="figcap">Sample Application</p>
- <p>See the result of the execution in Eclipse console window as shown below:</p>
- <p>
- <img src="Resources/Images/The_Result_of_Running_Samples_Generated_for_Enclaves.png" />
- </p>
- <p class="figcap">The Result of Running Samples Generated for Enclaves</p>
- </div>
- </body>
- </html>
|