Implementing and Using Custom Intel SGX Trusted Library

Intel SGX Trusted Library

A trusted library is a static library that is linked into an SGX enclave and executes inside it. Because its code runs in the enclave, it is bound by the same restrictions as any other enclave code: no system calls, no access to the regular C library, only the SGX SDK's trusted runtime and its libc subset (tlibc).
The Intel SGX SDK documentation lists the restrictions as follows.

[Figure: sgx_trusted_library (restrictions on trusted-library code, from the Intel SGX SDK documentation)]

I'm currently using the Intel SGX Eclipse plugin to develop SGX programs. This post is about implementing a third-party Intel SGX trusted library.

The installation guide for the Intel SGX Eclipse plugin is [here].

Implementing Intel SGX Trusted Library in Eclipse

1. Simple library template

[Figure: sgx_eclipse_trusted_new]

[Figure: sgx_eclipse_trusted_new2]

In Eclipse, creating a new SGX project is straightforward. The one difference from a normal SGX application is the project type: select Static Library - Empty Project instead of an executable.

The new project starts out empty. Add a trusted SGX library template to it as follows.

[Figure: sgx_eclipse_trusted_new3]

The structure is simple: the untrusted directory is empty, and the static_trusted directory holds a source file that defines an ECALL.

Building the project produces the library file libtrusted.sgx.static.lib.a and generates trusted_u.c/h (the untrusted-side bridge code for the library's ECALLs) in the untrusted directory.

2. Implementing a function callable inside an enclave

Building the template is easy enough. How do we add a trusted function to this library?

Declare and implement the function in a source file (any name will do) in the static_trusted directory.

[Figure: sgx_eclipse_trusted_new_function]

That's it. Because the function is only ever called from code already inside the enclave, it is not an ECALL and does not need to be declared in the EDL: the EDL describes only the functions that cross the enclave boundary.

3. Linking a library to a SGX application

The new trusted function can now be used from any enclave that links the library. Let's link it into an SGX application.
Creating a sample SGX application is explained in the Eclipse help content (Help > Help Contents > Intel(R) SGX Eclipse Plug-in Developer Guide).

As with any static library, two things are needed.

First, add the library to the application enclave's makefile, so the enclave link step can find it:

[Figure: sgx_eclipse_trusted_new_function3]

Second, call the trusted function from inside an ECALL. The result is as follows.

[Figure: sgx_eclipse_trusted_new_function2]
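The following is an added example, not code from the original post or the Intel SDK. It puts the two pieces from sections 2 and 3 into one file so it can be compiled and tested with an ordinary host compiler: a trusted-library function that lives in static_trusted (a constant-time comparison plus a wipe routine, both written so they need nothing beyond tlibc), and an ECALL in an application enclave that calls it. The function names (tlib_ct_equal, tlib_wipe, ecall_verify_token), the EDL file name Enclave.edl, the library path in the makefile note, and the token value are all assumptions made for the example.

```c
/*
 * Added example (not the post's own code). Two files from the post's layout
 * are shown as one translation unit so a host compiler can build and test it;
 * inside a real enclave the library part needs nothing beyond tlibc.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>   /* host-side demo main only; not available inside an enclave */

/* ---- static_trusted/tlib_secure.c  (becomes part of libtrusted.sgx.static.lib.a)
 * Plain functions called only from enclave code. They are not ECALLs, so
 * nothing is added to the EDL for them. No stdio, no system calls.
 */

/* Constant-time equality check for secrets (MACs, tokens). The loop always
 * touches every byte, so timing does not reveal the first differing index.
 * Returns 1 if equal, 0 otherwise. */
int tlib_ct_equal(const uint8_t *a, const uint8_t *b, size_t len)
{
    uint32_t diff = 0;
    for (size_t i = 0; i < len; i++) {
        diff |= (uint32_t)(a[i] ^ b[i]);
    }
    /* diff is 0..255, so (diff - 1) >> 31 is 1 only when diff == 0. */
    return (int)((diff - 1u) >> 31);
}

/* Zero a secret once it is no longer needed. Writing through a volatile
 * pointer stops the compiler from dropping the stores as dead code, and the
 * routine does not depend on memset_s being present in the target libc. */
void tlib_wipe(void *p, size_t len)
{
    volatile uint8_t *vp = (volatile uint8_t *)p;
    while (len--) {
        *vp++ = 0;
    }
}

/* ---- Enclave/Enclave.c  (application enclave that links the library)
 * Assumed EDL declaration (hypothetical file name Enclave.edl):
 *   public int ecall_verify_token([in, size=len] const uint8_t *token, size_t len);
 * sgx_edger8r generates this prototype in Enclave_t.h; it is repeated below
 * only so this file builds without the SDK headers.
 *
 * Assumed makefile change for the enclave (SDK-style layout, hypothetical path):
 * add  -L../trusted/Debug -ltrusted.sgx.static.lib  to Enclave_Link_Flags,
 * inside the -Wl,--start-group ... -Wl,--end-group that also lists -lsgx_tstdc,
 * so the library's references into tlibc resolve.
 */
int ecall_verify_token(const uint8_t *token, size_t len);

/* Reference token held in enclave memory (constructed value for the example;
 * a real enclave would seal or derive it rather than hard-code it). */
const uint8_t enclave_expected_token[16] = {
    0x3a, 0x7f, 0xc2, 0x19, 0x58, 0xe4, 0x0b, 0x9d,
    0x6c, 0x21, 0xf0, 0x47, 0x8e, 0xb5, 0x13, 0xd9
};

int ecall_verify_token(const uint8_t *token, size_t len)
{
    /* [in, size=len] makes the generated bridge copy len bytes into enclave
     * memory before this body runs, so the untrusted side cannot change them
     * mid-check. The length is caller-supplied and must still be validated. */
    if (token == NULL || len != sizeof enclave_expected_token) {
        return 0;
    }
    return tlib_ct_equal(token, enclave_expected_token, len);
}

/* Exercises tlib_wipe: a working copy of the secret is compared, wiped, and
 * compared again. Returns 1 when both steps behave as expected. */
int tlib_wipe_selftest(void)
{
    uint8_t copy[sizeof enclave_expected_token];
    memcpy(copy, enclave_expected_token, sizeof copy);
    int before = tlib_ct_equal(copy, enclave_expected_token, sizeof copy);
    tlib_wipe(copy, sizeof copy);
    int after = tlib_ct_equal(copy, enclave_expected_token, sizeof copy);
    return before == 1 && after == 0;
}

/* Constructed input for a host-side run: differs from the reference in its last byte. */
const uint8_t example_bad_token[16] = {
    0x3a, 0x7f, 0xc2, 0x19, 0x58, 0xe4, 0x0b, 0x9d,
    0x6c, 0x21, 0xf0, 0x47, 0x8e, 0xb5, 0x13, 0xd8
};

int main(void)
{
    printf("reference token: %d\n", ecall_verify_token(enclave_expected_token, 16));
    printf("bad token:       %d\n", ecall_verify_token(example_bad_token, 16));
    printf("wipe self-test:  %d\n", tlib_wipe_selftest());
    return 0;
}
```

In the real project only the two library functions go into the static_trusted file; the ECALL and its EDL line belong to the application enclave, and the main() exists purely so the example can be run on the host. The point worth keeping in mind from section 2 is visible here: tlib_ct_equal and tlib_wipe never appear in any EDL, while ecall_verify_token must.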