Implementing and Using Custom Intel SGX Trusted Library

Intel SGX Trusted Library

Trusted libraries are libraries that are linked to a SGX program, and used inside an enclave. Hence, it should follow SGX enclave restrictions to be used.
According to Intel SGX SDK document, restrictions are as follow.


I’m currently using Intel SGX Eclipse plugin to develop SGX programs. This post is about implementing a third-party Intel SGX trusted library.

Installation guide of Intel SGX Eclipse plugin is in [here].

Implementing Intel SGX Trusted Library in Eclipse

1. Simple library template



In Eclipse, we can easily make a new SGX project. But different from making a normal SGX application, we select Static Library - Empty Project, instead of choosing an executable.

After making an empty project, there is nothing in it. Create a trusted SGX library template as follows.


The structure is simple: nothing in untrusted directory, a file for ecall in static_trusted directory.

When we build it, libtrusted.sgx.static.lib.a library file and trusted_u.c/h in untrusted directory are created.

2. Implementing a function callable inside an enclave

Just building a simple template is super easy. Then how we can add a trusted function into this trusted library?

Define and implement a function in a file with any name in static_trusted directory.


That’s it. As it is not an ECALL, we don’t need to add the function into EDL.

3. Linking a library to a SGX application

Now our new trusted function can be used within any enclave. Let’s link this library to an SGX application.
Making a sample SGX application is well explained in the Eclipse Help content (Help > Help Contents > Intel(R) SGX Eclipse Plug-in Developer Guide in Eclipse window).

From the basic understanding of using a library, what we need is:

Add this information into the makefile for an application enclave.


Call a trusted function inside an ecall function. A result is as follows.