Intel® SGX: Debug, Production, Pre-release --What's the Difference?

Since releasing the Intel® Software Guard Extensions (Intel® SGX) SDK, we've had a few questions about debug vs pre-release vs release mode (production) enclaves.

Part of the security model of Intel® Software Guard Extensions is to prevent software from peaking inside and getting at secrets inside the enclave... but no-one writes perfect code the first time round; so how do you debug an enclave? 

Intel® SGX HW Debug Architecture

The Intel SGX architecture supports two modes for Enclaves a Debug mode and Production (non-debug) mode. Production Mode enclaves have the full protection provided by the architecture. In the HW architecture debug mode enclaves differ from production enclaves in 4 basic ways.

1. Debug Enclaves are created with the ATTRIBUTES.DEBUG bit set. This field appears in the output of the EREPORT instruction REPORT.ATTRIBUTES (see Enclave Data Structures chapter in the Intel x86 Software Developers Manual). The debug bit is not measured as part of the build process so Debug and Production enclaves can have the same measurement.
2. Keys returned by the EGETKEY instruction leaf in debug enclaves are different for the same enclave in production mode.
3. Debug enclaves can be introspected by an enclave aware debugger (using the Intel SGX debug instructions) – a normal debugger cannot introspect a debug enclave.
4. Performance counters are enabled inside debug enclaves. 

The Intel SGX SDK includes the Intel SGX debugger as a Microsoft Visual Studio* plugin. See the Enclave Debugger section of the Intel® Software Guard Extensions Evaluation SDK User’s Guide for additional details.

 Intel® SGX SDK Compilation Profiles

Traditionally a developer would have two basic profiles for compiling their code:

• Debug: compiler optimizations are disabled, debug symbols are kept, suitable for source level debugging (typical for any SW development, standard terminology of common IDEs), plus the enclave will be launched in enclave-debug mode.
   
• Release: compiler optimizations are enabled, no debug symbols are kept, suitable for production build, for performance testing and final product release (typical for any SW development, standard terminology of common IDEs), plus the enclave will be launched in enclave-production (non-debug) mode.

In addition we have added two more profiles to the support offered in the Intel SGX SDK:

• Pre-release: same as Release with regard to optimization and debug symbol support, but the enclave will be launched in enclave-debug mode, suitable for performance testing. 
   
• Simulation: builds the Intel SGX application linked with the "simulation" libraries, not a real enclave, this allows the enclave to be run on any non-Intel SGX-enabled Intel platform.

Currently the evaluation SDK allows the developer to create and run enclaves using the Debug and Pre-release profiles. Enclaves compiled under the Release profile will not work until the developer completes the production licensing process. If you would like to deliver a production-quality application using Intel SGX, please contact the Intel SGX Program for more information about a production license.