• 04/09/2016
  • Public Content

Introduction

The Intel(R) Software Guard Extensions Developer Guide provides guidance on how to develop robust application enclaves based on Intel Software Guard Extensions technology. This guide does not provide an introduction to the Intel Software Guard Extensions technology and it is not a secure coding guideline. This guide assumes that after assessing the benefits, costs and restrictions of developing with Intel Software Guard Extensions, you have decided to use the Intel Software Guard Extensions technology and now want to learn how to properly use it to develop sound application enclaves. With your knowledge of the Intel Software Guard Extensions technology (see Intel Software Guard Extensions Programming Reference) and experience on secure coding principles and practices, this guide will help you to develop your own application enclaves.
This document provides examples of many programming constructs and principles based on a hypothetical generic run-time system. The elements of this run-time system include the following:
  • Untrusted Run-Time System (uRTS)
    – code that executes outside of the Intel(R) SGX enclave environment and performs functions such as:
    • Loading and managing an enclave.
    • Making calls to an enclave and receiving calls from within an enclave.
  • Trusted Run-Time System (tRTS)
    – code that executes within an Intel(R) SGX enclave environment and performs functions such as:
    • Receiving calls into the enclave and making calls outside of an enclave.
    • Managing the enclave itself.
    • Standard C/C++ libraries and run-time environment.
  • Edge Routines
    – functions that may run outside the enclave (untrusted edge routines) or inside the enclave (trusted edge routines) and serve to bind a call from the application with a function inside the enclave or a call from the enclave with a function in the application.
  • 3rd Party Libraries
    – for the purpose of this document, this is any library that has been tailored to work inside the Intel(R) SGX enclave environment.
See the following Table Terminology for a definition of terms.
Terminology
ECall
“Enclave Call” a call made into an interface function within the enclave
OCall
“Out Call” a call made from within the enclave to the outside application
Trusted
Refers to any code or construct that runs inside an enclave in a “trusted” environment
Trusted Thread Context
The context for a thread running inside the enclave. This is composed of:
  • Thread Control Structure (TCS)
  • Thread Data/Thread Local Storage – data within the enclave and specific to the thread
  • State Save Area (SSA) – a data buffer which holds register state when an enclave must exit due to an interrupt or exception
  • Stack – a stack located within the enclave
Untrusted
Refers to any code or construct that runs in the applications “untrusted” environment (outside of the enclave)

Product and Performance Information

1

Performance varies by use, configuration and other factors. Learn more at www.Intel.com/PerformanceIndex.