I would like to ask about accessing the timestamp cycle counter (TSC) from an enclave.
Is it going through the OS or Is it a direct access to the register hardware?.
Is there any example code for using it?
Here is an excerpt from the SGX manual on this question:
RDTSC and RDTSCP are legal inside an enclave for processors that support SGX2 (subject to the value of CR4.TSD).
For processors which support SGX1 but not SGX2, RDTSC and RDTSCP will cause #UD.
RDTSC and RDTSCP instructions may cause a VM exit when inside an enclave.
Software developers must take into account that the RDTSC/RDTSCP results are not immune to influences by other
software, e.g. the TSC can be manipulated by software outside the enclave.
Please refer to section of "39.6.1 Illegal Instructions" in the System Programming Guide at
for more info.
Thanks a lot for your reply. I wil take a careful look into that.
To add some more info:
If you want to call RDTSC, you'll need to create an OCALL and get that information (I don't believe there aren't any SGX2 processors in the market right now).
Regardless of whether you are using an SGX1 system with an OCALL or an SGX2 system without an OCALL, remember (as Hoang points out) that
"RDTSC/RDTSCP results are not immune to influences by other software, e.g. the TSC can be manipulated by software outside the enclave."
Thanks for your reply. So, RSTSC is not trusted. and what I got also that sgx_get_trusted_time API is only available during the simulation mode.
So is there any way of getting source sense of time within SGX?
I am not sure why you think trusted time is only available in simulation - you can use it in actual HW mode too.
Here's the Linux source for it:
You'll need "trusted services" on your system (Management Engine SW)
First of all, I really can't thank you enough. Your replies are extremely helpful for me.
The Developer reference manual in 2016 states that "sgx_get_trusted_time" API is only available in the simulation mode. However, I see that they removed this comment in 2017 version !!. So you are right, It could be used in Hardware. Also, as a verification, I tried the SealedData example in hardware mode, as it has this API, and it looks working fine for me.
However, I see that this API is only useful in getting the relative trusted time between two calls as long as the returned nonces are constant, otherwise, it is not useful. So I do not think it gives a secure system time (Linux time), It is only helpful in getting a relative trusted time between two calls. This is what I got until now. Is that right?
Also, I tried very hard to look into the idea behind it. How can they guarantee such secure feature? Is there a dedicated hw timer or what? Do you have any idea?
Thanks again for your great support.
I am having a hard time finding external documentation for the details on this. It uses the PSDA service:
I don't think you can trust the Linux time. Is there a specific reason you need to know Linux time as opposed to time since you last called "get secure time"?
Thanks a lot Francisco for your time and support. What I got that sgx_get_trusted_time is only useful in getting relative time. For example, if we want to get the Execution_time of "some code", we will do the following:
(Time1 , nonce1 ) = sgx_get_trusted_time().
// some code goes here
(Time2 , nonce2 ) = sgx_get_trusted_time().
if( nonce1 == nonce2)
Execution_time = Time2 - Time1
//no trusted execution time can be obtained
So as you see, It does not give us like UTC time or any global time. We need to build application that has trusted notion of global Time like UTC which can be the linux time. My questions can be summarized in the following:
1- Do you suggest something to do to get more information on how they made sgx_get_trusted_time ? I can't find anything useful too:(.
2.Also, Do you have on mind an idea on how we can get Trusted UTC time?
1. Recently posted - https://software.intel.com/sites/default/files/managed/1b/a2/Intel-SGX-Platform-Services.pdf
2. I think you may need to go out to the network (or to the system) via a (trusted) secure channel or something like that. You really can't get the time from the system directly, since by design the system isn't trusted.
Thanks a lot for your reply and support
I recently figured out that in the sgx_get_trusted_time API execution flow which is,
App Enclave <->AESM(untrusted)<-> PSE enclave(trusted) <-> AESM <->CSE/ME(trusted)
even if all the data is encrypted, there is a chance that a malicious Operating System can delay the packet through the IPC communication between App Enclave and AESM. If a packet can be delayed, then the encrypted time value inside the packet will no longer make sense. So my question is, Is it possible for an OS to delay the packet between AESM and App enclave? If yes, then sgx_get_trusted_time can no longer be trusted. Kindly correct me if I am wrong?