I'm trying to perform a local attestation between two enclaves created from two different applications.
The provided sample code for Linux here creates 3 different enclaves and then establishes secure connections between them. But those enclaves have all been created by the same application which therefore is aware of all enclave IDs.
If two different applications are creating there own enclave which should communicate with one another, how would the source enclave get to know the ID of the destination enclave? Would that ID have to be transmitted from one application to the enclave on a "general" way (IPC)?
I've tried some simple test by starting a destination enclave and printing its ID: "26ce00000002"
Then I used this ID in the local attestation example to try to connect to this running destination enclave:
uint64_t wrapper(const char *c) {
errno = 0;
uint64_t result = strtoull(c, NULL, 16);
if (errno == EINVAL) {
cout << "WRONG NUMBER" << endl;
} else if (errno == ERANGE) {
cout << "Too big\n";
}
return result;
}
uint32_t load_enclaves() {
uint32_t enclave_temp_no;
int ret, launch_token_updated;
sgx_launch_token_t launch_token;
enclave_temp_no = 0;
ret = sgx_create_enclave(ENCLAVE1_PATH, SGX_DEBUG_FLAG, &launch_token, &launch_token_updated, &e1_enclave_id, NULL);
if (ret != SGX_SUCCESS) {
return ret;
}
enclave_temp_no++;
g_enclave_id_map.insert(std::pair<sgx_enclave_id_t, uint32_t>(e1_enclave_id, enclave_temp_no));
const char *test = "26ce00000002";
e2_enclave_id = wrapper(test);
enclave_temp_no++;
g_enclave_id_map.insert(std::pair<sgx_enclave_id_t, uint32_t>(e2_enclave_id, enclave_temp_no));
return SGX_SUCCESS;
}
int main(int argc, char **argv) {
uint32_t ret_status;
sgx_status_t status;
if(load_enclaves() != SGX_SUCCESS) {
printf("\nLoad Enclave Failure");
}
printf("\nAvaliable Enclaves");
printf("\nEnclave1 - EnclaveID %lx",e1_enclave_id);
printf("\nEnclave2 - EnclaveID %lx",e2_enclave_id);
do {
//Test Create session between Enclave1(Source) and Enclave2(Destination)
status = Enclave1_test_create_session(e1_enclave_id, &ret_status, e1_enclave_id, e2_enclave_id);
if (status!=SGX_SUCCESS)
{
printf("Enclave1_test_create_session Ecall failed: Error status code is %x", status);
print_error_message(status);
break;
}
else
{
if(ret_status==0)
{
printf("\n\nSecure Channel Establishment between Source (E1) and Destination (E2) Enclaves successful !!!");
}
else
{
printf("\nSession establishment and key exchange failure between Source (E1) and Destination (E2): Error return status is %x\n", ret_status);
break;
}
}
When executing the local attestation program with the source enclave I receive a "SGX_ERROR_INVALID_ENCLAVE_ID" error? This error is not thrown by the local attestation example program but comes from somewhere in the SGX libraries and I don't know why since the destination enclave is still running, therefore the ID should exist!?
We do not need a secure connection to exchange the enclave id's. The Application can store the enclave id in a registry or on the disc along with the enclave names which can be retrieved by corresponding application to obtain the id of the required enclave. Then the application initiates a session between the source enclave and the destination enclave by doing an ECALL into the source enclave, passing in the enclave id of the destination enclave. Upon receiving the enclave id of the destination enclave, the source enclave does an OCALL into the core untrusted code which then does an ECALL into the destination enclave to exchange the messages required to establish a session using ECDH Key Exchange protocol.