SGX - What is the difference between trusted bridge and trusted proxy?


In Intel's SGX developer guide Pointer Handling, it mentions:

When a buffer is being copied, the trusted bridge must avoid overwriting enclave memory in an ECALL and the trusted proxy must avoid leaking secrets in an OCALL.

What are the trusted bridge and trusted proxy here?

--- edited ---

From Pointer Handling in ECALL and Pointer Handling in OCALL, I noticed that the trusted bridge is used for allocating and copying a buffer from outside the enclave to inside the enclave, whereas the trusted proxy is used for allocating and copying a buffer from inside the enclave to outside the enclave. So my personal conclusion is that they are both some kind of delegate responsible for allocating and copying memory buffers in the two different directions. Their names "bridge" and "proxy" are used to differentiate their workflows.

Is my understanding correct?


There are 2 answers

Surenthar

The trusted bridge and trusted proxy are interfaces between the application and the enclave. This code interfaces in/out of the enclave. The Edger tool (included in the build environment) parses the EDL file and generates the trusted bridge and trusted proxy files (.c and .h files).

Trusted bridge:

For ECALLs, the trusted bridge's task is to ensure that the marshalling structure does not overlap enclave memory.

[in]: When a pointer to untrusted memory with attribute in is passed to the enclave, the trusted bridge allocates memory inside the enclave and copies the memory pointed to by the pointer from outside to the enclave memory.

[out]: When a pointer to untrusted memory with the out attribute is passed to the enclave, the trusted bridge allocates a buffer in trusted memory, zeroes the buffer contents to clear any previous secrets and passes a pointer to this buffer to the trusted function. After the trusted function returns, the trusted bridge copies the contents of the trusted buffer to untrusted memory.

Trusted proxy:

For OCALLs, the trusted proxy allocates memory on the outside stack to pass the marshalling structure and checks that pointer parameters, with their full range, are within the enclave.

[in]: When a pointer to trusted memory with the in attribute is passed from an enclave (an OCALL), the trusted proxy allocates memory outside the enclave and copies the memory pointed to by the pointer from inside the enclave to untrusted memory.

[out]: When a pointer to trusted memory with the out attribute is passed from an enclave (an OCALL), the trusted proxy allocates a buffer on the untrusted stack, and passes a pointer to this buffer to the untrusted function. After the untrusted function returns, the trusted proxy copies the contents of the untrusted buffer to trusted memory.
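To make the two checks described above concrete, here is an added simulation (not code from this answer, the SGX SDK, or sgx_edger8r) of what the generated glue does for an `[in, size=len]` pointer in each direction: the trusted bridge refuses any ECALL buffer that is not wholly outside the enclave before copying it in, and the trusted proxy refuses any OCALL buffer that is not wholly inside the enclave before copying it out. The enclave address range, the bump allocators, the EDL fragment in the comment and the names `bridge_ecall_sum` / `proxy_ocall_log` are all constructed for this example; a real enclave would use the SDK's own range checks and trusted heap.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical EDL that the glue below corresponds to (constructed for this example):
 *   enclave {
 *       trusted   { public uint32_t ecall_sum([in, size=len] const uint8_t *buf, size_t len); };
 *       untrusted { void ocall_log([in, size=len] const uint8_t *buf, size_t len); };
 *   };
 */

#define GLUE_OK      0
#define GLUE_BAD_PTR 1   /* pointer range is not on the side the attribute requires */
#define GLUE_NO_MEM  2

/* Constructed stand-ins for the enclave's address range and the untrusted heap. */
static uint8_t enclave_region[4096];
static size_t  enclave_used;
static uint8_t untrusted_region[4096];
static size_t  untrusted_used;

static void *bump_alloc(uint8_t *region, size_t *used, size_t cap, size_t n) {
    if (n > cap - *used) return NULL;
    void *p = region + *used;
    *used += n;
    return p;
}
uint8_t *untrusted_buffer(size_t n) { return bump_alloc(untrusted_region, &untrusted_used, sizeof untrusted_region, n); }
uint8_t *enclave_buffer(size_t n)   { return bump_alloc(enclave_region,   &enclave_used,   sizeof enclave_region,   n); }

/* Full-range checks: the whole of [p, p+n) must be inside / outside the enclave. */
static int within_enclave(const void *p, size_t n) {
    uintptr_t a = (uintptr_t)p, lo = (uintptr_t)enclave_region, hi = lo + sizeof enclave_region;
    return n != 0 && a >= lo && a < hi && n <= hi - a;
}
static int outside_enclave(const void *p, size_t n) {
    uintptr_t a = (uintptr_t)p, lo = (uintptr_t)enclave_region, hi = lo + sizeof enclave_region;
    if (n == 0 || a + n < a) return 0;            /* reject zero length and address wrap-around */
    return a + n <= lo || a >= hi;
}

/* The real trusted function: it only ever sees the enclave-side copy. */
static uint32_t ecall_sum(const uint8_t *buf, size_t len) {
    uint32_t s = 0;
    for (size_t i = 0; i < len; i++) s += buf[i];
    return s;
}

/* Trusted bridge for ecall_sum: runs inside the enclave on ECALL entry. */
int bridge_ecall_sum(const uint8_t *untrusted_buf, size_t len, uint32_t *result) {
    /* [in]: the caller's pointer must lie wholly outside the enclave; a pointer aimed
     * at enclave memory would otherwise let the copy read or clobber enclave data. */
    if (!outside_enclave(untrusted_buf, len)) return GLUE_BAD_PTR;
    uint8_t *trusted_copy = enclave_buffer(len);
    if (!trusted_copy) return GLUE_NO_MEM;
    memcpy(trusted_copy, untrusted_buf, len);     /* copy in, then call with the trusted pointer */
    *result = ecall_sum(trusted_copy, len);
    return GLUE_OK;
}

/* The untrusted callee in the application; it records what it was handed. */
static size_t last_log_len;
static void ocall_log(const uint8_t *buf, size_t len) { (void)buf; last_log_len = len; }

/* Trusted proxy for ocall_log: runs inside the enclave before control leaves it. */
int proxy_ocall_log(const uint8_t *trusted_buf, size_t len) {
    /* [in]: the pointer with its full range must be inside the enclave, so that only
     * the declared bytes (not an attacker-chosen range) are ever copied out. */
    if (!within_enclave(trusted_buf, len)) return GLUE_BAD_PTR;
    uint8_t *outside_copy = untrusted_buffer(len);
    if (!outside_copy) return GLUE_NO_MEM;
    memcpy(outside_copy, trusted_buf, len);       /* copy out, then call with the untrusted pointer */
    ocall_log(outside_copy, len);
    return GLUE_OK;
}

int main(void) {
    uint8_t *u = untrusted_buffer(3);
    u[0] = 10; u[1] = 20; u[2] = 30;
    uint32_t sum = 0;
    int rc = bridge_ecall_sum(u, 3, &sum);
    printf("ECALL via bridge: rc=%d sum=%u\n", rc, sum);
    uint8_t *e = enclave_buffer(8);
    printf("ECALL with enclave pointer: rc=%d\n", bridge_ecall_sum(e, 8, &sum));
    printf("OCALL via proxy: rc=%d\n", proxy_ocall_log(e, 8));
    printf("OCALL with untrusted pointer: rc=%d\n", proxy_ocall_log(u, 3));
    return 0;
}
```

The point to take from the two checks is that they are mirror images: the bridge's check protects enclave memory from being overwritten by an ECALL argument, the proxy's check protects enclave memory from being read out by an OCALL argument, and in both cases the callee receives a pointer to a fresh copy on its own side rather than the caller's pointer.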

Roman Ryltsov

What are the trusted bridge and trusted proxy here?

The bridge and proxy concept comes from the caller and callee code not communicating with one another directly: there is glue code between them. The caller code calls a proxy, which pretends to be "like" the callee; its purpose is to accept the call and pass the arguments to the other (trusted vs. untrusted) side. The bridge is what calls the actual callee on the other side and mimics the caller.

There is a similar concept in COM marshaling: COM proxies and stubs.

The trusted proxy is what enclave code calls in an OCALL, expecting that such a call will be delivered similarly on the untrusted side to the actual callee.

The trusted bridge is what handles the call received by the untrusted proxy, prepares stack arguments for the enclave function, does the actual callee call, and takes output arguments in the opposite direction.

The documentation section explains that, in order to avoid memory overrides by the generated proxy and bridge code, the convention is that application code in untrusted space must operate with untrusted memory pointers, and enclave trusted code must use trusted memory pointer arguments. The glue layer is responsible for the magic of copying data back and forth between untrusted and trusted space, replacing pointers respectively so that they point to the same (copied) data even though the pointers themselves (as numbers) get changed.