WolfSSL
/
wolfssl-examples
mirror of https://github.com/wolfSSL/wolfssl-examples.git
1
0
Fork 0
Code Issues Releases Wiki Activity
wolfssl-examples/SGX_Linux
History
Nickolas Lapp 973a3299d1 Adds SGX_Linux, a simple Enclave/App example that includes: wolfcrypt 
test, wolfcrypt benchmark, and a simple TLS client App all to be run on
SGX hardware. Move SGX_example -> SGX_Windows since there is now a linux
example.
 		2017-06-12 14:37:59 -07:00
..
README-images Adds SGX_Linux, a simple Enclave/App example that includes: wolfcrypt 2017-06-12 14:37:59 -07:00
trusted Adds SGX_Linux, a simple Enclave/App example that includes: wolfcrypt 2017-06-12 14:37:59 -07:00
untrusted Adds SGX_Linux, a simple Enclave/App example that includes: wolfcrypt 2017-06-12 14:37:59 -07:00
Makefile Adds SGX_Linux, a simple Enclave/App example that includes: wolfcrypt 2017-06-12 14:37:59 -07:00
README.md Adds SGX_Linux, a simple Enclave/App example that includes: wolfcrypt 2017-06-12 14:37:59 -07:00
sgx_t.mk Adds SGX_Linux, a simple Enclave/App example that includes: wolfcrypt 2017-06-12 14:37:59 -07:00
sgx_u.mk Adds SGX_Linux, a simple Enclave/App example that includes: wolfcrypt 2017-06-12 14:37:59 -07:00

README.md

wolfSSL Linux Enclave Example

This repository contains an example application, written in C, which demonstrates how to link with the wolfSSL lightweight SSL/TLS library with a simple Enclave using Linux. The example has been tested with Ubuntu 16.04.

Prerequisites

First create the trusted static wolfssl library from <wolfssl-root>/IDE/LINUX-SGX. Steps for creating the static library can be found in <wolfssl-root>/IDE/LINUX-SGX/README.md

Build

After creating the static library, build the example untrusted application using make. For make the user should specify:

  1. Specify SGX Mode. This can be either SIM or HW

    SGX_MODE=[SIM,HW]

  2. Whether SGX should be built as Prerelease or regular release

    SGX_PRERELEASE=[1,0]

  3. Specify if SGX Debug should be set. (This also controls whether wolfssl debug prints, if it was enabled at compile-time for the static library).

    SGX_DEBUG=[1,0]

  4. The location of the prebuilt static library (this will probably point to <wolfssl-root>/IDE/LINUX-SGX)

    SGX_WOLFSSL_LIB=[location/to/libwolfssl.sgx.static.a]

  5. The location of wolfssl root directory for the header files.

    WOLFSSL_ROOT=[location/to/wolfssl_root]

With these three options, simply call, for example:

make SGX_MODE=SIM SGX_PRERELEASE=0 SGX_WOLFSSL_LIB=~/wolfssl/IDE/LINUX-SGX/ WOLFSSL_ROOT=../../wolfssl SGX_DEBUG=0

Expected Output

expected make results

Running

After the application has been built, it should be tested against the default wolfssl example server.

First, start the example server.

From <wolfssl-root> run:
./examples/server/server

Then, start the SGX Application

./App

This will run three tests. The first is the wolfcrypt testsuite, which tests a variety of wolfcrypt functionality. The second is the wolfcrypt benchmark testsuite, which benchmarks some of the main wolfcrypt ciphers. Finally, a simple TLS client test is run which connects a TLS client, instantiated on the enclave, against the previously started example server running normally on the PC. The connection targets localhost:11111.

Expected Output

expected app results

expected server results

Limitations

  1. Single Threaded

  2. No Filesystem

  3. Untrusted Code Must Load Private Key/Certificate Chain

    i) In order to successfully load a private key and certificate into the enclave, these APIs are exposed to the untrusted application. This means that the untrusted region must be "trusted" to load the correct Private Key/ Certificate to start a connection. This method of loading certificates should not be used for production code as it violates the trust assumptions for Intel's SGX. Contact support@wolfssl.com if you wish to use wolfSSL in your product.

Support

Please contact wolfSSL at support@wolfssl.com with any questions, bug fixes, or suggested feature additions.