All the samples that come with the Open Enclave SDK installation share a similar directory structure and build instructions. This document describes how to setup, build, sign and run these samples.
Open Enclave SDK helps developers build enclave applications. An enclave application is partitioned into an untrusted component (called a host) and a trusted component (called an enclave).
An enclave is a secure container whose memory (text and data) is protected from access by outside entities, including the host, privileged users, and even the hardware. All functionality that needs to be run in a Trusted Execution Environment (TEE) should be compiled into the enclave binary. The enclave may run in an untrusted environment with the expectation that secrets will not be compromised. On Windows and Linux, enclaves are ELF binaries.
A host is a normal user mode application that loads an enclave into its address space before starting interacting with an enclave.
All the samples that come with the Open Enclave SDK installation are all structured into two subdirectories (one for enclave and one for host) accordingly.
| Files/dir | contents |
|---|---|
| enclave | Files needed for building the sample enclave |
| host | Files needed for building the host |
Building a sample will write intermediate and output files into the sample directory. If you would like to use a separate working directory for building samples, you can copy the samples to your working directory first. For example, if the SDK was installed to C:\openenclave:
xcopy C:\openenclave\share\openenclave\samples C:\mysample-
Set
OpenEnclave_DIRto the cmake directory in the Open Enclave SDK installation.
As an example, if the Open Enclave SDK is installed to C:\openenclave, then you would set OpenEnclave_DIR as shown below
set OpenEnclave_DIR=C:\openenclave\lib\openenclave\cmake- To build a sample using CMake, change directory to your target sample directory and execute the following commands:
mkdir build
cd build
cmake .. -G Ninja -DNUGET_PACKAGE_PATH=C:\your\path\to\intel_and_dcap_nuget_packages
ninja- To run the sample, use below:
ninja runThe following samples demonstrate how to develop enclave applications using OE APIs. It's recommended to go through the following samples in the order listed.
- Minimum code needed for an OE app
- Help understand the basic components an OE application
- Demonstrate how to build, sign, and run an OE image
- Shows how to encrypt and decrypt data inside an enclave
- Uses AES mbedTLS API to perform encryption and decryption
- Introduce OE sealing and unsealing features
- Demonstrate how to use OE sealing APIs
- Explore two supported seal polices
- OE_SEAL_POLICY_UNIQUE
- OE_SEAL_POLICY_PRODUCT
- Explain how OE attestation works
- Demonstrate an implementation of remote attestation between two enclaves running on different machines
- Explain the concept of OE local attestation
- Demonstrate an implementation of local attestation between two enclaves on the same VM
- Explain the concept of switchless calls
- Identify cases where switchless calls are appropriate
- Demonstrate how to mark a function as
transition_using_threadsin EDL - Demonstrate how to configure an enclave to enable switchless calls originated within it
- Recommend the number of host worker threads required for switchless calls in practice
- Demonstrate how to enable switchless calls in an enclave application