Getting Started with Open Enclave on Windows for systems with support for SGX1 with Flexible Launch Control (FLC)
Intel® X86-64bit architecture with SGX1 and Flexible Launch Control (FLC) support. (e.g. Intel Coffee Lake CPU)
Note: To check if your system has support for SGX1 with FLC, please look here.
A version of Windows OS with native support for SGX features:
- For server: Windows Server 2019
- For client: Windows 10 64-bit version 1709 or newer
- To check your Windows version, run winver from the command line.
Note: The following instructions assume running PowerShell as administrator.
- Download and install Git for Windows from here.
- Clone the Open Enclave SDK to a folder of your choice. In these instructions we're assuming C:/Users/test.
cd C:/Users/test/
git clone --recursive https://github.com/openenclave/openenclave.git
This creates a source tree under the directory called openenclave.
First, change directory into the Open Enclave repository (from wherever you cloned it):
cd C:/Users/test/openenclave
Also, make sure the execution policy is set to RemoteSigned. Check the current policy with the following command.
Get-ExecutionPolicy
If not, set the policy with the following command and confirm the change by typing Y.
Set-ExecutionPolicy RemoteSigned
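The requirements listed so far (64-bit Windows at version 1709 or Server 2019, an elevated PowerShell session, the RemoteSigned execution policy, Git) can be checked in one pass before running the prerequisite script. This is an added example, not part of the Open Enclave repository; the function name Test-OePreflight is hypothetical, and 16299 and 17763 are the public build numbers of Windows 10 version 1709 and Windows Server 2019.

```powershell
# Added example (not from the Open Enclave repository): preflight check for
# the requirements stated on this page. Test-OePreflight is a hypothetical name.
function Test-OePreflight {
    $results = [ordered]@{}

    # The page requires a 64-bit OS.
    $results['64-bit OS'] = [Environment]::Is64BitOperatingSystem

    # Windows 10 version 1709 is build 16299; Windows Server 2019 is build 17763.
    $os       = Get-CimInstance -ClassName Win32_OperatingSystem
    $build    = [int]$os.BuildNumber
    $isServer = $os.ProductType -ne 1      # 1 = workstation, 2 = DC, 3 = server
    $minBuild = if ($isServer) { 17763 } else { 16299 }
    $results["OS build $build >= $minBuild"] = $build -ge $minBuild

    # The instructions assume PowerShell is running as administrator.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $results['Elevated session'] =
        $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # Effective execution policy for this session (highest-precedence scope wins).
    $policy = Get-ExecutionPolicy
    $results["Execution policy is RemoteSigned (found: $policy)"] = $policy -eq 'RemoteSigned'

    # Git is needed to clone the SDK with its submodules.
    $results['git on PATH'] = [bool](Get-Command git -ErrorAction SilentlyContinue)

    return $results
}

$checks = Test-OePreflight
$checks.GetEnumerator() | ForEach-Object {
    '{0,-55} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
if ($checks.Values -contains $false) {
    Write-Warning 'One or more requirements from this page are not met.'
}
```

Get-ExecutionPolicy -List shows which scope the effective value comes from; Set-ExecutionPolicy without -Scope writes the LocalMachine scope, so the change persists for all users after the build is done.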
Run the following command to deploy all the prerequisites for building Open Enclave:
./scripts/install-windows-prereqs.ps1
On Windows Server 2019 and versions of Windows 10 newer than 1709, the Intel PSW and DCAP software components should already be automatically installed. To skip updating the PSW and DCAP software components:
./scripts/install-windows-prereqs.ps1 -LaunchConfiguration SGX1FLC-NoIntelDrivers
To install the prerequisites along with the Azure DCAP Client, use the below command. The Azure DCAP Client is necessary to perform attestation on an Azure Confidential Computing VM. This command assumes that you would like the prerequisites to be installed to C:/oe_prereqs.
./scripts/install-windows-prereqs.ps1 -InstallPath C:/oe_prereqs -LaunchConfiguration SGX1FLC -DCAPClientType Azure
If you would like to skip the installation of the Azure DCAP Client, use the command below:
./scripts/install-windows-prereqs.ps1 -InstallPath C:/oe_prereqs -LaunchConfiguration SGX1FLC -DCAPClientType None
If you want to install the Azure DCAP Client, you would run the following command:
./scripts/install-windows-prereqs.ps1 -InstallPath C:/oe_prereqs -LaunchConfiguration SGX1FLC -DCAPClientType Azure
Once the installation is done, please ignore the following message(s) and continue on to the next step.
Please reboot your computer for the configuration to complete.
If you prefer to manually install prerequisites, please refer to this document.
Launch the x64 Native Tools Command Prompt for VS (2017 or 2019), which is found in the Visual Studio 2017 folder in the Start Menu.
Run the command powershell.exe to open a PowerShell prompt within the native tools environment.
From here, use CMake and Ninja to build/install Open Enclave.
To build debug enclaves:
cd C:/Users/test/openenclave
mkdir build/x64-Debug
cd build/x64-Debug
cmake -G Ninja -DNUGET_PACKAGE_PATH=C:/oe_prereqs -DCMAKE_INSTALL_PREFIX=C:/openenclave ../..
ninja
Similarly, to build release enclaves, specify the flag -DCMAKE_BUILD_TYPE=Release:
cd C:/Users/test/openenclave
mkdir build/x64-Release
cd build/x64-Release
cmake -G Ninja -DCMAKE_BUILD_TYPE=RelWithDebInfo -DNUGET_PACKAGE_PATH=C:/oe_prereqs -DCMAKE_INSTALL_PREFIX=C:/openenclave ../..
ninja
To build enclaves with LVI mitigation, specify the flag -DLVI_MITIGATION=ControlFlow:
cd C:/Users/test/openenclave
mkdir build/x64-LVI
cd build/x64-LVI
cmake -G Ninja -DLVI_MITIGATION=ControlFlow -DNUGET_PACKAGE_PATH=C:/oe_prereqs -DCMAKE_INSTALL_PREFIX=C:/openenclave ../..
ninja
Refer to the LVI Mitigation documentation for further information.
Now, using the ninja install command will install the SDK in C:/openenclave. To choose a different location, change the value specified for CMAKE_INSTALL_PREFIX.
After building, run all unit test cases using ctest to confirm the SDK is built and working as expected.
Run the following command from the build directory to run the tests (in this example, we are testing the debug build):
ctest
You will see test logs similar to the following:
Test project C:/Users/test/openenclave/build/x64-Debug
Start 1: tests/lockless_queue
1/107 Test #1: tests/lockless_queue .................................. Passed 3.49 sec
Start 2: tests/mem
2/107 Test #2: tests/mem ............................................. Passed 0.01 sec
...
....
100% tests passed, 0 tests failed out of 107
A clean pass of the above unit tests run is an indication that your Open Enclave setup was successful.
For more information refer to the Advanced Test Info document.
To build and run the samples without building and then installing the OE SDK, please refer to the README for Windows samples.
Not all tests currently run on Windows. See tests/CMakeLists.txt for a list of supported tests.