All the samples that come with the Open Enclave SDK installation share a similar directory structure and build instructions. This document describes how to set up, build, sign, and run these samples.
The Open Enclave SDK helps developers build enclave applications. An enclave application is partitioned into an untrusted component (called a host) and a trusted component (called an enclave). An enclave is a secure container whose memory (text and data) is protected from access by outside entities, including the host, privileged users, and even the hardware.
All functionality that needs to be run in a Trusted Execution Environment (TEE) should be compiled into the enclave binary. The enclave may be used by an untrusted environment with the expectation that secrets will not be compromised.
A host is a normal user mode application that creates and interacts with an enclave.
The steps required to build and run the samples on Linux are described in BuildSamplesLinux.md. In order to build and run the samples on Windows, please see BuildSamplesWindows.md.
The following samples demonstrate how to develop enclave applications using OE APIs. It's recommended to go through the following samples in the order listed.
- Minimum code needed for an OE app
- Help understand the basic components an OE application
- Demonstrate how to build, sign, and run an OE image
- Demonstrate how to optionally apply LVI mitigation to SGX enclave code
- Show how to encrypt and decrypt data inside an enclave
- Use AES Mbed TLS API to perform encryption and decryption
- Note: this sample does not support OpenSSL yet.
- Introduce OE sealing and unsealing features
- Demonstrate how to use OE sealing APIs
- Explore two supported seal polices
- OE_SEAL_POLICY_UNIQUE
- OE_SEAL_POLICY_PRODUCT
- Use AES and MD Mbed TLS APIs to perform sealing and unsealing
- Note: this sample does not support OpenSSL yet.
- Explain how OE attestation works
- Demonstrate an implementation of attestation between two enclaves
- Use SHA and PCKS1 Mbed TLS APIs to perform hashing and encryption
- Note: this sample does not support OpenSSL yet.
- Explain what an Attested TLS channel is
- Demonstrate an implementation for how to establish an Attested TLS channel
- between two enclaves
- between one non-enclave client and an enclave
- Demonstrate how to build the sample with either Mbed TLS or OpenSSL libraries
- Demonstrate how to build the sample with FIPS-enabled OpenSSL based on SymCrypt and SymCrypt OpenSSL engine
- Explain the concept of switchless calls
- Identify cases where switchless calls are appropriate
- Demonstrate how to mark a function as
transition_using_threadsin EDL - Demonstrate how to configure an enclave to enable switchless calls originated within it
- Recommend the number of host worker threads required for switchless calls in practice
- Demonstrate how to enable switchless calls in an enclave application
- Explain the concept of host-side enclave verification
- Demonstrate attestation of a remote SGX enclave from outside an enclave
- Demonstrate how to replace the default memory allocator by plugging in a custom allocator that performs better in multi-threaded enclaves.
- Provide overview of how to make an enclave-compatible allocator pluggable.