Intel released its SGX SDK for Windows to the public. It includes the launch enclave, which is needed to start your own enclaves, and some documentation on using the SDK. I will describe how you get your own enclave running in 5 minutes. I followed the SDK User Guide.
If you are not sure whether SGX is enabled on your machine, you can compile and run test_sgx.c from my repo SGX-hardware. It should print at least sgx 1 supported: 1.
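As an added example (not the post's test_sgx.c), here is a C check of the same CPUID bits that test_sgx.c reports; it assumes GCC/Clang's cpuid.h on an x86 host and the bit layout of CPUID leaves 07H and 12H documented in the Intel SDM.

```c
#include <stdint.h>
#include <stdio.h>
#if defined(__GNUC__) && (defined(__x86_64__) || defined(__i386__))
#include <cpuid.h>
#define HAVE_CPUID 1
#else
#define HAVE_CPUID 0
#endif

/* SGX capability bits decoded from CPUID leaves 07H and 12H (Intel SDM). */
struct sgx_caps {
    int sgx_feature;                 /* CPUID.(07H,0):EBX[2]   SGX extensions present      */
    int sgx1;                        /* CPUID.(12H,0):EAX[0]   SGX1 instructions (ECREATE) */
    int sgx2;                        /* CPUID.(12H,0):EAX[1]   SGX2 instructions (EAUG)    */
    unsigned max_enclave_log2_32bit; /* CPUID.(12H,0):EDX[7:0]  log2 max enclave, 32-bit  */
    unsigned max_enclave_log2_64bit; /* CPUID.(12H,0):EDX[15:8] log2 max enclave, 64-bit  */
};

/* Pure decoder over raw register values, so the bit layout can be checked on
 * any machine; the test feeds it constructed register values. */
struct sgx_caps decode_sgx_caps(uint32_t leaf7_ebx, uint32_t leaf12_eax, uint32_t leaf12_edx)
{
    struct sgx_caps c;
    c.sgx_feature = (leaf7_ebx >> 2) & 1u;
    c.sgx1 = leaf12_eax & 1u;
    c.sgx2 = (leaf12_eax >> 1) & 1u;
    c.max_enclave_log2_32bit = leaf12_edx & 0xffu;
    c.max_enclave_log2_64bit = (leaf12_edx >> 8) & 0xffu;
    return c;
}

/* Query the running CPU. Returns 0 (and zeroed caps) when CPUID leaf 12H does
 * not exist at all, which already rules SGX out on this host. */
int query_sgx_caps(struct sgx_caps *out)
{
    *out = decode_sgx_caps(0, 0, 0);
#if HAVE_CPUID
    unsigned a, b, c, d, ebx7;
    if (__get_cpuid_max(0, NULL) < 0x12u)
        return 0;
    __get_cpuid_count(7, 0, &a, &b, &c, &d);
    ebx7 = b;
    __get_cpuid_count(0x12, 0, &a, &b, &c, &d);
    *out = decode_sgx_caps(ebx7, a, d);
    return 1;
#else
    return 0;
#endif
}

int main(void)
{
    struct sgx_caps c;
    if (!query_sgx_caps(&c)) { puts("CPUID leaf 12H unavailable: no SGX"); return 1; }
    printf("sgx 1 supported: %d\nsgx 2 supported: %d\n", c.sgx1, c.sgx2);
    printf("max enclave size (64-bit mode): 2^%u bytes\n", c.max_enclave_log2_64bit);
    return 0; /* CPUID shows what the CPU implements; BIOS enablement is only
                 proven once sgx_create_enclave() actually succeeds. */
}
```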
Before we can start, you have to install the SDK. I am using it with Visual Studio 2012 Professional.
# Create the Enclave
We create the enclave first. In Visual Studio go to File > New > Project and then Templates > Visual C++ > Intel SGX Enclave Project. Choose a project name for the enclave, such as enclave_test_save.
You don't have to change anything in the project wizard. A new signing key is generated if none is given.
In the project, go to Source Files and open enclave_test_save.cpp. Implement the secure functions that you want to call from outside the enclave, or just copy my example:
Now open the enclave_test_save.edl file, which defines the trusted interface. Define your own trusted ECALLs for your functions, or copy the following:
You are now ready to build the enclave. Hit the Build button and have a look at the enclave configuration in the output. By default, debug mode is enabled for the enclave, so you are able to analyze the enclave afterwards.
# Create the Application
Now let's build a small application which calls the enclave functions. Go to File > New > Project and choose Templates > Visual C++ > Win32 Console Application. I named the application app_test_save.
First, we have to import the enclave's edl file via the Intel SGX Extensions Add-In. Right-click the project app_test_save and choose Intel SGX Configuration > Import Enclave.
Click Import EDL and choose enclave_test_save.edl. Tick the checkbox next to the edl file in the Import Enclave window and press OK.
You can now use the enclave functions in the main application. Here is my example code for app_test_save.cpp:
Following the original documentation, you should be able to run the application now.
If you get the error:
SGX couldn't find the enclave file. The solution is to move enclave_test_save.signed.dll into the same folder where app_test_save.exe is located.
Finally, when executing the application, this output should appear:
Some additional information about the SGX drivers. It seems odd that Microsoft, Intel and Dell all distribute SGX drivers. To use SGX you don't need any driver: you can communicate directly with the CPU to get the SGX functionality. The drivers, however, provide interfaces that make using SGX much easier. When using the SDK, an AESM service is started. The aesm_service.exe is located at C:\Program Files\Intel\IntelSGXPSW\bin\x64\Release. In the same folder are multiple *.signed.dll files, which are encrypted enclaves. One of these enclaves is probably the launch enclave, which is used to start every other enclave.
We don't really know what these enclaves are doing. Maybe Intel will provide more information when the Linux SDK is made available this year.