├── LICENCE ├── Makefile ├── README.md ├── trusted ├── enclave.config.xml ├── enclave.cpp ├── enclave.edl ├── enclave.lds └── enclave_private.pem └── untrusted └── app.cpp /LICENCE: -------------------------------------------------------------------------------- 1 | Licensed Materials - Property of IBM 2 | 3 | Copyright IBM Corp. 2017, 2017 All Rights Reserved 4 | 5 | US Government Users Restricted Rights - Use, duplication or 6 | disclosure restricted by GSA ADP Schedule Contract with 7 | IBM Corp. 8 | 9 | ============================================================ 10 | 11 | This project uses Makefile which based on Intel's Makefile. 12 | 13 | ============================================================ 14 | Copyright (C) 2011-2016 Intel Corporation. All rights reserved. 15 | 16 | Redistribution and use in source and binary forms, with or without 17 | modification, are permitted provided that the following conditions 18 | are met: 19 | 20 | * Redistributions of source code must retain the above copyright 21 | notice, this list of conditions and the following disclaimer. 22 | * Redistributions in binary form must reproduce the above copyright 23 | notice, this list of conditions and the following disclaimer in 24 | the documentation and/or other materials provided with the 25 | distribution. 26 | * Neither the name of Intel Corporation nor the names of its 27 | contributors may be used to endorse or promote products derived 28 | from this software without specific prior written permission. 29 | 30 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 31 | "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 32 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 33 | A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 34 | OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 35 | SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT 36 | LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 37 | DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 38 | THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 39 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 40 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 41 | 42 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | # 2 | # Copyright (C) 2011-2016 Intel Corporation. All rights reserved. 3 | # 4 | # Redistribution and use in source and binary forms, with or without 5 | # modification, are permitted provided that the following conditions 6 | # are met: 7 | # 8 | # * Redistributions of source code must retain the above copyright 9 | # notice, this list of conditions and the following disclaimer. 10 | # * Redistributions in binary form must reproduce the above copyright 11 | # notice, this list of conditions and the following disclaimer in 12 | # the documentation and/or other materials provided with the 13 | # distribution. 14 | # * Neither the name of Intel Corporation nor the names of its 15 | # contributors may be used to endorse or promote products derived 16 | # from this software without specific prior written permission. 17 | # 18 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 19 | # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 20 | # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 21 | # A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 22 | # OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 23 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT 24 | # LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 25 | # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 26 | # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 27 | # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 28 | # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 29 | # 30 | # 31 | 32 | ######## SGX SSL Settings ######## 33 | SGX_SSL ?= /opt/intel/sgxssl 34 | SGXSSL_LIB_NAME := sgx_tsgxssl 35 | SGXSSL_CRYPTO_LIB_NAME := sgx_tsgxssl_crypto 36 | ######## SGX SDK Settings ######## 37 | 38 | SGX_SDK ?= /opt/intel/sgxsdk 39 | SGX_CRYPTO_LIB_NAME := sgx_tcrypto 40 | SGX_MODE ?= HW 41 | SGX_ARCH ?= x64 42 | SGX_DEBUG ?= 0 43 | SGX_PRERELEASE ?= 1 44 | 45 | ifeq ($(shell getconf LONG_BIT), 32) 46 | SGX_ARCH := x86 47 | else ifeq ($(findstring -m32, $(CXXFLAGS)), -m32) 48 | SGX_ARCH := x86 49 | endif 50 | 51 | ifeq ($(SGX_ARCH), x86) 52 | SGX_COMMON_CFLAGS := -m32 53 | SGX_LIB_DIR := $(SGX_SDK)/lib 54 | SGX_ENCLAVE_SIGNER := $(SGX_SDK)/bin/x86/sgx_sign 55 | SGX_EDGER8R := $(SGX_SDK)/bin/x86/sgx_edger8r 56 | else 57 | SGX_COMMON_CFLAGS := -m64 58 | SGX_LIB_DIR := $(SGX_SDK)/lib64 59 | SGX_ENCLAVE_SIGNER := $(SGX_SDK)/bin/x64/sgx_sign 60 | SGX_EDGER8R := $(SGX_SDK)/bin/x64/sgx_edger8r 61 | endif 62 | 63 | ifeq ($(SGX_DEBUG), 1) 64 | ifeq ($(SGX_PRERELEASE), 1) 65 | $(error Cannot set SGX_DEBUG and SGX_PRERELEASE at the same time!!) 66 | endif 67 | endif 68 | 69 | ifeq ($(SGX_DEBUG), 1) 70 | SGX_COMMON_CFLAGS += -O0 -g 71 | SGXSSL_LIB_DIR := $(SGX_SSL)/lib64/debug/ 72 | else 73 | SGX_COMMON_CFLAGS += -O2 74 | SGXSSL_LIB_DIR := $(SGX_SSL)/lib64/release/ 75 | endif 76 | 77 | ifeq ($(SUPPLIED_KEY_DERIVATION), 1) 78 | SGX_COMMON_CFLAGS += -DSUPPLIED_KEY_DERIVATION 79 | endif 80 | Security_Link_Flags := -Wl,-z,noexecstack -Wl,-z,relro -Wl,-z,now -pie 81 | ######## App Settings ######## 82 | 83 | ifneq ($(SGX_MODE), HW) 84 | Urts_Library_Name := sgx_urts_sim 85 | else 86 | Urts_Library_Name := sgx_urts 87 | endif 88 | 89 | App_Cpp_Files := untrusted/app.cpp 90 | App_Include_Paths := -I$(SGX_SDK)/include -Iuntrusted 91 | 92 | App_C_Flags := $(SGX_COMMON_CFLAGS) -fPIC -Wno-attributes $(App_Include_Paths) 93 | 94 | # Three configuration modes - Debug, prerelease, release 95 | # Debug - Macro DEBUG enabled. 96 | # Prerelease - Macro NDEBUG and EDEBUG enabled. 97 | # Release - Macro NDEBUG enabled. 98 | ifeq ($(SGX_DEBUG), 1) 99 | App_C_Flags += -DDEBUG 100 | else ifeq ($(SGX_PRERELEASE), 1) 101 | App_C_Flags += -DNDEBUG -DEDEBUG 102 | else 103 | App_C_Flags += -DNDEBUG 104 | endif 105 | 106 | App_Cpp_Flags := $(App_C_Flags) 107 | 108 | App_Link_Flags := $(SGX_COMMON_CFLAGS) $(Security_Link_Flags) -L$(SGX_LIB_DIR) -L$(SGXSSL_LIB_DIR) -l$(Urts_Library_Name) -lsgx_usgxssl -lpthread -Wl,-rpath=$(CURDIR) 109 | 110 | ifneq ($(SGX_MODE), HW) 111 | App_Link_Flags += -lsgx_uae_service_sim 112 | else 113 | App_Link_Flags += -lsgx_uae_service 114 | endif 115 | 116 | App_Cpp_Objects := $(App_Cpp_Files:.cpp=.o) 117 | 118 | App_Name := app 119 | 120 | 121 | 122 | ######## Enclave Settings ######## 123 | 124 | ifneq ($(SGX_MODE), HW) 125 | Trts_Library_Name := sgx_trts_sim 126 | Service_Library_Name := sgx_tservice_sim 127 | else 128 | Trts_Library_Name := sgx_trts 129 | Service_Library_Name := sgx_tservice 130 | endif 131 | 132 | Enclave_Cpp_Files := trusted/enclave.cpp 133 | Enclave_Include_Paths := -I$(SGX_SDK)/include -I$(SGX_SDK)/include/tlibc -I$(SGX_SDK)/include/stlport -I$(SGX_SSL)/include 134 | 135 | Enclave_C_Flags := $(SGX_COMMON_CFLAGS) -nostdinc -fvisibility=hidden -fpie -fstack-protector $(Enclave_Include_Paths) 136 | Enclave_Cpp_Flags := $(Enclave_C_Flags) -std=c++03 -nostdinc++ 137 | 138 | # To generate a proper enclave, it is recommended to follow below guideline to link the trusted libraries: 139 | # 1. Link sgx_trts with the `--whole-archive' and `--no-whole-archive' options, 140 | # so that the whole content of trts is included in the enclave. 141 | # 2. For other libraries, you just need to pull the required symbols. 142 | # Use `--start-group' and `--end-group' to link these libraries. 143 | # Do NOT move the libraries linked with `--start-group' and `--end-group' within `--whole-archive' and `--no-whole-archive' options. 144 | # Otherwise, you may get some undesirable errors. 145 | Enclave_Link_Flags := $(SGX_COMMON_CFLAGS) -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles \ 146 | $(Security_Link_Flags) -L$(SGX_LIB_DIR) -L$(SGXSSL_LIB_DIR) \ 147 | -Wl,--whole-archive -l$(Trts_Library_Name) -l$(SGXSSL_LIB_NAME) -Wl,--no-whole-archive \ 148 | -Wl,--start-group -lsgx_tstdc -lsgx_tstdcxx -lsgx_tkey_exchange -l$(SGX_CRYPTO_LIB_NAME) -l$(SGXSSL_CRYPTO_LIB_NAME) -l$(Service_Library_Name) -Wl,--end-group \ 149 | -Wl,-Bstatic -Wl,-Bsymbolic -Wl,--no-undefined \ 150 | -Wl,-pie,-eenclave_entry -Wl,--export-dynamic \ 151 | -Wl,--defsym,__ImageBase=0 \ 152 | -Wl,--version-script=trusted/enclave.lds 153 | 154 | Enclave_Cpp_Objects := $(Enclave_Cpp_Files:.cpp=.o) 155 | 156 | Enclave_Name := enclave.so 157 | Signed_Enclave_Name := enclave.signed.so 158 | Enclave_Config_File := trusted/enclave.config.xml 159 | 160 | ifeq ($(SGX_MODE), HW) 161 | ifeq ($(SGX_DEBUG), 1) 162 | Build_Mode = HW_DEBUG 163 | else ifeq ($(SGX_PRERELEASE), 1) 164 | Build_Mode = HW_PRERELEASE 165 | else 166 | Build_Mode = HW_RELEASE 167 | endif 168 | else 169 | ifeq ($(SGX_DEBUG), 1) 170 | Build_Mode = SIM_DEBUG 171 | else ifeq ($(SGX_PRERELEASE), 1) 172 | Build_Mode = SIM_PRERELEASE 173 | else 174 | Build_Mode = SIM_RELEASE 175 | endif 176 | endif 177 | 178 | 179 | .PHONY: all run 180 | 181 | ifeq ($(Build_Mode), HW_RELEASE) 182 | all: $(App_Name) $(Enclave_Name) 183 | @echo "The project has been built in release hardware mode." 184 | @echo "Please sign the $(Enclave_Name) first with your signing key before you run the $(App_Name) to launch and access the enclave." 185 | @echo "To sign the enclave use the command:" 186 | @echo " $(SGX_ENCLAVE_SIGNER) sign -key -enclave $(Enclave_Name) -out <$(Signed_Enclave_Name)> -config $(Enclave_Config_File)" 187 | @echo "You can also sign the enclave using an external signing tool." 188 | @echo "To build the project in simulation mode set SGX_MODE=SIM. To build the project in prerelease mode set SGX_PRERELEASE=1 and SGX_MODE=HW." 189 | else 190 | all: $(App_Name) $(Signed_Enclave_Name) 191 | ifeq ($(Build_Mode), HW_DEBUG) 192 | @echo "The project has been built in debug hardware mode." 193 | else ifeq ($(Build_Mode), SIM_DEBUG) 194 | @echo "The project has been built in debug simulation mode." 195 | else ifeq ($(Build_Mode), HW_PRERELEASE) 196 | @echo "The project has been built in pre-release hardware mode." 197 | else ifeq ($(Build_Mode), SIM_PRERELEASE) 198 | @echo "The project has been built in pre-release simulation mode." 199 | else 200 | @echo "The project has been built in release simulation mode." 201 | endif 202 | endif 203 | 204 | run: all 205 | ifneq ($(Build_Mode), HW_RELEASE) 206 | @$(CURDIR)/$(App_Name) 207 | @echo "RUN => $(App_Name) [$(SGX_MODE)|$(SGX_ARCH), OK]" 208 | endif 209 | 210 | ######## App Objects ######## 211 | 212 | untrusted/enclave_u.c: $(SGX_EDGER8R) trusted/enclave.edl 213 | @cd untrusted && $(SGX_EDGER8R) --untrusted ../trusted/enclave.edl --search-path ../trusted --search-path $(SGX_SDK)/include --search-path $(SGX_SSL)/include 214 | @echo "GEN => $@" 215 | 216 | untrusted/enclave_u.o: untrusted/enclave_u.c 217 | @$(CC) $(App_C_Flags) -c $< -o $@ 218 | @echo "CC <= $<" 219 | 220 | untrusted/%.o: untrusted/%.cpp 221 | @$(CXX) $(App_Cpp_Flags) -c $< -o $@ 222 | @echo "CXX <= $<" 223 | 224 | $(App_Name): untrusted/enclave_u.o $(App_Cpp_Objects) 225 | @$(CXX) $^ -o $@ -lcrypto $(App_Link_Flags) 226 | @echo "LINK => $@" 227 | 228 | 229 | ######## Enclave Objects ######## 230 | 231 | trusted/enclave_t.c: $(SGX_EDGER8R) trusted/enclave.edl 232 | @cd trusted && $(SGX_EDGER8R) --trusted ../trusted/enclave.edl --search-path ../trusted --search-path $(SGX_SDK)/include --search-path $(SGX_SSL)/include 233 | @echo "GEN => $@" 234 | 235 | trusted/enclave_t.o: trusted/enclave_t.c 236 | @$(CC) $(Enclave_C_Flags) -c $< -o $@ 237 | @echo "CC <= $<" 238 | 239 | trusted/%.o: trusted/%.cpp 240 | @$(CXX) $(Enclave_Cpp_Flags) -c $< -o $@ 241 | @echo "CXX <= $<" 242 | 243 | $(Enclave_Name): trusted/enclave_t.o $(Enclave_Cpp_Objects) 244 | @$(CXX) $^ -o $@ $(Enclave_Link_Flags) 245 | @echo "LINK => $@" 246 | 247 | $(Signed_Enclave_Name): $(Enclave_Name) 248 | @$(SGX_ENCLAVE_SIGNER) sign -key trusted/enclave_private.pem -enclave $(Enclave_Name) -out $@ -config $(Enclave_Config_File) 249 | @echo "SIGN => $@" 250 | 251 | .PHONY: clean 252 | 253 | clean: 254 | @rm -f $(App_Name) $(Enclave_Name) $(Signed_Enclave_Name) $(App_Cpp_Objects) untrusted/enclave_u.* $(Enclave_Cpp_Objects) trusted/enclave_t.* 255 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Linux SGX Benchmarks 2 | 3 | ## Pre-Request steps 4 | * Download and install the latest SGX SDK from https://01.org/intel-software-guard-extensions/downloads. 5 | * Download and build SGX SSL located at the git repository https://github.com/intel/intel-sgx-ssl.git. 6 | * Update the values of SGX_SDK and SGX_SSL in Makefile. 7 | 8 | ## Compilation steps 9 | * make 10 | * ./app 11 | -------------------------------------------------------------------------------- /trusted/enclave.config.xml: -------------------------------------------------------------------------------- 1 | 2 | 0 3 | 0 4 | 0x400000 5 | 0x1000000 6 | 1 7 | 1 8 | 0 9 | 0 10 | 0xFFFFFFFF 11 | 12 | -------------------------------------------------------------------------------- /trusted/enclave.cpp: -------------------------------------------------------------------------------- 1 | /* 2 | * 3 | * Licensed Materials - Property of IBM 4 | * 5 | * Copyright IBM Corp. 2017, 2017 All Rights Reserved 6 | * 7 | * US Government Users Restricted Rights - Use, duplication or 8 | * disclosure restricted by GSA ADP Schedule Contract with 9 | * IBM Corp. 10 | */ 11 | 12 | 13 | #include 14 | #include 15 | #include "enclave_t.h" 16 | #include 17 | #include 18 | #include 19 | #include 20 | 21 | #include "sgx_tcrypto.h" 22 | #include "sgx_trts.h" 23 | 24 | 25 | /* out_buf_len must be at least in_buf_len + IV_SIZE + MAC_SIZE */ 26 | sgx_status_t ecall_sgxsdk_encrypt(uint8_t* in_buf, 27 | uint32_t in_buf_len, 28 | uint8_t* out_buf, 29 | uint32_t out_buf_len) 30 | { 31 | 32 | sgx_status_t ret = SGX_SUCCESS; 33 | uint8_t key[16] = {0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15}; 34 | uint8_t *iv = out_buf; 35 | uint8_t *mac = iv + SGX_AESGCM_IV_SIZE; 36 | uint8_t *enc_data = mac + SGX_AESGCM_MAC_SIZE; 37 | 38 | if (out_buf_len < in_buf_len + SGX_AESGCM_IV_SIZE + SGX_AESGCM_MAC_SIZE) { 39 | ocall_print_string("out_buf_len is too small\n"); 40 | return SGX_ERROR_INVALID_PARAMETER; 41 | } 42 | 43 | /* Set iv = 0 only for tests */ 44 | memset((void *) iv, 0, SGX_AESGCM_IV_SIZE); 45 | /*ret = sgx_read_rand(iv, SGX_AESGCM_IV_SIZE); 46 | 47 | if (ret != SGX_SUCCESS) { 48 | ocall_print_string("sgx_read_rand Error\n"); 49 | return ret; 50 | }*/ 51 | 52 | ret = sgx_rijndael128GCM_encrypt( 53 | (sgx_aes_ctr_128bit_key_t *) key, 54 | in_buf, 55 | in_buf_len, 56 | enc_data, 57 | iv, 58 | SGX_AESGCM_IV_SIZE, 59 | NULL, 60 | 0, 61 | (sgx_aes_gcm_128bit_tag_t *) mac); 62 | 63 | if (ret != SGX_SUCCESS) { 64 | ocall_print_string("Encryption Error\n"); 65 | return ret; 66 | } 67 | 68 | return ret; 69 | } 70 | 71 | 72 | 73 | sgx_status_t ecall_sgxsdk_decrypt( 74 | uint8_t* in_buf, 75 | uint32_t in_buf_len, 76 | uint8_t* out_buf, 77 | uint32_t out_buf_len) { 78 | 79 | sgx_status_t ret = SGX_SUCCESS; 80 | uint8_t *tmp_buf = NULL; 81 | uint8_t key[16] = {0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15}; 82 | uint8_t *iv = in_buf; 83 | uint8_t *mac = iv + SGX_AESGCM_IV_SIZE; 84 | uint8_t *enc_data = mac + SGX_AESGCM_MAC_SIZE; 85 | uint32_t enc_data_size = in_buf_len - SGX_AESGCM_IV_SIZE - SGX_AESGCM_MAC_SIZE; 86 | 87 | 88 | if (out_buf_len < enc_data_size) { 89 | ocall_print_string("out_buf_len is too small\n"); 90 | return SGX_ERROR_INVALID_PARAMETER; 91 | } 92 | 93 | 94 | ret = sgx_rijndael128GCM_decrypt( 95 | (sgx_aes_ctr_128bit_key_t *) key, 96 | enc_data, 97 | enc_data_size, 98 | out_buf, 99 | iv, 100 | SGX_AESGCM_IV_SIZE, 101 | NULL, 102 | 0, 103 | (sgx_aes_gcm_128bit_tag_t *) mac); 104 | 105 | if (SGX_SUCCESS != ret) 106 | { 107 | ocall_print_string("Decryption Error\n"); 108 | } 109 | 110 | return ret; 111 | 112 | } 113 | 114 | 115 | /* out_buf_len must be at least in_buf_len + IV_SIZE + MAC_SIZE */ 116 | sgx_status_t ecall_sgxssl_encrypt(uint8_t* in_buf, 117 | uint32_t in_buf_len, 118 | uint8_t* out_buf, 119 | uint32_t out_buf_len) 120 | { 121 | 122 | sgx_status_t ret = SGX_SUCCESS; 123 | EVP_CIPHER_CTX *ctx = NULL; 124 | uint8_t key[16] = {0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15}; 125 | uint8_t *iv = out_buf; 126 | uint8_t *mac = iv + SGX_AESGCM_IV_SIZE; 127 | uint8_t *enc_data = mac + SGX_AESGCM_MAC_SIZE; 128 | 129 | if (out_buf_len < in_buf_len + SGX_AESGCM_IV_SIZE + SGX_AESGCM_MAC_SIZE) { 130 | ocall_print_string("out_buf_len is too small\n"); 131 | return SGX_ERROR_INVALID_PARAMETER; 132 | } 133 | 134 | /* Set iv = 0 only for tests */ 135 | memset((void *) iv, 0, SGX_AESGCM_IV_SIZE); 136 | /*ret = sgx_read_rand(iv, SGX_AESGCM_IV_SIZE); 137 | 138 | if (ret != SGX_SUCCESS) { 139 | ocall_print_string("sgx_read_rand Error\n"); 140 | return ret; 141 | }*/ 142 | 143 | 144 | int tmp_len = 0; 145 | ctx = EVP_CIPHER_CTX_new(); 146 | /* Set cipher type and mode */ 147 | EVP_EncryptInit_ex(ctx, EVP_aes_128_gcm(), NULL, NULL, NULL); 148 | /* Initialise key and IV */ 149 | EVP_EncryptInit_ex(ctx, NULL, NULL, key, iv); 150 | /* Encrypt plaintext */ 151 | 152 | EVP_EncryptUpdate(ctx, enc_data, &tmp_len, in_buf, in_buf_len); 153 | if (tmp_len != in_buf_len) { 154 | ocall_print_string("encrypt Error\n"); 155 | } 156 | /* Finalise: note get no output for GCM */ 157 | EVP_EncryptFinal_ex(ctx, enc_data, &tmp_len); 158 | /* Get tag */ 159 | EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, SGX_AESGCM_MAC_SIZE, (uint8_t *) mac); 160 | 161 | /* Output tag */ 162 | EVP_CIPHER_CTX_free(ctx); 163 | 164 | return SGX_SUCCESS; 165 | 166 | } 167 | 168 | 169 | sgx_status_t ecall_sgxssl_decrypt( 170 | uint8_t* in_buf, 171 | uint32_t in_buf_len, 172 | uint8_t* out_buf, 173 | uint32_t out_buf_len) { 174 | 175 | EVP_CIPHER_CTX *ctx = NULL; 176 | int rv = 0; 177 | int tmp_len = 0; 178 | uint8_t key[16] = {0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15}; 179 | uint8_t *iv = in_buf; 180 | uint8_t *mac = iv + SGX_AESGCM_IV_SIZE; 181 | uint8_t *enc_data = mac + SGX_AESGCM_MAC_SIZE; 182 | uint32_t enc_data_size = in_buf_len- SGX_AESGCM_IV_SIZE - SGX_AESGCM_MAC_SIZE; 183 | 184 | ctx = EVP_CIPHER_CTX_new(); 185 | /* Select cipher */ 186 | EVP_DecryptInit_ex(ctx, EVP_aes_128_gcm(), NULL, NULL, NULL); 187 | /* Specify key and IV */ 188 | EVP_DecryptInit_ex(ctx, NULL, NULL, key, iv); 189 | /* Decrypt plaintext */ 190 | EVP_DecryptUpdate(ctx, out_buf, &tmp_len, enc_data, enc_data_size); 191 | /* Output decrypted block */ 192 | /* Set expected tag value. */ 193 | EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, SGX_AESGCM_MAC_SIZE, 194 | (void *) mac); 195 | /* Finalise: note get no output for GCM */ 196 | rv = EVP_DecryptFinal_ex(ctx, out_buf, &tmp_len); 197 | 198 | /* Check return value */ 199 | EVP_CIPHER_CTX_free(ctx); 200 | if (rv <= 0) { 201 | ocall_print_string("Decrypt Error\n"); 202 | } 203 | return SGX_SUCCESS; 204 | } 205 | 206 | void ecall_init_openssl() { 207 | /* Initialize OpenSSL crypto */ 208 | OPENSSL_init_crypto(0, NULL); 209 | } 210 | 211 | 212 | -------------------------------------------------------------------------------- /trusted/enclave.edl: -------------------------------------------------------------------------------- 1 | /* 2 | * 3 | * Licensed Materials - Property of IBM 4 | * 5 | * Copyright IBM Corp. 2017, 2017 All Rights Reserved 6 | * 7 | * US Government Users Restricted Rights - Use, duplication or 8 | * disclosure restricted by GSA ADP Schedule Contract with 9 | * IBM Corp. 10 | */ 11 | 12 | enclave { 13 | from "sgx_tsgxssl.edl" import *; 14 | 15 | trusted { 16 | public sgx_status_t ecall_sgxssl_encrypt([user_check] uint8_t* in_buf, 17 | uint32_t in_buf_len, 18 | [user_check] uint8_t* out_buf, 19 | uint32_t out_buf_len); 20 | public sgx_status_t ecall_sgxssl_decrypt( 21 | [user_check] uint8_t* in_buf, 22 | uint32_t in_buf_len, 23 | [user_check] uint8_t* out_buf, 24 | uint32_t out_buf_len); 25 | public sgx_status_t ecall_sgxsdk_encrypt([user_check] uint8_t* in_buf, 26 | uint32_t in_buf_len, 27 | [user_check] uint8_t* out_buf, 28 | uint32_t out_buf_len); 29 | public sgx_status_t ecall_sgxsdk_decrypt( 30 | [user_check] uint8_t* in_buf, 31 | uint32_t in_buf_len, 32 | [user_check] uint8_t* out_buf, 33 | uint32_t out_buf_len); 34 | public void ecall_init_openssl(); 35 | }; 36 | 37 | 38 | untrusted { 39 | void ocall_print_string([in, string] const char *str); 40 | }; 41 | 42 | }; 43 | -------------------------------------------------------------------------------- /trusted/enclave.lds: -------------------------------------------------------------------------------- 1 | enclave.so 2 | { 3 | global: 4 | g_global_data_sim; 5 | g_global_data; 6 | enclave_entry; 7 | local: 8 | *; 9 | }; 10 | -------------------------------------------------------------------------------- /trusted/enclave_private.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN RSA PRIVATE KEY----- 2 | MIIG4wIBAAKCAYEA0MvI9NpdP4GEqCvtlJQv00OybzTXzxBhPu/257VYt9cYw/ph 3 | BN1WRyxBBcrZs15xmcvlb3xNmFGWs4w5oUgrFBNgi6g+CUOCsj0cM8xw7P/y3K0H 4 | XaZUf+T3CXCp8NvlkZHzfdWAFA5lGGR9g6kmuk7SojE3h87Zm1KjPU/PvAe+BaMU 5 | trlRr4gPNVnu19Vho60xwuswPxfl/pBFUIk7qWEUR3l2hiqWMeLgf3Ays/WSnkXA 6 | uijwPt5g0hxsgIlyDrI3jKbf0zkFB56jvPwSykfU8aw4Gkbo5qSZxUAKnwH2L8Uf 7 | yM6inBaaYtM79icRwsu45Yt6X0GAt7CSb/1TKBrnm5exmK1sug3YSQ/YuK1FYawU 8 | vIaDD0YfzOndTNVBewA+Hr5xNPvqGJoRKHuGbyu2lI9jrKYpVxQWsmx38wnxF6kE 9 | zX6N4m7KZiLeLpDdBVQtLuOzIdIE4wT3t/ckeqElxO/1Ut9bj765GcTTrYwMKHRw 10 | ukWIH7ZtHtAjj0KzAgEDAoIBgQCLMoX4kZN/q63Fcp5jDXU3gnb0zeU0tZYp9U9F 11 | I5B6j2XX/ECt6OQvctYD3JEiPvZmh+5KUt5li7nNCCZrhXINYkBdGtQGLQHMKL13 12 | 3aCd//c9yK+TxDhVQ09boHFLPUO2YUz+jlVitENlmFOtG28m3zcWy3paieZnjGzT 13 | iop9Wn6ubLh50OEfsAojkUnlOOvCc3aB8iAqD+6ptYOLBifGQLgvpk8EHGQhQer/ 14 | oCHNTmG+2SsmxfV/Pus2vZ2rBkrUbZU0hwrnvKOIPhnt3Qwtmx9xsC67jF+MpWko 15 | UisJXC27FAGz2gpIGMhBp35HEppwG9hhCuMQdK2g62bvweyr1tC4qOVdQrKvhksN 16 | r6CMjS9eSXvmWdF7lU4oxStN0V56/LICSIsLbggUaxTPKhAVEgfTSqwEJoQuFA3Q 17 | 4GmgTydPhcRH1L/lhbWJqZQm7V1Gt+5i5J6iATD32uNQQ2iZi5GsUhr+jZC+WlE5 18 | 6lS813cRNiaK52HIk62bG7IXOksCgcEA+6RxZhQ5GaCPYZNsk7TqxqsKopXKoYAr 19 | 2R4KWuexJTd+1kcNMk0ETX8OSgpY2cYL2uPFWmdutxPpLfpr8S2u92Da/Wxs70Ti 20 | QSb0426ybTmnS5L7nOnGOHiddXILhW175liAszTeoR7nQ6vpr9YjfcnrXiB8bKIm 21 | akft2DQoxrBPzEe9tA8gfkyDTsSG2j7kncSbvYRtkKcJOmmypotVU6uhRPSrSXCc 22 | J59uBQkg6Bk4CKA1mz8ctG07MluFY0/ZAoHBANRpZlfIFl39gFmuEER7lb80GySO 23 | J190LbqOca3dGOvAMsDgEAi6juJyX7ZNpbHFHj++LvmTtw9+kxhVDBcswS7304kt 24 | 7J2EfnGdctEZtXif1wiq30YWAp1tjRpQENKtt9wssmgcwgK39rZNiEHmStHGv3l+ 25 | 5TnKPKeuFCDnsLvi5lQYoK2wTYvZtsjf+Rnt7H17q90IV54pMjTS8BkGskCkKf2A 26 | IYuaZkqX0T3cM6ovoYYDAU6rWL5rrYPLEwkbawKBwQCnwvZEDXtmawpBDPMNI0cv 27 | HLHBuTHBAB07aVw8mnYYz6nkL14hiK2I/17cBuXmhAfnQoORmknPYptz/Ef2HnSk 28 | 6zyo8vNKLewrb03s9Hbze8TdDKe98S7QUGj49rJY86fu5asiIz8WFJotHUZ1OWz+ 29 | hpzpav2dwW7xhUk6zXCEdYqIL9PNX2r+3azfLa88Ke2+gxJ+WEkLGgYm8SHEXOON 30 | HRYt+HIw9b1vv56uBhXwENAFwCO81L3Nnid2565CNTsCgcEAjZuZj9q5k/5VkR61 31 | gv0Of3gSGF7E6k1z0bRLyT4QnSrMgJVgBdG0lvbqeYkZIS4UKn7J+7fPX6m3ZY4I 32 | D3MrdKU3sMlIaQL+9mj3NhEjpb/ksHHqLrlXE55eEYq14cklPXMhmr3WrHqkeYkF 33 | gUQx4S8qUP9De9wob8liwJp10pdEOBBrHnWJB+Z52z/7Zp6dqP0dPgWPvsYheIyg 34 | EK8hgG1xU6rBB7xEMbqLfpLNHB/BBAIA3xzl1EfJAodiBhJHAoHAeTS2znDHYayI 35 | TvK86tBAPVORiBVTSdRUONdGF3dipo24hyeyrI5MtiOoMc3sKWXnSTkDQWa3WiPx 36 | qStBmmO/SbGTuz7T6+oOwGeMiYzYBe87Ayn8Y0KYYshFikieJbGusHjUlIGmCVPy 37 | UHrDMYGwFGUGBwW47gBsnZa+YPHtxWCPDe/U80et2Trx0RXJJQPmupAVMSiJWObI 38 | 9k5gRU+xDqkHanyD1gkGGwhFTUNX94EJEOdQEWw3hxLnVtePoke/ 39 | -----END RSA PRIVATE KEY----- 40 | -------------------------------------------------------------------------------- /untrusted/app.cpp: -------------------------------------------------------------------------------- 1 | /* 2 | * 3 | * Licensed Materials - Property of IBM 4 | * 5 | * Copyright IBM Corp. 2017, 2017 All Rights Reserved 6 | * 7 | * US Government Users Restricted Rights - Use, duplication or 8 | * disclosure restricted by GSA ADP Schedule Contract with 9 | * IBM Corp. 10 | */ 11 | 12 | 13 | 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | 20 | #include 21 | #include 22 | #include 23 | #include 24 | #include 25 | 26 | #include "sgx_eid.h" 27 | #include "sgx_urts.h" 28 | #include "sgx_trts.h" 29 | 30 | #include "enclave_u.h" 31 | 32 | #define ENCLAVE_PATH "enclave.signed.so" 33 | 34 | #define AESGCM_IV_SIZE 12 35 | #define AESGCM_MAC_SIZE 16 36 | 37 | #define WITH_DECRYPT 0 38 | 39 | void openssl_encrypt(uint8_t *input_buf, uint32_t input_size, uint8_t *output_buf, uint32_t output_size); 40 | void openssl_decrypt(uint8_t *input_buf, uint32_t input_size, uint8_t *output_buf, uint32_t output_size); 41 | 42 | #define NUM_OF_TRUSTED_ENCRYPT_LIBS 2 43 | typedef sgx_status_t (*ecall_type)(sgx_enclave_id_t, sgx_status_t*, uint8_t*, uint32_t, uint8_t*, uint32_t); 44 | ecall_type encrypt_ecalls[NUM_OF_TRUSTED_ENCRYPT_LIBS] = { 45 | ecall_sgxsdk_encrypt, 46 | ecall_sgxssl_encrypt 47 | }; 48 | 49 | ecall_type decrypt_ecalls[NUM_OF_TRUSTED_ENCRYPT_LIBS] = { 50 | ecall_sgxsdk_decrypt, 51 | ecall_sgxssl_decrypt 52 | }; 53 | const char *trusted_encrypt_lib_names[NUM_OF_TRUSTED_ENCRYPT_LIBS] = { 54 | "intel-sgxsdk", 55 | "intel-sgxssl" 56 | }; 57 | 58 | 59 | #define NUM_OF_UNTRUSTED_ENCRYPT_LIBS 1 60 | typedef void (*untrusted_func_type)(uint8_t*, uint32_t, uint8_t*, uint32_t); 61 | untrusted_func_type encrypt_funcs[NUM_OF_UNTRUSTED_ENCRYPT_LIBS] = { 62 | openssl_encrypt 63 | }; 64 | untrusted_func_type decrypt_funcs[NUM_OF_UNTRUSTED_ENCRYPT_LIBS] = { 65 | openssl_decrypt 66 | }; 67 | const char *untrusted_encrypt_lib_names[NUM_OF_UNTRUSTED_ENCRYPT_LIBS] = { 68 | "openssl" 69 | }; 70 | 71 | #define NUM_OF_TRUSTED_LIBS NUM_OF_TRUSTED_ENCRYPT_LIBS 72 | #define NUM_OF_UNTRUSTED_LIBS NUM_OF_UNTRUSTED_ENCRYPT_LIBS 73 | 74 | /* OCall functions */ 75 | void ocall_print_string(const char *str) 76 | { 77 | /* Proxy/Bridge will check the length and null-terminate 78 | * the input string to prevent buffer overflow. 79 | */ 80 | printf("%s", str); 81 | } 82 | 83 | bool create_enclave(sgx_enclave_id_t &enclave_id, const char *so_path) { 84 | int launch_token_update = 0; 85 | sgx_launch_token_t launch_token = {0}; 86 | int ret = 0; 87 | 88 | memset(&launch_token, 0, sizeof(sgx_launch_token_t)); 89 | 90 | ret = sgx_create_enclave(so_path, 91 | SGX_DEBUG_FLAG, 92 | &launch_token, 93 | &launch_token_update, 94 | &enclave_id, NULL); 95 | 96 | if (SGX_SUCCESS != ret) { 97 | printf("Error: Failed to create enclave. ret = 0x%x\n", ret); 98 | return false; 99 | } 100 | else { 101 | printf("Successfully created SGX enclave.\n"); 102 | } 103 | 104 | return true; 105 | } 106 | 107 | 108 | 109 | void openssl_encrypt(uint8_t *input_buf, uint32_t input_size, uint8_t *output_buf, uint32_t output_size) 110 | { 111 | 112 | EVP_CIPHER_CTX *ctx = NULL; 113 | uint8_t key[16] = {0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15}; 114 | uint8_t *iv = output_buf; 115 | uint8_t *mac = iv + AESGCM_IV_SIZE; 116 | uint8_t *enc_data = mac + AESGCM_MAC_SIZE; 117 | 118 | /* Set iv = 0 only for tests */ 119 | memset((void *) iv, 0, AESGCM_IV_SIZE); 120 | 121 | int tmp_len = 0; 122 | ctx = EVP_CIPHER_CTX_new(); 123 | /* Set cipher type and mode */ 124 | EVP_EncryptInit_ex(ctx, EVP_aes_128_gcm(), NULL, NULL, NULL); 125 | /* Initialise key and IV */ 126 | EVP_EncryptInit_ex(ctx, NULL, NULL, key, iv); 127 | /* Encrypt plaintext */ 128 | EVP_EncryptUpdate(ctx, enc_data, &tmp_len, input_buf, input_size); 129 | if (tmp_len != input_size) { 130 | printf("encrypt Error. tmp_len = %d, input_size = %d\n", tmp_len, input_size); 131 | } 132 | /* Finalise: note get no output for GCM */ 133 | EVP_EncryptFinal_ex(ctx, enc_data, &tmp_len); 134 | /* Get tag */ 135 | EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, AESGCM_MAC_SIZE, (uint8_t *) mac); 136 | /* Output tag */ 137 | EVP_CIPHER_CTX_free(ctx); 138 | 139 | } 140 | 141 | void openssl_decrypt(uint8_t *input_buf, uint32_t input_size, uint8_t *output_buf, uint32_t output_size) 142 | { 143 | EVP_CIPHER_CTX *ctx = NULL; 144 | int rv = 0; 145 | int tmp_len = 0; 146 | uint8_t key[16] = {0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15}; 147 | uint8_t *iv = input_buf; 148 | uint8_t *mac = iv + AESGCM_IV_SIZE; 149 | uint8_t *enc_data = mac + AESGCM_MAC_SIZE; 150 | uint32_t enc_data_size = input_size- AESGCM_IV_SIZE - AESGCM_MAC_SIZE; 151 | 152 | ctx = EVP_CIPHER_CTX_new(); 153 | /* Select cipher */ 154 | EVP_DecryptInit_ex(ctx, EVP_aes_128_gcm(), NULL, NULL, NULL); 155 | /* Specify key and IV */ 156 | EVP_DecryptInit_ex(ctx, NULL, NULL, key, iv); 157 | /* Decrypt plaintext */ 158 | EVP_DecryptUpdate(ctx, output_buf, &tmp_len, enc_data, enc_data_size); 159 | /* Output decrypted block */ 160 | /* Set expected tag value. */ 161 | EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, AESGCM_MAC_SIZE, 162 | (void *) mac); 163 | /* Finalise: note get no output for GCM */ 164 | rv = EVP_DecryptFinal_ex(ctx, output_buf, &tmp_len); 165 | 166 | /* Check return value */ 167 | EVP_CIPHER_CTX_free(ctx); 168 | if (rv <= 0) { 169 | printf("decrypt Error. rv <= 0\n"); 170 | } 171 | } 172 | 173 | 174 | uint64_t get_timestamp_in_microsec() { 175 | struct timeval tv; 176 | gettimeofday(&tv,NULL); 177 | return tv.tv_sec*(uint64_t)1000000+tv.tv_usec; 178 | } 179 | 180 | 181 | bool run_benchmark(sgx_enclave_id_t enclave_id) { 182 | const int min_size_pow = 4; // smallest message size is 2^{min_size_pow} bytes. 183 | const int max_size_pow = 24; // largest message size is 2^{max_size_pow} bytes. 184 | const double size_pow_jump = 0.5; // The sizes we tests start from min_size_pow and ends at max_size_pow, where the jumps (in the power) are of size_pow_jump. 185 | const int repetitions_per_test = 10; // Number of times we repeat the operation per test (in order to avoid inaccurate measures). 186 | const int tests_per_size = 15; // Number of tests we do per size (and take the average as the final result). 187 | FILE* urandom = NULL; 188 | FILE* csv = NULL; 189 | const int max_file_size = (int) pow(2,max_size_pow); 190 | sgx_status_t status = SGX_SUCCESS; 191 | int ret = 0; 192 | bool retval = false; 193 | uint8_t *input_buf = NULL; 194 | uint8_t *aux_buf = NULL; 195 | uint8_t *output_buf = NULL; 196 | uint8_t *random_buf = NULL; 197 | 198 | urandom = fopen("/dev/urandom", "rb"); 199 | if (!urandom) { 200 | printf("failed to open /dev/urandom\n"); 201 | goto cleanup; 202 | } 203 | 204 | csv = fopen("output.csv", "w"); 205 | if (!urandom) { 206 | printf("failed to open urandom\n"); 207 | goto cleanup; 208 | } 209 | input_buf = (uint8_t *) calloc(1, max_file_size); 210 | if (!input_buf) { 211 | printf("failed to allocate input_buf\n"); 212 | goto cleanup; 213 | } 214 | aux_buf = (uint8_t *) calloc(1, max_file_size); 215 | if (!aux_buf) { 216 | printf("failed to allocate aux_buf\n"); 217 | goto cleanup; 218 | } 219 | output_buf = (uint8_t *) calloc(AESGCM_IV_SIZE + AESGCM_MAC_SIZE + max_file_size, 1); 220 | if (!output_buf) { 221 | printf("failed to allocate output_buf\n"); 222 | goto cleanup; 223 | } 224 | 225 | 226 | for (double size_pow = min_size_pow; size_pow <= max_size_pow; size_pow += size_pow_jump) { 227 | int size = (int) ceil(pow(2,size_pow)); 228 | int input_size = size; 229 | int output_size = AESGCM_IV_SIZE + AESGCM_MAC_SIZE + size; 230 | uint64_t sum_of_diffs_trusted[NUM_OF_TRUSTED_LIBS] = {0}; 231 | uint64_t sum_of_diffs_untrusted[NUM_OF_UNTRUSTED_LIBS] = {0}; 232 | uint64_t before_timestamp = 0; 233 | uint64_t after_timestamp = 0; 234 | for (int test = 0; test < tests_per_size; test++) { 235 | size_t num_of_bytes = fread(input_buf, 1, size, urandom); 236 | if (num_of_bytes < size) { 237 | printf("fread failed! num_of_bytes = %lu\n", num_of_bytes); 238 | goto cleanup; 239 | } 240 | 241 | ///////////////////////// Enclave (trusted) ////////////////////////////////////////////// 242 | for (int lib=0; lib < NUM_OF_TRUSTED_LIBS; ++lib) { 243 | before_timestamp = get_timestamp_in_microsec(); 244 | //////////////////////////////////////////////// 245 | for (int i=0; i 0) { 325 | strcat(untrusted_libs_names,","); 326 | } 327 | strcat(untrusted_libs_names, untrusted_encrypt_lib_names[lib]); 328 | } 329 | 330 | char trusted_libs_names[NUM_OF_TRUSTED_LIBS*100] = {0}; 331 | for (int lib = 0; lib 0) { 333 | strcat(trusted_libs_names,","); 334 | } 335 | strcat(trusted_libs_names, trusted_encrypt_lib_names[lib]); 336 | } 337 | 338 | printf("log2(Size_in_Bytes): %0.1lf. Untrusted Throughput: (%s) = (%s) MB/s, Trusted Throughput: (%s) = (%s) MB/s\n", size_pow, untrusted_libs_names, untrusted_throughput_str, trusted_libs_names, trusted_throughput_str); 339 | } 340 | retval = true; 341 | 342 | cleanup: 343 | if (urandom != NULL) { 344 | fclose(urandom); 345 | } 346 | if (csv != NULL) { 347 | fclose(csv); 348 | } 349 | if (input_buf != NULL) { 350 | free(input_buf); 351 | } 352 | if (output_buf != NULL) { 353 | free(output_buf); 354 | } 355 | if (aux_buf != NULL) { 356 | free(aux_buf); 357 | } 358 | return retval; 359 | } 360 | 361 | 362 | int main(int argc, char* argv[]) 363 | { 364 | bool retval = false; 365 | sgx_enclave_id_t enclave_id = 0; 366 | sgx_status_t status = SGX_SUCCESS; 367 | 368 | 369 | retval = create_enclave(enclave_id, ENCLAVE_PATH); 370 | if (!retval) { 371 | printf("Enclave initialization has Failed!\n"); 372 | return -1; 373 | } 374 | 375 | ecall_init_openssl(enclave_id); 376 | 377 | retval = run_benchmark(enclave_id); 378 | if (!retval) { 379 | printf("Benchmark test has Failed\n"); 380 | return -1; 381 | } 382 | return 0; 383 | } 384 | 385 | --------------------------------------------------------------------------------