12 releases

0.8.6 Aug 1, 2022
0.8.5 Dec 3, 2021
0.8.3 Oct 6, 2020
0.8.2 May 20, 2020
0.5.0 Jul 30, 2016


MPL-2.0 and maybe GPL-2.0+

12K SLoC

SGXS utilities

Compiles with Rust nightly.


pe2sgxs converts enclaves in Intel's PE format to SGXS format, optionally extracting the signature. You can then use the SGXS file with the other SGXS utilities.


sgx-debug-read tries to read memory in the EPC. This will only succeed for regular and TCS pages that are part of debug enclaves. The contents of the memory (or zeroes for inaccessible memory) will be output to stdout. Errors will be printed to stderr.


sgxs-build generates an SGXS by concatenating raw binary files specified on the command line. For example, to generate the simplest valid enclave possible:

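$ as -k
mov %rcx,%rbx    # EENTER leaves the return address in RCX; EEXIT jumps to RBX
mov $0x4,%eax    # ENCLU leaf 4 = EEXIT
enclu            # exit the enclave immediately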
$ objcopy -O binary -j .text a.out
$ sgxs-build rx=a.out tcs=nssa:1 > a.sgxs
$ sgxs-info summary a.sgxs
   0- fff Reg  r-x  (data) meas=all
1000-1fff Tcs  ---  (data) meas=all
2000-2fff Reg  rw- (empty) meas=all
3000-3fff (unmapped)

Input files will be page-aligned.


sgxs-info parses SGXS files for further analysis. It currently supports the following commands:


list-all

The most verbose listing format, which lists all the individual commands contained in the input file, including their parameters. For EEXTEND commands, data is either (empty) if the data is all zeroes, [byte]* if the data is all the same value byte, or (data) in any other case.

This is the only command that can read non-canonical SGXS files.


list-pages

This listing format lists all commands except EEXTEND commands. The EEXTEND information is consolidated into the preceding EADD command. The data is displayed in the same format as in the list-all command. The measured field indicates which parts of the page are measured by an EEXTEND command: all, partial or none.


summary

This command gives a summarized overview of all the different sections in memory. The entire memory indicated by the enclave size is described. Consecutive pages that have the same type, flags, data and measurement fields are consolidated into a single line. Unmapped pages are indicated as such. Characteristics of TCS pages are displayed.


dump-mem

This command dumps the memory of the enclave as it would be seen before executing an EENTER instruction. Unmapped pages in between sections are filled with zeroes. Unmapped pages at the end are truncated.
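
The consolidation that the summary command performs, together with the data notation from list-all, as an added Rust example that is not code from sgxs-tools. The Page struct, classify and summarize are hypothetical names, the input is constructed to mirror the sgxs-build example, the two-hex-digit form of the repeated byte is an assumption, and column spacing is simplified.

```rust
// Added example; Page, classify and summarize are hypothetical names, not sgxs-tools APIs.
#[derive(Clone, PartialEq, Debug)]
struct Page {
    kind: &'static str,  // "Reg" or "Tcs"
    flags: &'static str, // e.g. "r-x"
    data: String,        // "(empty)", "[xx]*" or "(data)"
    meas: &'static str,  // "all", "partial" or "none"
}

const PAGE: u64 = 0x1000;

/// Data column: all zeroes, one repeated byte (hex format assumed), or anything else.
fn classify(bytes: &[u8]) -> String {
    match bytes.first() {
        Some(&0) if bytes.iter().all(|&x| x == 0) => "(empty)".into(),
        Some(&b) if bytes.iter().all(|&x| x == b) => format!("[{:02x}]*", b),
        _ => "(data)".into(),
    }
}

/// Walk every page up to `size`, merging neighbours whose fields are all
/// equal and reporting pages absent from `pages` as unmapped.
fn summarize(pages: &[(u64, Page)], size: u64) -> Vec<String> {
    let at = |n: u64| pages.iter().find(|(k, _)| *k == n).map(|(_, p)| p);
    let (total, mut out, mut i) = (size / PAGE, Vec::new(), 0u64);
    while i < total {
        let cur = at(i);
        let mut j = i + 1;
        while j < total && at(j) == cur { j += 1; }
        let range = format!("{:x}-{:x}", i * PAGE, j * PAGE - 1);
        out.push(match cur {
            Some(p) => format!("{} {} {} {} meas={}", range, p.kind, p.flags, p.data, p.meas),
            None => format!("{} (unmapped)", range),
        });
        i = j;
    }
    out
}

fn main() {
    // Constructed pages mirroring the sgxs-build example: code, TCS, one SSA page.
    let page = |kind: &'static str, flags: &'static str, data: String| Page { kind, flags, data, meas: "all" };
    let pages = [
        (0u64, page("Reg", "r-x", classify(&[0x48, 0x89, 0xcb, 0x00]))), // mov %rcx,%rbx + padding
        (1, page("Tcs", "---", "(data)".to_string())),
        (2, page("Reg", "rw-", classify(&[0u8; 4096]))),
    ];
    for line in summarize(&pages, 0x4000) { println!("{}", line); }
}
```

An enclave size of 0x4000 with three mapped pages leaves the last page unmapped, which is why the summary in the sgxs-build example ends with an (unmapped) line.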


sgxs-load loads an SGXS file into the EPC. Currently, only the Linux ioctl driver is supported. You must also provide a signature and initialization token.


sgxs-sign generates a SIGSTRUCT given an SGX stream and user-specified parameters. You can generate a fresh private key using the openssl genrsa command like so:

openssl genrsa -3 3072 > private.pem

