Lib.rs

Hardware supportSGXS
#sgx-enclave #sgx #enclave #intel-sgx #sgxs #sgxs-sign #sgxs-append

macro bin sgxs-tools

Utilities for working with the SGX stream format

by Mohsen Zohrevandi, fortanix and 3 contributors

12 releases

0.8.6 Aug 1, 2022
0.8.5 Dec 3, 2021
0.8.3 Oct 6, 2020
0.8.2 May 20, 2020
0.5.0 Jul 30, 2016

#1736 in Hardware support

Download history 13/week @ 2024-06-13 21/week @ 2024-06-20 21/week @ 2024-06-27 20/week @ 2024-07-04 50/week @ 2024-07-11 46/week @ 2024-07-18 54/week @ 2024-07-25 58/week @ 2024-08-01 73/week @ 2024-08-08 34/week @ 2024-08-15 43/week @ 2024-08-22 72/week @ 2024-08-29 82/week @ 2024-09-05 45/week @ 2024-09-12 56/week @ 2024-09-19 40/week @ 2024-09-26

231 downloads per month

MPL-2.0 and maybe GPL-2.0+

530KB
12K SLoC

SGXS utilities

Compiles with Rust nightly.

pe2sgxs

pe2sgxs converts enclaves in Intel's PE format to SGXS format, optionally extracting the signature. You can then use the SGXS file with the other SGXS utilities.

sgx-debug-read

sgx-debug-read tries to read memory in the EPC. This will only succeed for regular and TCS pages that are part of debug enclaves. The contents of the memory (or zeroes for inaccessible memory) will be output to stdout. Errors will be printed to stderr.

sgxs-build

sgxs-build generates an SGXS by concatenating raw binary files specified on the command line. For example, to generate the simplest valid enclave possible:

$ as -k
mov %rcx,%rbx
mov $0x4,%eax
enclu
^D
$ objcopy -O binary -j .text a.out
$ sgxs-build rx=a.out tcs=nssa:1 > a.sgxs
$ sgxs-info summary a.sgxs
   0- fff Reg  r-x  (data) meas=all
1000-1fff Tcs  ---  (data) meas=all
2000-2fff Reg  rw- (empty) meas=all
3000-3fff (unmapped)

Input files will be page-aligned.

sgxs-info

sgxs-info parses SGXS files for further analysis. It currently supports the following commands:

list-all

The most verbose listing format, which lists all the individual commands contained in the input file, including their parameters. For EEXTEND commands, data is either (empty) if the data is all zeroes, [byte]* if the data is all the same value byte, or (data) in any other case.

This is the only command that can read non-canonical SGXS files.

list-pages

This listing format lists all commands, except EEXTEND commands. The EEXTEND information is consolidated in the preceding EADD command. The data is displayed in the same format as in the list-all command. The measured field indicates which part of the page are being measured by an EEXTEND command: all, partial or none.

summary

This command gives a summarized overview of all the different sections in memory. The entire memory indicated by the enclave size is described. Consecutive pages that have the same type, flags, data and measurement fields are consolidated into a single line. Unmapped pages are indicated as such. Characteristics of TCS pages are displayed.

dump-mem

This command dumps the memory of the enclave as it would be seen before executing an EENTER instruction. Unmapped pages in between sections are filled with zeroes. Unmapped pages at the end are truncated.

sgxs-load

sgxs-load loads an SGXS file into the EPC. Currently, only the linux ioctl driver is supported. You must also provide a signature and initialization token.

sgxs-sign

sgxs-sign generates a SIGSTRUCT given an SGX stream and user-specified parameters. You can generate a fresh private key using the openssl genrsa command like so:

openssl genrsa -3 3072 > private.pem

Dependencies

~30–41MB
~727K SLoC