Intel® Software Guard Extensions SSL Developer Guide Intel(R) Library Linux
User Manual: Pdf
Open the PDF directly: View PDF .
Page Count: 10
Download | |
Open PDF In Browser | View PDF |
Intel® Software Guard Extensions SSL (Intel® SGX SSL) Library Linux Developer Guide Legal Information No license (express or implied, by estoppel or otherwise) to any intellectual property rights is granted by this document. Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade. This document contains information on products, services and/or processes in development. All information provided here is subject to change without notice. Contact your Intel representative to obtain the latest forecast, schedule, specifications and roadmaps. The products and services described may contain defects or errors known as errata which may cause deviations from published specifications. Current characterized errata are available on request. Intel technologies features and benefits depend on system configuration and may require enabled hardware, software or service activation. Learn more at Intel.com, or from the OEM or retailer. Copies of documents which have an order number and are referenced in this document may be obtained by calling 1-800-548-4725 or by visiting www.intel.com/design/literature.htm. Intel, the Intel logo, Xeon, and Xeon Phi are trademarks of Intel Corporation in the U.S. and/or other countries. Optimization Notice Intel's compilers may or may not optimize to the same degree for non-Intel microprocessors for optimizations that are not unique to Intel microprocessors. These optimizations include SSE2, SSE3, and SSSE3 instruction sets and other optimizations. Intel does not guarantee the availability, functionality, or effectiveness of any optimization on microprocessors not manufactured by Intel. Microprocessor-dependent optimizations in this product are intended for use with Intel microprocessors. Certain optimizations not specific to Intel microarchitecture are reserved for Intel microprocessors. Please refer to the applicable product User and Reference Guides for more information regarding the specific instruction sets covered by this notice. Notice revision #20110804 * Other names and brands may be claimed as the property of others. Copyright © 2018 Intel Corporation. All rights reserved. Intel® Software Guard Extensions SSL Table of Contents Legal Information ........................................................................................................................................................... 2 1. Package Content ......................................................................................................................................................... 4 2. Using Intel® SGX SSL Library ................................................................................................................................... 5 3. Supported APIs ........................................................................................................................................................... 6 4. Appendix A: Supported APIs ................................................................................................................................... 9 09/11/2017 Page 3 of 10 Intel® Software Guard Extensions SSL 1. Package Content Intel® SGX SSL library is released as a component of the Intel® Software Guard Extensions (Intel® SGX) SDK. Private release package can be provided by request for evaluation purposes. The release package contains relevant include files (both header and edl files), libraries and relevant documentation. The following table lists the libraries provided in the release package: Library Name Description libsgx_tsgxssl_crypto.a Intel® SGX SSL* cryptographic library, built based on OpenSSL 1.1.0 crypto library libsgx_tsgxssl.a Trusted library, providing implementation for missing system APIs required by Intel® SGX SSL cryptographic library libsgx_usgxssl.a Untrusted library, providing implementation for system calls outside an enclave required to resolve external dependencies of Intel® SGX SSL* cryptographic and TLS libraries. All the libraries are built for Linux* configurations. Intel® SGX SSL* cryptographic library is OpenSSL libraries built with a few changes needed to work inside an enclave. 09/11/2017 Page 4 of 10 Intel® Software Guard Extensions SSL 2. Using Intel® Software Guard Extensions SSL Library If you already have a basic application and an enclave project, to use the Intel® SGX SSL library in an Intel® Software Guard Extensions (Intel® SGX) application project, follow the listed steps: Use following steps to set up generating proper interface between trusted and untrusted components 1. In your EDL file add: from "sgx_tsgxssl.edl" import *; 2. To the sgx_edger8r command running on your enclave EDL file for generating either trusted or untrusted proxy and bridge routines, add the path to the sgx_tsgxssl.edl with the --search path option In the Enclave project, use the following steps to set up the environment for the Intel® SGX SSL 1. Use –L flag to provide the linker with the path to the trusted Intel® SGX SSL libraries libsgx_tsgxssl_crypto.a and libsgx_tsgxssl.a, with -L$(SGXSSL_TRUSTED_LIB_PATH) 2. Use -Wl,--whole-archive -lsgx_tsgxssl -Wl,--no-whole-archive –lsgx_tsgxssl_crypto –lsgx_tsetjmp to provide the linker with the names of Intel® SGX SSL trusted libraries and the setjmp library which is also needed (comes with Intel® SGX SDK) 3. Use -I compilation flag to specify the path to the Intel® SGX SSL header files, like -I$(SGXSSL_INCLUDE_PATH) 4. The Intel® SGX SSL include path also includes a reduced “pthread.h” file which only have 3 definitions, it is included from openssl/crypto.h. Make sure it is not in the path of your regular application as it may cause compilation errors 5. Include tsgxsslio.h file to avoid error on undeclared FILE symbol. You can do it either directly from your source files, or by using –include "tsgxsslio.h" compiler flag 6. Initialize OpenSSL crypto library by calling OPENSSL_init_crypto(0, NULL). Make sure to initialize before the first call to OpenSSL APIs. In the Application project, use the following steps to set up the environment for the Intel® SGX SSL library: 1. Use –L flag to provide the linker with the path to the untrusted Intel® SGX SSL library libsgx_usgxssl.a, with -L$(SGXSSL_UNTRUSTED_LIB_PATH) 2. Use –lsgx_usgxssl to provide the linker with the names of Intel® SGX SSL untrusted libraries NOTE: In the current Intel® SGX SDK, the release mode does not generate the enclave.signed.so, but rather prepare a signing material because it should be signed in a secure machine that protects the private key. Enclaves signed with single-step signing method using ISV’s test private key can only be launched in debug or prerelease modes. 09/11/2017 Page 5 of 10 Intel® Software Guard Extensions SSL 3. Supported APIs The Intel® SGX SSL Library exposes two different set of APIs: Supported OpenSSL APIs - representing a subset of the OpenSSL APIs supported by the Intel® SGX SSL library. They are fully compliant with unmodified OpenSSL APIs. Other APIs are neither validated, not filtered out. All supported OpenSSL APIs are listed in Appendix A. Manageability APIs are exposed by our trusted library to provide following services: API Description SGXSSLSetPrintToStdoutStderrCB Set callback function to intercept printouts sent by Intel® SGX SSL cryptographic and TLS libraries to stdout/stderr. If not used, the printouts will be silently omitted. SGXSSLGetSgxSSLVersion Get the Intel® SGX SSL library version. SGXSSLSetUnreachableCodePolicy Set unreachable code policy. Unreachable code consists of functions and flows that under our implementation should never be reached. That is why, by default, reaching unreachable code will cause an enclave to be aborted. SGXSSLSetPrintToStdoutStderrCB The SGXSSLSetPrintToStdoutStderrCB function sets callback function to intercept Intel® SGX SSL cryptographic and TLS libraries printouts sent to stdout/stderr . If not used, the printouts will be silently omitted. Syntax void SGXSSLSetPrintToStdoutStderrCB( PRINT_TO_STDOUT_STDERR_CB cb ); Parameters cb [in] Callback function to intercept OpenSSL printouts to stdout/stderr. Return value This function does not return a value. Description The SGXSSLSetPrintToStdoutStderrCB function registers a callback function to intercept Intel® SGX SSL cryptographic and TLS printouts sent to stdout/stderr. If not used, the printouts will be silently omitted. Requirements Header tSgxSSL_api.h Library sgx_tsgxssl.lib 09/11/2017 Page 6 of 10 Intel® Software Guard Extensions SSL SGXSSLGetSgxSSLVersion The SGXSSLGetSgxSSLVersion function returns the Intel® SGX SSL libraries version. Syntax const char* SGXSSLGetSgxSSLVersion( void ); Parameters None Return value This function returns the Intel® SGX SSL libraries version string. Description The SGXSSLGetSgxSSLVersion function returns the Intel® SGX SSL libraries version string. Requirements Header tSgxSSL_api.h Library sgx_tsgxssl.lib SGXSSLSetUnreachableCodePolicy The SGXSSLSetUnreachableCodePolicy function sets unreachable code policy. If not used, reaching unreachable code will cause an enclave to be aborted. Syntax void SGXSSLSetUnreachableCopdePolicy( UnreachableCopdePolicy_t policy ); Parameters policy [in] The valid value is UNREACH_CODE_ABORT_ENCLAVE or UNREACH_CODE_REPORT_ERR_AND_CONTINUE. UNREACH_CODE_ABORT_ENCLAVE value means that reaching unreachable code will cause an enclave to be aborted. This is the default policy, applied by Intel® SGX SSL library. UNREACH_CODE_REPORT_ERR_AND_CONTNUE value means that reaching unreachable code will cause reporting an error through return value and/or setting last error/errno. Return value None. Description The SGXSSLSetUnreachableCodePolicy function sets unreachable code policy. Unreachable code consists of functions and flows that under our implementation should never be reached. Reaching them may indicate that severe error/memory corruption happened. That is why, by default, reaching unreachable code will cause an enclave to be aborted. 09/11/2017 Page 7 of 10 Intel® Software Guard Extensions SSL For customers, which in any case prefer to continue execution, additional mode, reporting an error through return value and/or setting last error/errno, is supported. Requirements Header tSgxSSL_api.h Library sgx_tsgxssl.lib 09/11/2017 Page 8 of 10 Intel® Software Guard Extensions SSL 4. Appendix A: Supported APIs Intel® SGX SSL library supports the following APIs: Purpose Type OpenSSL APIs Digest MD5 EVP_MD_CTX_new SHA-1 EVP_MD_CTX_free SHA-2 (224, 256, 384, 512) EVP_DigestInit_ex EVP_DigestUpdate EVP_DigestFinal_ex EVP_md5 EVP_sha1 EVP_sha224, EVP_sha256, EVP_sha384, EVP_sha512 Keyed Hash HMAC HMAC_CTX_init HMAC_CTX_cleanup HMAC_Init_ex HMAC_Update HMAC_Final Public Key RSA 1024, 2048, 4096 EC_KEY_new_by_curve_name Cryptography ECDSA NIST P-256, P-384, P-521 EC_KEY_set_asn1_flag ECDH NIST P-256, P-384, P-521 EC_KEY_free EC_KEY_generate_key RSA_new RSA_free RSA_generate_key_ex RSA_private_decrypt EVP_PKEY_new EVP_PKEY_assign_EC_KEY EVP_PKEY_assign_RSA EVP_PKEY_free EVP_MD_CTX_create EVP_MD_CTX_destroy EVP_SignInit_ex EVP_SignUpdate EVP_SignFinal EVP_VerifyInit_ex EVP_VerifyUpdate EVP_VerifyFinal 09/11/2017 Page 9 of 10 Intel® Software Guard Extensions SSL Symmetric AES-GCM 128, 256 Encryption EVP_CIPHER_CTX_init EVP_CIPHER_CTX_ctrl EVP_CIPHER_CTX_cleanup EVP_CipherInit_ex EVP_CipherUpdate EVP_CipherFinal_ex EVP_aes_128_gcm EVP_aes_256_gcm Other Public key cryptography: RSA, EC BN_new BN_set_word OBJ_txt2nid i2d_PublicKey I2d_PrivateKey RAND_add RAND_seed 09/11/2017 Page 10 of 10
Source Exif Data:
File Type : PDF File Type Extension : pdf MIME Type : application/pdf PDF Version : 1.5 Linearized : No Page Count : 10 Language : en-US Tagged PDF : Yes Title : Intel® Software Guard Extensions SSL Developer Guide Author : Intel Corporation Subject : Intel® Software Guard Extensions SSL Keywords : Intel®, Software, Guard, Extensions, SSL, Developer, Guide Creator : Microsoft® Word 2013 Create Date : 2018:01:15 11:27:15+02:00 Modify Date : 2018:01:15 11:27:15+02:00 Producer : Microsoft® Word 2013EXIF Metadata provided by EXIF.tools