The native format for SGX enclaves is the SGX stream (SGXS) format. Your compiler probably doesn't output binaries in that format, so they must be converted. In addition, your SGX enclaves must be signed. Then, to run your enclave applications, a runner program must be executed with the SGXS and signature as input. In development, these steps are done automatically, and a default runner is provided. For deployment, these steps can and should be customized.
The Rust compiler (normally invoked via Cargo) produces a binary in the ELF
format. To run it, it must be converted into the processor's native enclave format,
SGXS. This can be done with
ftxsgx-elf2sgxs --help for
more usage information.
ftxsgx-elf2sgxs myapp --heap-size 0x20000 --stack-size 0x20000 --threads 10 --debug
At the very least, you must specify the stack size (
-S) and heap size (
for your enclave. You should specify the smallest size that works for your
application. Specifying a size that's too small will result in an enclave panic
when the stack or heap is full, and specifying a size that's too large will
increase enclave load time and may worsen overall performance.
Another useful parameter to tweak is the number of threads (
Creating an unsized enclave (advanced)
ftxsgx-elf2sgxs will create a sized SGXS file. The enhanced SGXS
format can also represent unsized enclaves. Data can be appended to an
unsized SGXS file using
sgxs-append, which will turn it into a sized SGXS
file. Only a sized SGXS file can be signed. You can create an unsized SGXS file
All enclaves must be signed prior to running. The signing key is a security principal in remote attestation and when using MRSIGNER-based sealing. Also, on platforms without Flexible Launch Control, the signing key may determine which enclaves can be run in production mode.
You can generate a new signing key with OpenSSL:
openssl genrsa -3 3072 > my_key.pem
Your production signing key is valuable and should be stored securely, for example in SDKMS.
To sign an enclave, use
sgxs-sign. Make sure to specify
sgxs-sign --help for more usage information.
sgxs-sign --key my_key.pem myapp.sgxs myapp.sig -d --xfrm 7/0 --isvprodid 0 --isvsvn 0
If you don't have
sgxs-sign yet, you can install it from crates.io:
cargo install sgxs-tools
An enclave needs a runner to execute and to interact with the outside world.
Any runner that implements the Fortanix SGX ABI can run any Fortanix Rust EDP
enclave. A default runner
ftxsgx-runner is provided.
The runner will look for a signature file ending in
.sig next to the SGXS
file. If it can't find it, a dummy signature is generated using a
publicly-known dummy key. MRSIGNER-based sealing should not be used when using
a dummy signature.
You can easily implement your own runner using the