Join our public slack channel for support, discussions and more...


The native format for SGX enclaves is the SGX stream (SGXS) format. Your compiler probably doesn't output binaries in that format, so they must be converted. In addition, your SGX enclaves must be signed. Then, to run your enclave applications, a runner program must be executed with the SGXS and signature as input. In development, these steps are done automatically, and a default runner is provided. For deployment, these steps can and should be customized.

SGXS conversion

The Rust compiler (normally invoked via Cargo) produces a binary in the ELF format. To run it, it must be converted into the processor's native enclave format, SGXS. This can be done with ftxsgx-elf2sgxs. Run ftxsgx-elf2sgxs --help for more usage information.

ftxsgx-elf2sgxs myapp --heap-size 0x20000 --stack-size 0x20000 --threads 10 --debug

Conversion parameters

At the very least, you must specify the stack size (-S) and heap size (-H) for your enclave. You should specify the smallest size that works for your application. Specifying a size that's too small will result in an enclave panic when the stack or heap is full, and specifying a size that's too large will increase enclave load time and may worsen overall performance.

Another useful parameter to tweak is the number of threads (-t).

Creating an unsized enclave (advanced)

Normally, ftxsgx-elf2sgxs will create a sized SGXS file. The enhanced SGXS format can also represent unsized enclaves. Data can be appended to an unsized SGXS file using sgxs-append, which will turn it into a sized SGXS file. Only a sized SGXS file can be signed. You can create an unsized SGXS file with ftxsgx-elf2sgxs --unsized.


All enclaves must be signed prior to running. The signing key is a security principal in remote attestation and when using MRSIGNER-based sealing. Also, on platforms without Flexible Launch Control, the signing key may determine which enclaves can be run in production mode.

You can generate a new signing key with OpenSSL:

openssl genrsa -3 3072 > my_key.pem

Your production signing key is valuable and should be stored securely, for example in SDKMS.

To sign an enclave, use sgxs-sign. Make sure to specify --xfrm, --isvprodid, and --isvsvn. See sgxs-sign --help for more usage information.

sgxs-sign --key my_key.pem myapp.sgxs myapp.sig -d --xfrm 7/0 --isvprodid 0 --isvsvn 0

If you don't have sgxs-sign yet, you can install it from

cargo install sgxs-tools


An enclave needs a runner to execute and to interact with the outside world. Any runner that implements the Fortanix SGX ABI can run any Fortanix Rust EDP enclave. A default runner ftxsgx-runner is provided.

ftxsgx-runner myapp.sgxs

The runner will look for a signature file ending in .sig next to the SGXS file. If it can't find it, a dummy signature is generated using a publicly-known dummy key. MRSIGNER-based sealing should not be used when using a dummy signature.

You can easily implement your own runner using the enclave-runner crate.