This is a scaffold for creating an SGX enclave with Rust. It shows how to build an enclave based on the Automata SGX SDK, which makes it easier for developers to get started with SGX. The project contains the basic guide for the following scenarios:
- Call the code inside the enclave via ECALL
- Call the code outside the enclave via OCALL
- Use libraries inside the enclave
- Generate DCAP attestation report
├── app: The main application │ ├── sgx: Configurations for the enclave │ │ ├── config.xml: Developer defined parameters of the enclave │ │ ├── enclave.edl: Enclave Definition Language file defining the enclave interface │ │ ├── enclave.lds: Linker script for the enclave │ │ └── private.pem: Developer key used to sign the enclave, do not use this key to sign your enclave in production, please use your own key │ ├── src/main.rs: Main entrypoint for the application │ └── build.rs: Builder code used to build the application, you don't need change it ├── enclave: The SGX enclave implementation │ └── lib.rs: Main library file for the enclave implementation ├── mock-lib: A mock library which is called by the enclave via OCALL │ └── lib.rs: Main library file for the mock library implementation
Following the steps below to create your first enclave.
- Modify the
enclave/src/lib.rs
file to add your business logic. You can use other libraries just like writing a normal Rust program. Refer to the usage ofserde_json
as an example. - Update the
app/sgx/enclave.edl
file if you need to change the ECALL interface or add new ECALLs. - Refer to the usage
mock-lib
if you want to use libraries via OCALL. For example, you need to use a library that use instructions not allowed(such as CPUID or GETSEC) in enclave.
Refer to the Automata DCAP Attestation repo for more details about verification of the DCAP attestation.
In order to build the enclave, you need to have a sgx-supported machine.
If you have a machine with SGX support, please check the version of your SGX and DCAP SDK. The latest version supported by Automata SGX SDK can be found here.
If you don't have a machine with SGX support, we recommend you to create a DCsv3
instance in Azure. Please refer to the docker folder for the list of supported systems and create the instance using one of these systems. You can either install the SGX and DCAP SDK manually by following the steps outlined in the Dockerfile, or alternatively, you can use Docker to build and run the enclave directly.
You need to have a sgx-supported machine with SGX and DCAP SDK installed to build the enclave manually.
git clone https://github.com/automata-network/sgx-scaffold.git
cd sgx-scaffold
You can click the Use this template
button to create a new repository.
cargo install cargo-sgx
Once you have installed cargo-sgx
, you can check the help menu to see the available commands.
cargo sgx --help
cargo sgx gen-key app/sgx/private.pem
cargo sgx build
or you can run the enclave directly
cargo sgx run
You can find the executable file in ./target/debug
or ./target/release
directory.
You need to have a sgx-supported machine to build the enclave with docker. Make sure you got the docker and docker-compose installed.
Build image for ubuntu 20.04
$ cd docker/ubuntu-20.04
$ docker compose build
Build image for ubuntu 22.04
$ cd docker/ubuntu-22.04
$ docker compose build
We also have the prebuilt docker image in here
Run image for ubuntu 20.04
$ cd docker/ubuntu-20.04
$ docker compose run sgx-scaffold
Run image for ubuntu 22.04
$ cd docker/ubuntu-22.04
$ docker compose run sgx-scaffold