FR: Separate BoringSSL interface to have a minimal trusted interface internally to an enclave #8
Comments
|
Will you please elaborate on what you mean by "allocated inside enclaves"? Do you mean actual memory allocation, the creation of keys from a random source, or how one gets secret keys into an enclave from an untrusted environment? |
|
Yep, more specifically, I'm curious to know if private keys, session keys used to communicate with clients, and all the code related to the TLS protocol implementation (e.g. |
|
Every instance of memory allocation, either via the stack, malloc, or new, are all internal to enclaves. The enclave heap is entirely within the enclave memory, and the BoringSSL code is statically linked into Asylo enclave object files, so everything is within the enclave. It is very awkward to write memory outside of the enclave. The only interface that does it is our boundary-crossing code. You essentially have to cast an int passed in from the untrusted environment to a void* in order to start writing to untrusted memory. |
|
Thanks for the clarification. This is actually convenient. IMO it would be very useful to have a trusted BoringSSL library in which only sensitive code ( |
|
Okay, yes. Asylo currently doesn't have a lightweight way to call out of the enclave to user-defined interfaces/library wrappers. You can achieve this by using gRPC to make RPCs out of the enclave. This is an interesting offering for minimizing the TCB, so we'll keep it in mind for our roadmap. I'll keep this issue open and edit the title to track this feature request. |
deeglaze
changed the title
I wonder if the current
BoringSSLwrapper is actually benefiting from the trusted hardware (see https://github.com/google/channel-id-enclave/tree/master/boringssl). Simply put, are the secrets (private key, session key, etc.) allocated inside enclaves?The text was updated successfully, but these errors were encountered: