Some questions about the use of enclave

[DylanWangWQF]

Hi, everyone!
I have a question about the operations inside the enclave.

As far as I know, OpenEnclave currently does not support fstream inside the enclave. So how should we load the file content inside the enclave? (C/C++). And for other functions which are not supported in OpenEnclave? Are there some Docs to introduce these codes?

BTW, are there any Docs to introduce the use of Oblivious Primitives such as oassign(), osort() in secure-XGBoost?

Thank you in advance!

[chester-leung]

Hi @DylanWangWQF, thanks for your interest in our project!

Regarding loading files inside the enclave, we load the host file system module when initializing an enclave, which enables us to call functions like fopen and fread within the enclave.

For some more information on the oblivious primitives we use, please see section 6 of our paper.

[DylanWangWQF]

Many thanks for your help! @chester-leung I will study this and figure out how it works.

[DylanWangWQF]

Hi @chester-leung , Sry for reopening this issue, I have another question.

Now, I want to link the NTL and GMP library inside the enclave. Could you tell me how do you use other libraries inside the enclave in this project?

For the AVX2 instructions in this project (#include <intrinsics/immintrin.h>), can we use it directly inside the enclave? Since I didn't find related docs to introduce it, I'm confusing to understand the mechanism by reading the code.

Thank you in advance!

[chester-leung]

@DylanWangWQF in general, if you want to link other libraries into the enclave, you can link them in CMakeLists.txt. See here for an example of how we linked an external library (spdlog) for usage within the enclave. Some libraries may not be completely compatible to work inside the enclave, e.g. some syscalls aren't supported, so you may have to go in and remove/modify those functions if you don't need them.

My colleague @podcastinator will answer your question about AVX2 instructions.

What is your use case here? Maybe we can work with you to build something if you're willing to contribute back to the open source.

[podcastinator]

Hi @DylanWangWQF, yes, you can use the AVX2 instructions directly inside the enclave. Please see https://github.com/mc2-project/secure-xgboost/blob/master/include/enclave/obl_primitives.h for examples. (You will need to set the CMake flag USE_AVX2 to enable the use of AVX instructions inside the enclave -- this causes the enclave target to be compiled with the requisite -mavx2 compiler flag)

[DylanWangWQF]

@podcastinator
Many thanks for your reply! I will study the use of AVX2 in this project.

@chester-leung
Currently, I'm working on the combination of HElib and OE. As you said, I have to link other libraries and consider the compatibility inside the enclave.

[ryanleh]

@DylanWangWQF Out of curiosity, if you can tell, why are you using homomorphic encryption inside of an enclave? I haven't seen such a use-case before.

[DylanWangWQF]

@ryanleh I'd like to do some pre-computation based on HE outside the enclave. Then decrypt it inside the enclave.

May I ask how can I use the module oe_load_module_host_file_system in my sample? Where is the scource edl api?

[podcastinator]

@DylanWangWQF See here for more info on oe_load_module_host_file_system -- https://github.com/openenclave/openenclave/blob/master/docs/UsingTheIOSubsystem.md
This function is provided by the OpenEnclave SDK and is needed for loading the requisite IO modules

[DylanWangWQF]

Got it! Thank you!
@podcastinator
here should be stack pages

secure-xgboost/CMakeLists.txt

Line 30 in 96eb1a9

CACHE STRING "Number of enclave heap pages")

[DylanWangWQF]

@chester-leung
I found the heap page is around 390MB in the setting.

secure-xgboost/CMakeLists.txt

Line 27 in 96eb1a9

set(OE_NUM_HEAP_PAGES 100000

This is much larger than what existing SGX1 hardware can provide. And in your paper, it's 112Mb enclave page cache. So is this available in the project for the large program?

BTW, I'm wondering how does the enclave process large datasets, e.g, much large than 128MB?

[DylanWangWQF]

I propose this question is because the enclave image is too big after compiling inside the enclave.

drwxrwxr-x 3 dylan dylan 4.0K Jun 30 11:24 CMakeFiles/
-rw-rw-r-- 1 dylan dylan 1.2K Jun 30 11:24 cmake_install.cmake
-rwxrwxr-x 1 dylan dylan  66M Jun 30 11:24 enclave*
-rw-rw-r-- 1 dylan dylan  66M Jun 30 11:24 enclave.signed
-rw-rw-r-- 1 dylan dylan 3.3K Jun 30 11:24 heenclave_args.h
-rw-rw-r-- 1 dylan dylan 332K Jun 30 11:24 heenclave_t.c
-rw-rw-r-- 1 dylan dylan  13K Jun 30 11:24 heenclave_t.h
-rw-rw-r-- 1 dylan dylan 7.3K Jun 30 11:24 Makefile

[podcastinator]

@DylanWangWQF the 112MB limit only applies to the physical memory (i.e., the portion of the RAM dedicated to the EPC). This does not restrict the amount of virtual memory available to the enclave application, and the selected heap size determines the amount of virtual memory that the app has its disposal.