Teaclave Meetup #8

October 14, 2021 · Mingshen Sun

# Agenda

  • Recent update in Teaclave — Mingshen Sun
  • Using and Customizing Teaclave SGX SDK — Shunfan Zhou

# Notes

# Recent Update in Teaclave — Mingshen


  • [docker] start Teaclave docker services with auto-detection mechanism (#559).
  • Use run-teaclave-service.sh instead of using docker-compose directly.


TrustZone SDK

OP-TEE with Rust


Project Powered By Teaclave

Teaclave TrustZone SDK Links in Homepage


  • New committers: Yuan Zhuang and Rong Fan from Baidu
  • Discord: Connect directly with Teaclave community members (join link: https://discord.gg/ynECXsxm5P)


  • SmashEx: Smashing SGX Enclaves Using Exceptions (to appear at CCS 2021): Jinhua Cui (National University of Defense Technology, National University of Singapore); Zhijingcheng Yu (National University of Singapore); Shweta Shinde (ETH Zurich); Prateek Saxena (National University of Singapore); Zhiping Cai (National University of Defense Technology)
  • https://arxiv.org/ftp/arxiv/papers/2110/2110.06657.pdf
  • CVE-2021-0186
    • https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00548.html
    • Description: Improper input validation in the Intel(R) SGX SDK applications compiled for SGX2 enabled processors may allow a privileged user to potentially escalation of privilege via local access.
    • Affected Products: Intel SGX SDK for Windows v2.12 and earlier, Intel SGX SDK for Linux v2.13 and earlier, Intel® Processors supporting SGX2.
    • Intel recommends updating the Intel® SGX SDK to the versions listed below. Enclaves built with the new Intel® SGX SDK version should increment the value of their ISVSVN field.
  • Patch: https://github.com/intel/linux-sgx/commit/edfe42a517b3e4b1d81204c3cdef6da6cb35fefc

Patch in Intel SGX SDK

# Using and Customizing Teaclave SGX SDK — Shunfan Zhou

  • Teaclave SGX SDK
    • pro: security
    • con: testing is hard
  • Case study: rust-bitcoin
    • std
    • Feature
    • Port dependencies recursively
  • Some issues
    • efforts of porting
    • security: 1) updates of upstream, 2) unit tests
    • More TEE backend: AMD SEV, ARM CCA
  • libs is not completed in SGX for vanilla Rust standard library
  • Phala libc-hacks
    • directly use Intel's libc
    • use ocall warpper functions
  • Conflicts: multiple language items in Rust
  • Runtime behavior checks
  • HW mode issue: rand::thread_rnd() is using CPUID, which is not allowed in SGX
  • Check instructions after compiling

# Free Discussion

# Attendees

  • Mingshen Sun
  • Qinkun Bao
  • He Sun
  • George
  • Hongbo Chen
  • hang
  • Kevin
  • Ben
  • Ruide
  • Rudong Zhou
  • shelven
  • Tongxin Li
  • Weijie Liu
  • Zha0Chan
  • Tianyi Li
  • DuanRan
  • Gordon
  • david

# Group Photo

Group Photo