@linux_sgx//:sgx_sdk.bzl

asylo_sgx_backend

asylo_sgx_backend(name)

Defines an Asylo backend label for the SGX backend. Should only be used by @linux_sgx.

ATTRIBUTES

Name Description Type Mandatory
name A unique name for this target. Name required

boringssl_sign_enclave_signing_material

boringssl_sign_enclave_signing_material(name, private_key, signature, signing_material)

Signs an enclave signing material file with a given private key for use in sgx_signed_enclave.

ATTRIBUTES

Name Description Type Mandatory
name A unique name for this target. Name required
private_key The RSA-3072 private key with public exponent 3 in PEM format used to sign the input enclave signing material. Label required
signature The output signature file name [default: <name>.sig]. Label optional
signing_material A target defined by sgx_generate_enclave_signing_material. Label required

enclave_lds

enclave_lds(name, debug, simulation)

Creates a version script to limit enclave symbol visibility

ATTRIBUTES

Name Description Type Mandatory
name A unique name for this target. Name required
debug - Boolean required
simulation - Boolean required

sgx_full_enclave_configuration

sgx_full_enclave_configuration(name, base, disable_debug, heap_max_size, isvextprodid, isvfamilyid, isvsvn, kss, misc_mask, misc_select, prodid, provision_key, stack_max_size, tcs_num, tcs_policy)

Defines an enclave configuration that is meant to be used as base configuration. Use sgx_enclave_configuration to get a sensible default base.

ATTRIBUTES

Name Description Type Mandatory
name A unique name for this target. Name required
base An initial configuration from which to derive. Base configuration fields may be overwritten by setting fields in this configuration. Label optional
disable_debug Indicates whether launching the enclave in debug mode is disabled String optional
heap_max_size The enclave’s maximum heap size in bytes (4KB aligned) String optional
isvextprodid The enclave’s 16-byte extended ISVPRODID value. It is an error to set this attribute if ‘kss’ is set to False String optional
isvfamilyid The enclave’s 16-byte extended ISV Family ID. It is an error to set this attribute if ‘kss’ is set to False String optional
isvsvn The enclave’s ISV (Independent Software Vendor) assigned Security Version Number String optional
kss A boolean that indicates whether the enclave can use Key Sharing and Separation (KSS) Boolean optional
misc_mask A mask indicating which bits in misc_select are enforced String optional
misc_select The desired Extended SSA frame feature (must be 0) String optional
prodid The enclave’s ISV (Independent Software Vendor) assigned Product ID String optional
provision_key Indicates whether the enclave has access to the Provisioning Key and the Provisioning Seal Key String optional
stack_max_size The enclave’s maximum stack size in bytes (4KB aligned) String optional
tcs_num The number of Thread Control Structures allocated for the enclave String optional
tcs_policy The TCS management policy (0 - The TCS is bound to the untrusted thread, 1 - The TCS is unbound to the untrusted thread) String optional

sgx_generate_enclave_signing_material

sgx_generate_enclave_signing_material(name, config, sign_tool, signing_material, unsigned)

Creates a file that contains the parts of the enclave SIGSTRUCT that must be signed.

ATTRIBUTES

Name Description Type Mandatory
name A unique name for this target. Name required
config A path to a configuration XML file, or a label of an sgx_enclave_config target. A configuration specifies identity attributes, runtime behaviors that are security-critical, and other components of the enclave SIGSTRUCT. Label required
sign_tool - Label optional
signing_material The name of the output file. Default is “<name>.dat”. Label optional
unsigned The label of the unsigned enclave binary to be measured and hashed as a SIGSTRUCT field Label required

sgx_signed_enclave

sgx_signed_enclave(name, public_key, sign_tool, signature, signing_material)

Creates a signed enclave binary using a signature file.

ATTRIBUTES

Name Description Type Mandatory
name A unique name for this target. Name required
public_key The public key to verify the provided signature. Label required
sign_tool - Label optional
signature The sha256 digest of the enclave signing material signed by the RSA-3072 private key with public exponent 3. Label required
signing_material The label of a sgx_generate_enclave_signing_material target that includes both the unsigned enclave and its config. Label required

SGXEnclaveConfigInfo

SGXEnclaveConfigInfo(disable_debug, heap_max_size, isvsvn, misc_mask, misc_select, prodid, provision_key, kss, isvextprodid, isvfamilyid, stack_max_size, tcs_num, tcs_policy)

Stores an enclave configuration for enclave signing

FIELDS

Name Description
disable_debug Indicates whether launching the enclave in debug mode is disabled
heap_max_size The enclave’s maximum heap size in bytes (4KB aligned)
isvsvn The enclave’s ISV (Independent Software Vendor) assigned Security Version Number
misc_mask A mask indicating which bits in misc_select are enforced
misc_select The desired Extended SSA frame feature (must be 0)
prodid The enclave’s ISV (Independent Software Vendor) assigned Product ID
provision_key Indicates whether the enclave has access to the Provisioning Key and the Provisioning Seal Key
kss A boolean that indicates whether the enclave can use Key Sharing and Separation (KSS)
isvextprodid The enclave’s 16-byte extended ISVPRODID value. It is an error to set this attribute if ‘kss’ is set to False
isvfamilyid The enclave’s 16-byte extended ISV Family ID. It is an error to set this attribute if ‘kss’ is set to False
stack_max_size The enclave’s maximum stack size in bytes (4KB aligned)
tcs_num The number of Thread Control Structures allocated for the enclave
tcs_policy The TCS management policy (0 - The TCS is bound to the untrusted thread, 1 - The TCS is unbound to the untrusted thread)

SGXEnclaveInfo

SGXEnclaveInfo()

A provider attached to an SGX enclave target for compile-time type-checking purposes

FIELDS

SGXSigstructInfo

SGXSigstructInfo(config, unsigned)

A provider on enclave signing material that carries the enclave and configuration targets that generate it.

FIELDS

Name Description
config An SGXEnclaveConfigInfo provider that represents the configuration options
unsigned A cc_unsigned_enclave in an SGX backend

boringssl_sign_sigstruct

boringssl_sign_sigstruct(name, sigstruct, kwargs)

Signs enclave signing material with a given private key.

PARAMETERS

Name Description Default Value
name The rule name. none
sigstruct A target defined by sgx_generate_enclave_signing_material. none
kwargs The arguments passed to boringssl_sign_enclave_signing_material. none

sgx.boringssl_sign_sigstruct

sgx.boringssl_sign_sigstruct(name, sigstruct, kwargs)

Signs enclave signing material with a given private key.

PARAMETERS

Name Description Default Value
name The rule name. none
sigstruct A target defined by sgx_generate_enclave_signing_material. none
kwargs The arguments passed to boringssl_sign_enclave_signing_material. none

sgx.debug_enclave

sgx.debug_enclave(name, unsigned, config, tags, deprecation, visibility, testonly)

Creates a signed enclave binary by using a debug key.

PARAMETERS

Name Description Default Value
name The target name none
unsigned The label of the unsigned enclave binary. none
config The enclave configuration label to use. None
tags Bazel tags to add to name. []
deprecation An optional deprecation message that issues a warning. None
visibility The optional visibility of the enclave binary. None
testonly True if the target should only be used in tests. False

sgx.enclave_configuration

sgx.enclave_configuration(base, kwargs)

Wraps sgx_full_enclave_configuration with a default base target.

PARAMETERS

Name Description Default Value
base An optional base config
[default @linux_sgx//:enclave_debug_config].
"@linux_sgx//:enclave_debug_config"
kwargs The rest of the sgx_full_enclave_configuration arguments. none

sgx.generate_sigstruct

sgx.generate_sigstruct(name, sigstruct, kwargs)

Creates a file that contains parts of the enclave SIGSTRUCT.

PARAMETERS

Name Description Default Value
name The rule name. none
sigstruct The name of the output file. Default is “<name>.dat”. None
kwargs The arguments passed to sgx_generate_enclave_signing_material. none

sgx.tags

sgx.tags()

Returns tags for SGX targets.

PARAMETERS

sgx.unsigned_enclave

sgx.unsigned_enclave(name, stamp, backends, name_by_backend, kwargs)

Build rule for creating a C++ unsigned SGX enclave shared object file.

PARAMETERS

Name Description Default Value
name The enclave target name. none
stamp The cc_binary stamp argument, but with a default value 0. 0
backends The Asylo backend labels to build with (:asylo_sgx_sim and/or
:asylo_sgx_hw)
{"@linux_sgx//:asylo_sgx_hw": struct(config_settings = ["@linux_sgx//:sgx_hw"], debug_default_config = "@linux_sgx//:enclave_debug_config", debug_private_key = "@linux_sgx//:enclave_test_private.pem", name_derivation = "_sgx_hw", order = 2, sign_tool = "@linux_sgx//:sgx_sign_tool", tags = ["asylo-sgx-hw", "manual"]), "@linux_sgx//:asylo_sgx_sim": struct(config_settings = ["@linux_sgx//:sgx_sim"], debug_default_config = "@linux_sgx//:enclave_debug_config", debug_private_key = "@linux_sgx//:enclave_test_private.pem", name_derivation = "_sgx_sim", order = 1, sign_tool = "@linux_sgx//:sgx_sign_tool", tags = ["asylo-sgx-sim", "manual"])}
name_by_backend A dict from backend label to enclave target name.
Optional.
{}
kwargs cc_binary arguments. none

sgx_debug_enclave

sgx_debug_enclave(name, unsigned, config, tags, deprecation, visibility, testonly)

Creates a signed enclave binary by using a debug key.

PARAMETERS

Name Description Default Value
name The target name none
unsigned The label of the unsigned enclave binary. none
config The enclave configuration label to use. None
tags Bazel tags to add to name. []
deprecation An optional deprecation message that issues a warning. None
visibility The optional visibility of the enclave binary. None
testonly True if the target should only be used in tests. False

sgx_enclave_configuration

sgx_enclave_configuration(base, kwargs)

Wraps sgx_full_enclave_configuration with a default base target.

PARAMETERS

Name Description Default Value
base An optional base config
[default @linux_sgx//:enclave_debug_config].
"@linux_sgx//:enclave_debug_config"
kwargs The rest of the sgx_full_enclave_configuration arguments. none

sgx_generate_sigstruct

sgx_generate_sigstruct(name, sigstruct, kwargs)

Creates a file that contains parts of the enclave SIGSTRUCT.

PARAMETERS

Name Description Default Value
name The rule name. none
sigstruct The name of the output file. Default is “<name>.dat”. None
kwargs The arguments passed to sgx_generate_enclave_signing_material. none

sgx_tags

sgx_tags()

Returns tags for SGX targets.

PARAMETERS

sgx_unsigned_enclave

sgx_unsigned_enclave(name, stamp, backends, name_by_backend, kwargs)

Build rule for creating a C++ unsigned SGX enclave shared object file.

PARAMETERS

Name Description Default Value
name The enclave target name. none
stamp The cc_binary stamp argument, but with a default value 0. 0
backends The Asylo backend labels to build with (:asylo_sgx_sim and/or
:asylo_sgx_hw)
{"@linux_sgx//:asylo_sgx_hw": struct(config_settings = ["@linux_sgx//:sgx_hw"], debug_default_config = "@linux_sgx//:enclave_debug_config", debug_private_key = "@linux_sgx//:enclave_test_private.pem", name_derivation = "_sgx_hw", order = 2, sign_tool = "@linux_sgx//:sgx_sign_tool", tags = ["asylo-sgx-hw", "manual"]), "@linux_sgx//:asylo_sgx_sim": struct(config_settings = ["@linux_sgx//:sgx_sim"], debug_default_config = "@linux_sgx//:enclave_debug_config", debug_private_key = "@linux_sgx//:enclave_test_private.pem", name_derivation = "_sgx_sim", order = 1, sign_tool = "@linux_sgx//:sgx_sign_tool", tags = ["asylo-sgx-sim", "manual"])}
name_by_backend A dict from backend label to enclave target name.
Optional.
{}
kwargs cc_binary arguments. none