@linux_sgx//:sgx_sdk.bzl

asylo_sgx_backend

asylo_sgx_backend(name)

Defines an Asylo backend label for the SGX backend. Should only be used by @linux_sgx.

ATTRIBUTES

Name Description Type Mandatory
name A unique name for this target. Name required

enclave_lds

enclave_lds(name, debug, simulation)

Creates a version script to limit enclave symbol visibility

ATTRIBUTES

Name Description Type Mandatory
name A unique name for this target. Name required
debug - Boolean required
simulation - Boolean required

sgx_full_enclave_configuration

sgx_full_enclave_configuration(name, base, disable_debug, heap_max_size, isvextprodid, isvfamilyid, isvsvn, kss, misc_mask, misc_select, prodid, provision_key, stack_max_size, tcs_num, tcs_policy)

Defines an enclave configuration that is meant to be used as base configuration. Use sgx_enclave_configuration to get a sensible default base.

ATTRIBUTES

Name Description Type Mandatory
name A unique name for this target. Name required
base An initial configuration from which to derive. Base configuration fields may be overwritten by setting fields in this configuration. Label optional
disable_debug Indicates whether launching the enclave in debug mode is disabled String optional
heap_max_size The enclave’s maximum heap size in bytes (4KB aligned) String optional
isvextprodid The enclave’s 16-byte extended ISVPRODID value. It is an error to set this attribute if ‘kss’ is set to False String optional
isvfamilyid The enclave’s 16-byte extended ISV Family ID. It is an error to set this attribute if ‘kss’ is set to False String optional
isvsvn The enclave’s ISV (Independent Software Vendor) assigned Security Version Number String optional
kss A boolean that indicates whether the enclave can use Key Sharing and Separation (KSS) Boolean optional
misc_mask A mask indicating which bits in misc_select are enforced String optional
misc_select The desired Extended SSA frame feature (must be 0) String optional
prodid The enclave’s ISV (Independent Software Vendor) assigned Product ID String optional
provision_key Indicates whether the enclave has access to the Provisioning Key and the Provisioning Seal Key String optional
stack_max_size The enclave’s maximum stack size in bytes (4KB aligned) String optional
tcs_num The number of Thread Control Structures allocated for the enclave String optional
tcs_policy The TCS management policy (0 - The TCS is bound to the untrusted thread, 1 - The TCS is unbound to the untrusted thread) String optional

SGXEnclaveConfigInfo

SGXEnclaveConfigInfo(disable_debug, heap_max_size, isvsvn, misc_mask, misc_select, prodid, provision_key, kss, isvextprodid, isvfamilyid, stack_max_size, tcs_num, tcs_policy)

Stores an enclave configuration for enclave signing

FIELDS

Name Description
disable_debug Indicates whether launching the enclave in debug mode is disabled
heap_max_size The enclave’s maximum heap size in bytes (4KB aligned)
isvsvn The enclave’s ISV (Independent Software Vendor) assigned Security Version Number
misc_mask A mask indicating which bits in misc_select are enforced
misc_select The desired Extended SSA frame feature (must be 0)
prodid The enclave’s ISV (Independent Software Vendor) assigned Product ID
provision_key Indicates whether the enclave has access to the Provisioning Key and the Provisioning Seal Key
kss A boolean that indicates whether the enclave can use Key Sharing and Separation (KSS)
isvextprodid The enclave’s 16-byte extended ISVPRODID value. It is an error to set this attribute if ‘kss’ is set to False
isvfamilyid The enclave’s 16-byte extended ISV Family ID. It is an error to set this attribute if ‘kss’ is set to False
stack_max_size The enclave’s maximum stack size in bytes (4KB aligned)
tcs_num The number of Thread Control Structures allocated for the enclave
tcs_policy The TCS management policy (0 - The TCS is bound to the untrusted thread, 1 - The TCS is unbound to the untrusted thread)

SGXEnclaveInfo

SGXEnclaveInfo()

A provider attached to an SGX enclave target for compile-time type-checking purposes

FIELDS

SGXSigstructInfo

SGXSigstructInfo(config, unsigned)

A provider on enclave signing material that carries the enclave and configuration targets that generate it.

FIELDS

Name Description
config An SGXEnclaveConfigInfo provider that represents the configuration options
unsigned A cc_unsigned_enclave in an SGX backend

boringssl_sign_enclave_signing_material

boringssl_sign_enclave_signing_material(name, signing_material, private_key, signature, backends, name_by_backend, visibility, tags, testonly)

Signs signing material with a private key.

Signing is done in each backend if transitions enabled.

PARAMETERS

Name Description Default Value
name The rule name, used in name derivations if transitions enabled. none
signing_material The output of generate_enclave_signing_material. none
private_key A label to an RSA 3072 public exponent 3 private key in
PEM format.
none
signature An optional output file name (default name + “.sig”, where
name is backend-specific if transitions enabled).
None
backends The list of backend labels to build signing_material against. {"@linux_sgx//:asylo_sgx_hw": struct(config_settings = ["@linux_sgx//:sgx_hw"], debug_default_config = "@linux_sgx//:enclave_debug_config", debug_private_key = "@linux_sgx//:enclave_test_private.pem", name_derivation = "_sgx_hw", order = 2, sign_tool = "@linux_sgx//:sgx_sign_tool", tags = ["asylo-sgx-hw", "manual"]), "@linux_sgx//:asylo_sgx_sim": struct(config_settings = ["@linux_sgx//:sgx_sim"], debug_default_config = "@linux_sgx//:enclave_debug_config", debug_private_key = "@linux_sgx//:enclave_test_private.pem", name_derivation = "_sgx_sim", order = 1, sign_tool = "@linux_sgx//:sgx_sign_tool", tags = ["asylo-sgx-sim", "manual"])}
name_by_backend An optional dictionary from backend label to name to
backend-specific target name.
{}
visibility An optional target visibility. None
tags Tags to apply to each target. []
testonly True if the target should only be used in tests. 0

boringssl_sign_sigstruct

boringssl_sign_sigstruct(name, sigstruct, kwargs)

Signs enclave signing material with a given private key.

PARAMETERS

Name Description Default Value
name The rule name. none
sigstruct A target defined by sgx_generate_enclave_signing_material. none
kwargs The arguments passed to boringssl_sign_enclave_signing_material. none

sgx.boringssl_sign_sigstruct

sgx.boringssl_sign_sigstruct(name, sigstruct, kwargs)

Signs enclave signing material with a given private key.

PARAMETERS

Name Description Default Value
name The rule name. none
sigstruct A target defined by sgx_generate_enclave_signing_material. none
kwargs The arguments passed to boringssl_sign_enclave_signing_material. none

sgx.boringssl_sign_enclave_signing_material

sgx.boringssl_sign_enclave_signing_material(name, signing_material, private_key, signature, backends, name_by_backend, visibility, tags, testonly)

Signs signing material with a private key.

Signing is done in each backend if transitions enabled.

PARAMETERS

Name Description Default Value
name The rule name, used in name derivations if transitions enabled. none
signing_material The output of generate_enclave_signing_material. none
private_key A label to an RSA 3072 public exponent 3 private key in
PEM format.
none
signature An optional output file name (default name + “.sig”, where
name is backend-specific if transitions enabled).
None
backends The list of backend labels to build signing_material against. {"@linux_sgx//:asylo_sgx_hw": struct(config_settings = ["@linux_sgx//:sgx_hw"], debug_default_config = "@linux_sgx//:enclave_debug_config", debug_private_key = "@linux_sgx//:enclave_test_private.pem", name_derivation = "_sgx_hw", order = 2, sign_tool = "@linux_sgx//:sgx_sign_tool", tags = ["asylo-sgx-hw", "manual"]), "@linux_sgx//:asylo_sgx_sim": struct(config_settings = ["@linux_sgx//:sgx_sim"], debug_default_config = "@linux_sgx//:enclave_debug_config", debug_private_key = "@linux_sgx//:enclave_test_private.pem", name_derivation = "_sgx_sim", order = 1, sign_tool = "@linux_sgx//:sgx_sign_tool", tags = ["asylo-sgx-sim", "manual"])}
name_by_backend An optional dictionary from backend label to name to
backend-specific target name.
{}
visibility An optional target visibility. None
tags Tags to apply to each target. []
testonly True if the target should only be used in tests. 0

sgx.debug_enclave

sgx.debug_enclave(name, kwargs)

An alias for sgx_sign_enclave_with_untrusted_key.

PARAMETERS

Name Description Default Value
name The name of the rule. none
kwargs The rest of the arguments to
sgx_sign_enclave_with_untrusted_key.
none

sgx.sign_enclave_with_untrusted_key

sgx.sign_enclave_with_untrusted_key(name, unsigned, config, key, tags, backends, name_by_backend, deprecation, visibility, testonly)

Creates a signed enclave binary by using a debug key.

PARAMETERS

Name Description Default Value
name The target name none
unsigned The label of the unsigned enclave binary. none
config The enclave configuration label to use. None
key The untrusted key to use for signing. None
tags Bazel tags to add to name. []
backends The list of backends to build against. {"@linux_sgx//:asylo_sgx_hw": struct(config_settings = ["@linux_sgx//:sgx_hw"], debug_default_config = "@linux_sgx//:enclave_debug_config", debug_private_key = "@linux_sgx//:enclave_test_private.pem", name_derivation = "_sgx_hw", order = 2, sign_tool = "@linux_sgx//:sgx_sign_tool", tags = ["asylo-sgx-hw", "manual"]), "@linux_sgx//:asylo_sgx_sim": struct(config_settings = ["@linux_sgx//:sgx_sim"], debug_default_config = "@linux_sgx//:enclave_debug_config", debug_private_key = "@linux_sgx//:enclave_test_private.pem", name_derivation = "_sgx_sim", order = 1, sign_tool = "@linux_sgx//:sgx_sign_tool", tags = ["asylo-sgx-sim", "manual"])}
name_by_backend A dictionary from backend label to target name for
user-specified target names when defining backend-specific targets.
{}
deprecation An optional deprecation message that issues a warning. None
visibility The optional visibility of the enclave binary. None
testonly True if the target should only be used in tests. False

sgx.enclave_configuration

sgx.enclave_configuration(base, kwargs)

Wraps sgx_full_enclave_configuration with a default base target.

PARAMETERS

Name Description Default Value
base An optional base config
[default @linux_sgx//:enclave_debug_config].
"@linux_sgx//:enclave_debug_config"
kwargs The rest of the sgx_full_enclave_configuration arguments. none

sgx.generate_enclave_signing_material

sgx.generate_enclave_signing_material(name, config, unsigned, backends, name_by_backend, signing_material, visibility, tags, testonly)

Builds the file to sign for creating a signed enclave binary.

PARAMETERS

Name Description Default Value
name The rule name, used in name derivations when transitions enabled. none
config An enclave_configuration target label. none
unsigned A label to an SGX unsigned enclave target. Should be generic
in the backends provided, so it is recommended to use an
sgx_cc_unsigned_enclave target.
none
backends The list of backends to build against. {"@linux_sgx//:asylo_sgx_hw": struct(config_settings = ["@linux_sgx//:sgx_hw"], debug_default_config = "@linux_sgx//:enclave_debug_config", debug_private_key = "@linux_sgx//:enclave_test_private.pem", name_derivation = "_sgx_hw", order = 2, sign_tool = "@linux_sgx//:sgx_sign_tool", tags = ["asylo-sgx-hw", "manual"]), "@linux_sgx//:asylo_sgx_sim": struct(config_settings = ["@linux_sgx//:sgx_sim"], debug_default_config = "@linux_sgx//:enclave_debug_config", debug_private_key = "@linux_sgx//:enclave_test_private.pem", name_derivation = "_sgx_sim", order = 1, sign_tool = "@linux_sgx//:sgx_sign_tool", tags = ["asylo-sgx-sim", "manual"])}
name_by_backend A dictionary from backend label to target name for
user-specified target names when defining backend-specific targets.
{}
signing_material An optional output file name. None
visibility An optional visibility specification. None
tags Tags to apply to each target. []
testonly If true, the target may only be dependended on by testonly
and test targets.
0

sgx.generate_sigstruct

sgx.generate_sigstruct(name, sigstruct, kwargs)

Creates a file that contains parts of the enclave SIGSTRUCT.

PARAMETERS

Name Description Default Value
name The rule name. none
sigstruct The name of the output file. Default is “<name>.dat”. None
kwargs The arguments passed to sgx_generate_enclave_signing_material. none

sgx.signed_enclave

sgx.signed_enclave(name, public_key, signature, signing_material, backends, name_by_backend, visibility, testonly, tags)

Creates a signed enclave binary using a signature file.

PARAMETERS

Name Description Default Value
name The rule name, used in name derivations when transitions enabled. none
public_key The public key to verify the provided signature. none
signature The sha256 digest of the enclave signing material signed by
the RSA-3072 private key with public exponent 3.
none
signing_material The label of a sgx_generate_enclave_signing_material
target that includes both the unsigned enclave and its config.
none
backends The list of backends to build against. {"@linux_sgx//:asylo_sgx_hw": struct(config_settings = ["@linux_sgx//:sgx_hw"], debug_default_config = "@linux_sgx//:enclave_debug_config", debug_private_key = "@linux_sgx//:enclave_test_private.pem", name_derivation = "_sgx_hw", order = 2, sign_tool = "@linux_sgx//:sgx_sign_tool", tags = ["asylo-sgx-hw", "manual"]), "@linux_sgx//:asylo_sgx_sim": struct(config_settings = ["@linux_sgx//:sgx_sim"], debug_default_config = "@linux_sgx//:enclave_debug_config", debug_private_key = "@linux_sgx//:enclave_test_private.pem", name_derivation = "_sgx_sim", order = 1, sign_tool = "@linux_sgx//:sgx_sign_tool", tags = ["asylo-sgx-sim", "manual"])}
name_by_backend A dictionary from backend label to target name for
user-specified target names when defining backend-specific targets.
{}
visibility An optional visibility specification. None
testonly If true, the target may only be dependended on by testonly
and test targets.
0
tags Tags to apply to each target. []

sgx.tags

sgx.tags()

Returns tags for SGX targets.

PARAMETERS

sgx.unsigned_enclave

sgx.unsigned_enclave(name, stamp, backends, name_by_backend, kwargs)

Build rule for creating a C++ unsigned SGX enclave shared object file.

PARAMETERS

Name Description Default Value
name The enclave target name. none
stamp The cc_binary stamp argument, but with a default value 0. 0
backends The Asylo backend labels to build with (:asylo_sgx_sim and/or
:asylo_sgx_hw)
{"@linux_sgx//:asylo_sgx_hw": struct(config_settings = ["@linux_sgx//:sgx_hw"], debug_default_config = "@linux_sgx//:enclave_debug_config", debug_private_key = "@linux_sgx//:enclave_test_private.pem", name_derivation = "_sgx_hw", order = 2, sign_tool = "@linux_sgx//:sgx_sign_tool", tags = ["asylo-sgx-hw", "manual"]), "@linux_sgx//:asylo_sgx_sim": struct(config_settings = ["@linux_sgx//:sgx_sim"], debug_default_config = "@linux_sgx//:enclave_debug_config", debug_private_key = "@linux_sgx//:enclave_test_private.pem", name_derivation = "_sgx_sim", order = 1, sign_tool = "@linux_sgx//:sgx_sign_tool", tags = ["asylo-sgx-sim", "manual"])}
name_by_backend A dict from backend label to enclave target name.
Optional.
{}
kwargs cc_binary arguments. none

sgx_debug_enclave

sgx_debug_enclave(name, kwargs)

An alias for sgx_sign_enclave_with_untrusted_key.

PARAMETERS

Name Description Default Value
name The name of the rule. none
kwargs The rest of the arguments to
sgx_sign_enclave_with_untrusted_key.
none

sgx_enclave_configuration

sgx_enclave_configuration(base, kwargs)

Wraps sgx_full_enclave_configuration with a default base target.

PARAMETERS

Name Description Default Value
base An optional base config
[default @linux_sgx//:enclave_debug_config].
"@linux_sgx//:enclave_debug_config"
kwargs The rest of the sgx_full_enclave_configuration arguments. none

sgx_generate_enclave_signing_material

sgx_generate_enclave_signing_material(name, config, unsigned, backends, name_by_backend, signing_material, visibility, tags, testonly)

Builds the file to sign for creating a signed enclave binary.

PARAMETERS

Name Description Default Value
name The rule name, used in name derivations when transitions enabled. none
config An enclave_configuration target label. none
unsigned A label to an SGX unsigned enclave target. Should be generic
in the backends provided, so it is recommended to use an
sgx_cc_unsigned_enclave target.
none
backends The list of backends to build against. {"@linux_sgx//:asylo_sgx_hw": struct(config_settings = ["@linux_sgx//:sgx_hw"], debug_default_config = "@linux_sgx//:enclave_debug_config", debug_private_key = "@linux_sgx//:enclave_test_private.pem", name_derivation = "_sgx_hw", order = 2, sign_tool = "@linux_sgx//:sgx_sign_tool", tags = ["asylo-sgx-hw", "manual"]), "@linux_sgx//:asylo_sgx_sim": struct(config_settings = ["@linux_sgx//:sgx_sim"], debug_default_config = "@linux_sgx//:enclave_debug_config", debug_private_key = "@linux_sgx//:enclave_test_private.pem", name_derivation = "_sgx_sim", order = 1, sign_tool = "@linux_sgx//:sgx_sign_tool", tags = ["asylo-sgx-sim", "manual"])}
name_by_backend A dictionary from backend label to target name for
user-specified target names when defining backend-specific targets.
{}
signing_material An optional output file name. None
visibility An optional visibility specification. None
tags Tags to apply to each target. []
testonly If true, the target may only be dependended on by testonly
and test targets.
0

sgx_generate_sigstruct

sgx_generate_sigstruct(name, sigstruct, kwargs)

Creates a file that contains parts of the enclave SIGSTRUCT.

PARAMETERS

Name Description Default Value
name The rule name. none
sigstruct The name of the output file. Default is “<name>.dat”. None
kwargs The arguments passed to sgx_generate_enclave_signing_material. none

sgx_sign_enclave_with_untrusted_key

sgx_sign_enclave_with_untrusted_key(name, unsigned, config, key, tags, backends, name_by_backend, deprecation, visibility, testonly)

Creates a signed enclave binary by using a debug key.

PARAMETERS

Name Description Default Value
name The target name none
unsigned The label of the unsigned enclave binary. none
config The enclave configuration label to use. None
key The untrusted key to use for signing. None
tags Bazel tags to add to name. []
backends The list of backends to build against. {"@linux_sgx//:asylo_sgx_hw": struct(config_settings = ["@linux_sgx//:sgx_hw"], debug_default_config = "@linux_sgx//:enclave_debug_config", debug_private_key = "@linux_sgx//:enclave_test_private.pem", name_derivation = "_sgx_hw", order = 2, sign_tool = "@linux_sgx//:sgx_sign_tool", tags = ["asylo-sgx-hw", "manual"]), "@linux_sgx//:asylo_sgx_sim": struct(config_settings = ["@linux_sgx//:sgx_sim"], debug_default_config = "@linux_sgx//:enclave_debug_config", debug_private_key = "@linux_sgx//:enclave_test_private.pem", name_derivation = "_sgx_sim", order = 1, sign_tool = "@linux_sgx//:sgx_sign_tool", tags = ["asylo-sgx-sim", "manual"])}
name_by_backend A dictionary from backend label to target name for
user-specified target names when defining backend-specific targets.
{}
deprecation An optional deprecation message that issues a warning. None
visibility The optional visibility of the enclave binary. None
testonly True if the target should only be used in tests. False

sgx_signed_enclave

sgx_signed_enclave(name, public_key, signature, signing_material, backends, name_by_backend, visibility, testonly, tags)

Creates a signed enclave binary using a signature file.

PARAMETERS

Name Description Default Value
name The rule name, used in name derivations when transitions enabled. none
public_key The public key to verify the provided signature. none
signature The sha256 digest of the enclave signing material signed by
the RSA-3072 private key with public exponent 3.
none
signing_material The label of a sgx_generate_enclave_signing_material
target that includes both the unsigned enclave and its config.
none
backends The list of backends to build against. {"@linux_sgx//:asylo_sgx_hw": struct(config_settings = ["@linux_sgx//:sgx_hw"], debug_default_config = "@linux_sgx//:enclave_debug_config", debug_private_key = "@linux_sgx//:enclave_test_private.pem", name_derivation = "_sgx_hw", order = 2, sign_tool = "@linux_sgx//:sgx_sign_tool", tags = ["asylo-sgx-hw", "manual"]), "@linux_sgx//:asylo_sgx_sim": struct(config_settings = ["@linux_sgx//:sgx_sim"], debug_default_config = "@linux_sgx//:enclave_debug_config", debug_private_key = "@linux_sgx//:enclave_test_private.pem", name_derivation = "_sgx_sim", order = 1, sign_tool = "@linux_sgx//:sgx_sign_tool", tags = ["asylo-sgx-sim", "manual"])}
name_by_backend A dictionary from backend label to target name for
user-specified target names when defining backend-specific targets.
{}
visibility An optional visibility specification. None
testonly If true, the target may only be dependended on by testonly
and test targets.
0
tags Tags to apply to each target. []

sgx_tags

sgx_tags()

Returns tags for SGX targets.

PARAMETERS

sgx_unsigned_enclave

sgx_unsigned_enclave(name, stamp, backends, name_by_backend, kwargs)

Build rule for creating a C++ unsigned SGX enclave shared object file.

PARAMETERS

Name Description Default Value
name The enclave target name. none
stamp The cc_binary stamp argument, but with a default value 0. 0
backends The Asylo backend labels to build with (:asylo_sgx_sim and/or
:asylo_sgx_hw)
{"@linux_sgx//:asylo_sgx_hw": struct(config_settings = ["@linux_sgx//:sgx_hw"], debug_default_config = "@linux_sgx//:enclave_debug_config", debug_private_key = "@linux_sgx//:enclave_test_private.pem", name_derivation = "_sgx_hw", order = 2, sign_tool = "@linux_sgx//:sgx_sign_tool", tags = ["asylo-sgx-hw", "manual"]), "@linux_sgx//:asylo_sgx_sim": struct(config_settings = ["@linux_sgx//:sgx_sim"], debug_default_config = "@linux_sgx//:enclave_debug_config", debug_private_key = "@linux_sgx//:enclave_test_private.pem", name_derivation = "_sgx_sim", order = 1, sign_tool = "@linux_sgx//:sgx_sign_tool", tags = ["asylo-sgx-sim", "manual"])}
name_by_backend A dict from backend label to enclave target name.
Optional.
{}
kwargs cc_binary arguments. none