@linux_sgx//:sgx_sdk.bzl
asylo_sgx_backend
asylo_sgx_backend(name)
Defines an Asylo backend label for the SGX backend. Should only be used by @linux_sgx.
ATTRIBUTES
| Name | Description | Type | Mandatory |
|---|---|---|---|
| name | A unique name for this target. | Name | required |
enclave_lds
enclave_lds(name, debug, simulation)
Creates a version script to limit enclave symbol visibility
ATTRIBUTES
| Name | Description | Type | Mandatory |
|---|---|---|---|
| name | A unique name for this target. | Name | required |
| debug | - | Boolean | required |
| simulation | - | Boolean | required |
sgx_full_enclave_configuration
sgx_full_enclave_configuration(name, base, disable_debug, heap_max_size, isvextprodid, isvfamilyid, isvsvn, kss, misc_mask, misc_select, prodid, provision_key, stack_max_size, tcs_num, tcs_policy)
Defines an enclave configuration that is meant to be used as base configuration. Use sgx_enclave_configuration to get a sensible default base.
ATTRIBUTES
| Name | Description | Type | Mandatory |
|---|---|---|---|
| name | A unique name for this target. | Name | required |
| base | An initial configuration from which to derive. Base configuration fields may be overwritten by setting fields in this configuration. | Label | optional |
| disable_debug | Indicates whether launching the enclave in debug mode is disabled | String | optional |
| heap_max_size | The enclave’s maximum heap size in bytes (4KB aligned) | String | optional |
| isvextprodid | The enclave’s 16-byte extended ISVPRODID value. It is an error to set this attribute if ‘kss’ is set to False | String | optional |
| isvfamilyid | The enclave’s 16-byte extended ISV Family ID. It is an error to set this attribute if ‘kss’ is set to False | String | optional |
| isvsvn | The enclave’s ISV (Independent Software Vendor) assigned Security Version Number | String | optional |
| kss | A boolean that indicates whether the enclave can use Key Sharing and Separation (KSS) | Boolean | optional |
| misc_mask | A mask indicating which bits in misc_select are enforced | String | optional |
| misc_select | The desired Extended SSA frame feature (must be 0) | String | optional |
| prodid | The enclave’s ISV (Independent Software Vendor) assigned Product ID | String | optional |
| provision_key | Indicates whether the enclave has access to the Provisioning Key and the Provisioning Seal Key | String | optional |
| stack_max_size | The enclave’s maximum stack size in bytes (4KB aligned) | String | optional |
| tcs_num | The number of Thread Control Structures allocated for the enclave | String | optional |
| tcs_policy | The TCS management policy (0 - The TCS is bound to the untrusted thread, 1 - The TCS is unbound to the untrusted thread) | String | optional |
SGXEnclaveConfigInfo
SGXEnclaveConfigInfo(disable_debug, heap_max_size, isvsvn, misc_mask, misc_select, prodid, provision_key, kss, isvextprodid, isvfamilyid, stack_max_size, tcs_num, tcs_policy)
Stores an enclave configuration for enclave signing
FIELDS
| Name | Description |
|---|---|
| disable_debug | Indicates whether launching the enclave in debug mode is disabled |
| heap_max_size | The enclave’s maximum heap size in bytes (4KB aligned) |
| isvsvn | The enclave’s ISV (Independent Software Vendor) assigned Security Version Number |
| misc_mask | A mask indicating which bits in misc_select are enforced |
| misc_select | The desired Extended SSA frame feature (must be 0) |
| prodid | The enclave’s ISV (Independent Software Vendor) assigned Product ID |
| provision_key | Indicates whether the enclave has access to the Provisioning Key and the Provisioning Seal Key |
| kss | A boolean that indicates whether the enclave can use Key Sharing and Separation (KSS) |
| isvextprodid | The enclave’s 16-byte extended ISVPRODID value. It is an error to set this attribute if ‘kss’ is set to False |
| isvfamilyid | The enclave’s 16-byte extended ISV Family ID. It is an error to set this attribute if ‘kss’ is set to False |
| stack_max_size | The enclave’s maximum stack size in bytes (4KB aligned) |
| tcs_num | The number of Thread Control Structures allocated for the enclave |
| tcs_policy | The TCS management policy (0 - The TCS is bound to the untrusted thread, 1 - The TCS is unbound to the untrusted thread) |
SGXEnclaveInfo
SGXEnclaveInfo()
A provider attached to an SGX enclave target for compile-time type-checking purposes
FIELDS
SGXSigstructInfo
SGXSigstructInfo(config, unsigned)
A provider on enclave signing material that carries the enclave and configuration targets that generate it.
FIELDS
| Name | Description |
|---|---|
| config | An SGXEnclaveConfigInfo provider that represents the configuration options |
| unsigned | A cc_unsigned_enclave in an SGX backend |
boringssl_sign_enclave_signing_material
boringssl_sign_enclave_signing_material(name, signing_material, private_key, signature, backends, name_by_backend, visibility, tags, testonly)
Signs signing material with a private key.
Signing is done in each backend if transitions enabled.
PARAMETERS
| Name | Description | Default Value |
|---|---|---|
| name | The rule name, used in name derivations if transitions enabled. | none |
| signing_material | The output of generate_enclave_signing_material. | none |
| private_key | A label to an RSA 3072 public exponent 3 private key in PEM format. |
none |
| signature | An optional output file name (default name + “.sig”, where name is backend-specific if transitions enabled). |
None |
| backends | The list of backend labels to build signing_material against. | {"@linux_sgx//:asylo_sgx_hw": struct(config_settings = ["@linux_sgx//:sgx_hw"], debug_default_config = "@linux_sgx//:enclave_debug_config", debug_private_key = "@linux_sgx//:enclave_test_private.pem", name_derivation = "_sgx_hw", order = 2, sign_tool = "@linux_sgx//:sgx_sign_tool", tags = ["asylo-sgx-hw", "manual"], transitive_features_transform = |
| name_by_backend | An optional dictionary from backend label to name to backend-specific target name. |
{} |
| visibility | An optional target visibility. | None |
| tags | Tags to apply to each target. | [] |
| testonly | True if the target should only be used in tests. | 0 |
boringssl_sign_sigstruct
boringssl_sign_sigstruct(name, sigstruct, kwargs)
Signs enclave signing material with a given private key.
PARAMETERS
| Name | Description | Default Value |
|---|---|---|
| name | The rule name. | none |
| sigstruct | A target defined by sgx_generate_enclave_signing_material. | none |
| kwargs | The arguments passed to boringssl_sign_enclave_signing_material. | none |
sgx.boringssl_sign_sigstruct
sgx.boringssl_sign_sigstruct(name, sigstruct, kwargs)
Signs enclave signing material with a given private key.
PARAMETERS
| Name | Description | Default Value |
|---|---|---|
| name | The rule name. | none |
| sigstruct | A target defined by sgx_generate_enclave_signing_material. | none |
| kwargs | The arguments passed to boringssl_sign_enclave_signing_material. | none |
sgx.boringssl_sign_enclave_signing_material
sgx.boringssl_sign_enclave_signing_material(name, signing_material, private_key, signature, backends, name_by_backend, visibility, tags, testonly)
Signs signing material with a private key.
Signing is done in each backend if transitions enabled.
PARAMETERS
| Name | Description | Default Value |
|---|---|---|
| name | The rule name, used in name derivations if transitions enabled. | none |
| signing_material | The output of generate_enclave_signing_material. | none |
| private_key | A label to an RSA 3072 public exponent 3 private key in PEM format. |
none |
| signature | An optional output file name (default name + “.sig”, where name is backend-specific if transitions enabled). |
None |
| backends | The list of backend labels to build signing_material against. | {"@linux_sgx//:asylo_sgx_hw": struct(config_settings = ["@linux_sgx//:sgx_hw"], debug_default_config = "@linux_sgx//:enclave_debug_config", debug_private_key = "@linux_sgx//:enclave_test_private.pem", name_derivation = "_sgx_hw", order = 2, sign_tool = "@linux_sgx//:sgx_sign_tool", tags = ["asylo-sgx-hw", "manual"], transitive_features_transform = |
| name_by_backend | An optional dictionary from backend label to name to backend-specific target name. |
{} |
| visibility | An optional target visibility. | None |
| tags | Tags to apply to each target. | [] |
| testonly | True if the target should only be used in tests. | 0 |
sgx.debug_enclave
sgx.debug_enclave(name, kwargs)
An alias for sgx_sign_enclave_with_untrusted_key.
PARAMETERS
| Name | Description | Default Value |
|---|---|---|
| name | The name of the rule. | none |
| kwargs | The rest of the arguments to sgx_sign_enclave_with_untrusted_key. |
none |
sgx.sign_enclave_with_untrusted_key
sgx.sign_enclave_with_untrusted_key(name, unsigned, config, key, tags, backends, name_by_backend, deprecation, visibility, testonly)
Creates a signed enclave binary by using a debug key.
PARAMETERS
| Name | Description | Default Value |
|---|---|---|
| name | The target name | none |
| unsigned | The label of the unsigned enclave binary. | none |
| config | The enclave configuration label to use. | None |
| key | The untrusted key to use for signing. | None |
| tags | Bazel tags to add to name. | [] |
| backends | The list of backends to build against. | {"@linux_sgx//:asylo_sgx_hw": struct(config_settings = ["@linux_sgx//:sgx_hw"], debug_default_config = "@linux_sgx//:enclave_debug_config", debug_private_key = "@linux_sgx//:enclave_test_private.pem", name_derivation = "_sgx_hw", order = 2, sign_tool = "@linux_sgx//:sgx_sign_tool", tags = ["asylo-sgx-hw", "manual"], transitive_features_transform = |
| name_by_backend | A dictionary from backend label to target name for user-specified target names when defining backend-specific targets. |
{} |
| deprecation | An optional deprecation message that issues a warning. | None |
| visibility | The optional visibility of the enclave binary. | None |
| testonly | True if the target should only be used in tests. | False |
sgx.enclave_configuration
sgx.enclave_configuration(base, kwargs)
Wraps sgx_full_enclave_configuration with a default base target.
PARAMETERS
| Name | Description | Default Value |
|---|---|---|
| base | An optional base config [default @linux_sgx//:enclave_debug_config]. |
"@linux_sgx//:enclave_debug_config" |
| kwargs | The rest of the sgx_full_enclave_configuration arguments. | none |
sgx.generate_enclave_signing_material
sgx.generate_enclave_signing_material(name, config, unsigned, backends, name_by_backend, signing_material, visibility, tags, testonly)
Builds the file to sign for creating a signed enclave binary.
PARAMETERS
| Name | Description | Default Value |
|---|---|---|
| name | The rule name, used in name derivations when transitions enabled. | none |
| config | An enclave_configuration target label. | none |
| unsigned | A label to an SGX unsigned enclave target. Should be generic in the backends provided, so it is recommended to use an sgx_cc_unsigned_enclave target. |
none |
| backends | The list of backends to build against. | {"@linux_sgx//:asylo_sgx_hw": struct(config_settings = ["@linux_sgx//:sgx_hw"], debug_default_config = "@linux_sgx//:enclave_debug_config", debug_private_key = "@linux_sgx//:enclave_test_private.pem", name_derivation = "_sgx_hw", order = 2, sign_tool = "@linux_sgx//:sgx_sign_tool", tags = ["asylo-sgx-hw", "manual"], transitive_features_transform = |
| name_by_backend | A dictionary from backend label to target name for user-specified target names when defining backend-specific targets. |
{} |
| signing_material | An optional output file name. | None |
| visibility | An optional visibility specification. | None |
| tags | Tags to apply to each target. | [] |
| testonly | If true, the target may only be dependended on by testonly and test targets. |
0 |
sgx.generate_sigstruct
sgx.generate_sigstruct(name, sigstruct, kwargs)
Creates a file that contains parts of the enclave SIGSTRUCT.
PARAMETERS
| Name | Description | Default Value |
|---|---|---|
| name | The rule name. | none |
| sigstruct | The name of the output file. Default is “<name>.dat”. | None |
| kwargs | The arguments passed to sgx_generate_enclave_signing_material. | none |
sgx.signed_enclave
sgx.signed_enclave(name, public_key, signature, signing_material, backends, name_by_backend, visibility, testonly, tags)
Creates a signed enclave binary using a signature file.
PARAMETERS
| Name | Description | Default Value |
|---|---|---|
| name | The rule name, used in name derivations when transitions enabled. | none |
| public_key | The public key to verify the provided signature. | none |
| signature | The sha256 digest of the enclave signing material signed by the RSA-3072 private key with public exponent 3. |
none |
| signing_material | The label of a sgx_generate_enclave_signing_material target that includes both the unsigned enclave and its config. |
none |
| backends | The list of backends to build against. | {"@linux_sgx//:asylo_sgx_hw": struct(config_settings = ["@linux_sgx//:sgx_hw"], debug_default_config = "@linux_sgx//:enclave_debug_config", debug_private_key = "@linux_sgx//:enclave_test_private.pem", name_derivation = "_sgx_hw", order = 2, sign_tool = "@linux_sgx//:sgx_sign_tool", tags = ["asylo-sgx-hw", "manual"], transitive_features_transform = |
| name_by_backend | A dictionary from backend label to target name for user-specified target names when defining backend-specific targets. |
{} |
| visibility | An optional visibility specification. | None |
| testonly | If true, the target may only be dependended on by testonly and test targets. |
0 |
| tags | Tags to apply to each target. | [] |
sgx.tags
sgx.tags()
Returns tags for SGX targets.
PARAMETERS
sgx.unsigned_enclave
sgx.unsigned_enclave(name, stamp, backends, name_by_backend, kwargs)
Build rule for creating a C++ unsigned SGX enclave shared object file.
PARAMETERS
| Name | Description | Default Value |
|---|---|---|
| name | The enclave target name. | none |
| stamp | The cc_binary stamp argument, but with a default value 0. | 0 |
| backends | The Asylo backend labels to build with (:asylo_sgx_sim and/or :asylo_sgx_hw) |
{"@linux_sgx//:asylo_sgx_hw": struct(config_settings = ["@linux_sgx//:sgx_hw"], debug_default_config = "@linux_sgx//:enclave_debug_config", debug_private_key = "@linux_sgx//:enclave_test_private.pem", name_derivation = "_sgx_hw", order = 2, sign_tool = "@linux_sgx//:sgx_sign_tool", tags = ["asylo-sgx-hw", "manual"], transitive_features_transform = |
| name_by_backend | A dict from backend label to enclave target name. Optional. |
{} |
| kwargs | cc_binary arguments. | none |
sgx_debug_enclave
sgx_debug_enclave(name, kwargs)
An alias for sgx_sign_enclave_with_untrusted_key.
PARAMETERS
| Name | Description | Default Value |
|---|---|---|
| name | The name of the rule. | none |
| kwargs | The rest of the arguments to sgx_sign_enclave_with_untrusted_key. |
none |
sgx_enclave_configuration
sgx_enclave_configuration(base, kwargs)
Wraps sgx_full_enclave_configuration with a default base target.
PARAMETERS
| Name | Description | Default Value |
|---|---|---|
| base | An optional base config [default @linux_sgx//:enclave_debug_config]. |
"@linux_sgx//:enclave_debug_config" |
| kwargs | The rest of the sgx_full_enclave_configuration arguments. | none |
sgx_generate_enclave_signing_material
sgx_generate_enclave_signing_material(name, config, unsigned, backends, name_by_backend, signing_material, visibility, tags, testonly)
Builds the file to sign for creating a signed enclave binary.
PARAMETERS
| Name | Description | Default Value |
|---|---|---|
| name | The rule name, used in name derivations when transitions enabled. | none |
| config | An enclave_configuration target label. | none |
| unsigned | A label to an SGX unsigned enclave target. Should be generic in the backends provided, so it is recommended to use an sgx_cc_unsigned_enclave target. |
none |
| backends | The list of backends to build against. | {"@linux_sgx//:asylo_sgx_hw": struct(config_settings = ["@linux_sgx//:sgx_hw"], debug_default_config = "@linux_sgx//:enclave_debug_config", debug_private_key = "@linux_sgx//:enclave_test_private.pem", name_derivation = "_sgx_hw", order = 2, sign_tool = "@linux_sgx//:sgx_sign_tool", tags = ["asylo-sgx-hw", "manual"], transitive_features_transform = |
| name_by_backend | A dictionary from backend label to target name for user-specified target names when defining backend-specific targets. |
{} |
| signing_material | An optional output file name. | None |
| visibility | An optional visibility specification. | None |
| tags | Tags to apply to each target. | [] |
| testonly | If true, the target may only be dependended on by testonly and test targets. |
0 |
sgx_generate_sigstruct
sgx_generate_sigstruct(name, sigstruct, kwargs)
Creates a file that contains parts of the enclave SIGSTRUCT.
PARAMETERS
| Name | Description | Default Value |
|---|---|---|
| name | The rule name. | none |
| sigstruct | The name of the output file. Default is “<name>.dat”. | None |
| kwargs | The arguments passed to sgx_generate_enclave_signing_material. | none |
sgx_sign_enclave_with_untrusted_key
sgx_sign_enclave_with_untrusted_key(name, unsigned, config, key, tags, backends, name_by_backend, deprecation, visibility, testonly)
Creates a signed enclave binary by using a debug key.
PARAMETERS
| Name | Description | Default Value |
|---|---|---|
| name | The target name | none |
| unsigned | The label of the unsigned enclave binary. | none |
| config | The enclave configuration label to use. | None |
| key | The untrusted key to use for signing. | None |
| tags | Bazel tags to add to name. | [] |
| backends | The list of backends to build against. | {"@linux_sgx//:asylo_sgx_hw": struct(config_settings = ["@linux_sgx//:sgx_hw"], debug_default_config = "@linux_sgx//:enclave_debug_config", debug_private_key = "@linux_sgx//:enclave_test_private.pem", name_derivation = "_sgx_hw", order = 2, sign_tool = "@linux_sgx//:sgx_sign_tool", tags = ["asylo-sgx-hw", "manual"], transitive_features_transform = |
| name_by_backend | A dictionary from backend label to target name for user-specified target names when defining backend-specific targets. |
{} |
| deprecation | An optional deprecation message that issues a warning. | None |
| visibility | The optional visibility of the enclave binary. | None |
| testonly | True if the target should only be used in tests. | False |
sgx_signed_enclave
sgx_signed_enclave(name, public_key, signature, signing_material, backends, name_by_backend, visibility, testonly, tags)
Creates a signed enclave binary using a signature file.
PARAMETERS
| Name | Description | Default Value |
|---|---|---|
| name | The rule name, used in name derivations when transitions enabled. | none |
| public_key | The public key to verify the provided signature. | none |
| signature | The sha256 digest of the enclave signing material signed by the RSA-3072 private key with public exponent 3. |
none |
| signing_material | The label of a sgx_generate_enclave_signing_material target that includes both the unsigned enclave and its config. |
none |
| backends | The list of backends to build against. | {"@linux_sgx//:asylo_sgx_hw": struct(config_settings = ["@linux_sgx//:sgx_hw"], debug_default_config = "@linux_sgx//:enclave_debug_config", debug_private_key = "@linux_sgx//:enclave_test_private.pem", name_derivation = "_sgx_hw", order = 2, sign_tool = "@linux_sgx//:sgx_sign_tool", tags = ["asylo-sgx-hw", "manual"], transitive_features_transform = |
| name_by_backend | A dictionary from backend label to target name for user-specified target names when defining backend-specific targets. |
{} |
| visibility | An optional visibility specification. | None |
| testonly | If true, the target may only be dependended on by testonly and test targets. |
0 |
| tags | Tags to apply to each target. | [] |
sgx_tags
sgx_tags()
Returns tags for SGX targets.
PARAMETERS
sgx_unsigned_enclave
sgx_unsigned_enclave(name, stamp, backends, name_by_backend, kwargs)
Build rule for creating a C++ unsigned SGX enclave shared object file.
PARAMETERS
| Name | Description | Default Value |
|---|---|---|
| name | The enclave target name. | none |
| stamp | The cc_binary stamp argument, but with a default value 0. | 0 |
| backends | The Asylo backend labels to build with (:asylo_sgx_sim and/or :asylo_sgx_hw) |
{"@linux_sgx//:asylo_sgx_hw": struct(config_settings = ["@linux_sgx//:sgx_hw"], debug_default_config = "@linux_sgx//:enclave_debug_config", debug_private_key = "@linux_sgx//:enclave_test_private.pem", name_derivation = "_sgx_hw", order = 2, sign_tool = "@linux_sgx//:sgx_sign_tool", tags = ["asylo-sgx-hw", "manual"], transitive_features_transform = |
| name_by_backend | A dict from backend label to enclave target name. Optional. |
{} |
| kwargs | cc_binary arguments. | none |