Enclave Boundary Messages

This file defines the messages for communicating with a trusted application’s entry-points: initialization, (re-entrant) execution input and output, and finalization.


Configuration passed to an enclave during initialization. An enclave’s configuration (an instance of this message) is part of its identity. The base configuration included in EnclaveConfig is used to support platform capabilities such as the logging API and POSIX APIs.

Field Type Description
stdin_fd int32

Host file descriptor to use for standard in. A negative value indicates no standard in should be opened.

stdout_fd int32

Host file descriptor to use for standard out. A negative value indicates no standard out should be opened.

stderr_fd int32

Host file descriptor to use for standard error. A negative value indicates no standard error should be opened.

host_name string

Host name of this enclave.

current_working_directory string

Initial current working directory in enclave.

host_config HostConfig

System-specific enclave configuration. This configuration is expected to be the same for all enclaves running under the same instance of an OS.

enclave_assertion_authority_configs EnclaveAssertionAuthorityConfig[]

Enclave assertion authority configuration. If the enclave makes use of an assertion authority that requires configuration, a config should be listed here.

environment_variables EnvironmentVariable[]

Environment variables that getenv understands inside the enclave.

logging_config LoggingConfig

Configuration needed to initialize logging.

enable_fork bool

Whether fork (which reserves an extra thread inside the enclave) is enabled.


Input passed to an enclave during finalization.


Input passed to an enclave after it has been initialized with EnclaveConfig.


The configuration required to load an enclave. This message is extended for each backend supported by the Asylo primitive library. asylo::EnclaveLoader is passed an instance of this message for loading enclaves in Asylo.

Field Type Description
name string

Name of the enclave to be loaded.


An output message produced by an enclave for an invocation of its Run entry-point. This message can be used to send information out of the enclave back to an untrusted caller.

Field Type Description
status StatusProto

Contains status information for the Run invocation. A non-OK status may indicate an error in either trusted or untrusted space.


A POSIX signal event that is routed to an enclave signal handler.

Field Type Description
signum int32

Number of the signal.

code int32

Code of the signal describing cause of the signal. Refer to siginfo(3) for more information.

gregs uint64[]

General registers defined in |uc_mcontext|. Refer to sys/ucontext.h for more information.


Represents an environment variable’s value to communicate a baseline environment to getenv.

Field Type Description
name string

The name of the variable (e.g., as input to getenv).

value string

The initial value of the variable. An enclave can change the value later with e.g., setenv. The environment variable’s value is not changed by changes in the host environment. The host’s environment variable values are not inherited from the enclave.


A configuration message for the EnclaveManager to communicate with the attestation daemon.

Field Type Description
local_attestation_domain string

Local attestation domain of the enclave.


Initialization settings for the logging system in an enclave.

Field Type Description
vlog_level int32

Enclave logging levels for VLOG. Any VLOG with levels below or equal to this level will be logged, others will be ignored.

log_directory string

Directory under which to store enclave log files. Default: "/tmp/"