Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
37 commits
Select commit Hold shift + click to select a range
451dd32
Support intel-sgx-sdk 2.20
volcano0dr Aug 23, 2023
e21a305
Support intel-dcap 1.17
volcano0dr Aug 24, 2023
ae7a487
Update dockerfile
volcano0dr Aug 24, 2023
6f16f4a
Support intel-sgx-sdk 2.21 and DCAP 1.18
volcano0dr Sep 1, 2023
04825c1
Fix try_error macro in sgx_trts
volcano0dr Sep 14, 2023
1b80455
Fix ExceptionInfo alignment to 64 bytes
volcano0dr Sep 20, 2023
9b37537
Fix note.sgxmeta section size
volcano0dr Oct 11, 2023
05ead98
Support rust nightly-2023-11-17
volcano0dr Nov 26, 2023
ab10b5f
Merge branch 'emm-dev' into v2.0.0-preview-11-17
lanfeust69 Jan 23, 2024
d4f6781
Introduce use_sgx_sdk feature
lanfeust69 Jan 23, 2024
ec23fbf
Expose sgx_trts::veh in std
lanfeust69 Feb 15, 2024
ad57a8f
Simplify use of sgx_urts
lanfeust69 Feb 22, 2024
32bcb87
Make teaklave build with rust 1.84
lanfeust69 Nov 19, 2024
1a777e3
Add more headers to complement SGX SDK ones (#1)
edwardbr Dec 17, 2024
fb01dae
Support intel-sgx-sdk 2.25
lanfeust69 Jan 21, 2025
30fb2ff
Merge commit '92e3703d5ad134f0a5e9870700c640044ca70468' into privasys
bfoing Feb 24, 2026
b742e7f
chore: Fix Merge
bfoing Feb 24, 2026
00b4407
Fix IPP CPUID initialization to support some AVX512 advanced instruct…
volcano0dr Feb 7, 2024
613f1d2
Reimplement sgx_read_rand for ucrypto
volcano0dr Mar 26, 2024
a3df5da
fix trim_range_commit bug
volcano0dr Mar 11, 2025
2f48a0b
Fixed dereferencing pointers in untrusted memory
volcano0dr Apr 11, 2025
a28bb7d
license: fix and pass skywalking-eyes check
m4sterchain Jul 20, 2025
d20e6e6
polish readme.md
m4sterchain Jul 20, 2025
a1e740c
doc: update branding name
m4sterchain Aug 4, 2025
7036457
doc: update for graduation
m4sterchain Sep 3, 2025
088e431
Support Intel SGX SDK 2.27
bfoing Feb 25, 2026
7e3d502
Fix Rust 1.84 / LLVM 19 compatibility
bfoing Feb 25, 2026
020d102
Support Rust 1.93 (nightly-2025-12-01) / LLVM 21
bfoing Feb 25, 2026
fcf327d
Fix Rust nightly-2025-12-01 build: restore extern crates, add float m…
bfoing Feb 25, 2026
91b7664
Add sgx_sysroot CMake target for building trusted Rust rlibs
bfoing Feb 25, 2026
70bbed3
fix: Toolchain
bfoing Feb 28, 2026
0702dcc
fix: resolve all warnings for Rust nightly-2025-12-01
bfoing Mar 20, 2026
ab3ad7b
feat(toolchain): port to Rust nightly-2026-06-21 / LLVM 22
bfoing Jun 22, 2026
b34920b
fix(sgx_tstd): sync prelude macro re-exports with nightly-2026-06-21 std
bfoing Jun 22, 2026
c328dad
fix(sgx_tstd): export std-defined macros (panic/vec/format/print/...)…
bfoing Jun 22, 2026
2330b2a
feat: support Intel SGX SDK 2.29 + remove EPID (sgx_key_exchange)
bfoing Jun 22, 2026
69dc130
Merge remote-tracking branch 'apache/main'
bfoing Jun 22, 2026
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
The table of contents is too big for display.
Diff view
Diff view
  •  
  •  
  •  
101 changes: 101 additions & 0 deletions CMakeLists.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,101 @@
cmake_minimum_required(VERSION 3.20)
project(teaclave-sgx-sdk LANGUAGES C CXX)

include(GNUInstallDirs)

# =============================================================================
# Options
# =============================================================================
option(BUILD_SYSROOT "Build the SGX sysroot (trusted Rust rlibs)" ON)
option(BUILD_URTS "Build sgx_urts (untrusted runtime)" ON)

set(SGX_TARGET "x86_64-unknown-linux-sgx" CACHE STRING
"Rust target triple for the SGX enclave")
set(SGX_SYSROOT_FEATURES "untrusted_fs;untrusted_time;net;thread" CACHE STRING
"Semicolon-separated std features to enable in the sysroot build")
set(SGX_SYSROOT_OUTPUT "" CACHE PATH
"Where to install the sysroot (default: <source>/sysroot)")

# =============================================================================
# Derived paths
# =============================================================================
set(SDK_ROOT ${CMAKE_CURRENT_SOURCE_DIR})
set(TARGET_JSON ${SDK_ROOT}/rustlib/${SGX_TARGET}.json)

if(SGX_SYSROOT_OUTPUT STREQUAL "")
set(SGX_SYSROOT_OUTPUT ${SDK_ROOT}/sysroot)
endif()

if(CMAKE_BUILD_TYPE STREQUAL "Release")
set(CARGO_PROFILE_FLAG "--release")
set(CARGO_OUT_DIR "release")
else()
set(CARGO_PROFILE_FLAG "")
set(CARGO_OUT_DIR "debug")
endif()

# Convert semicolon-separated list to comma-separated for cargo --features
string(REPLACE ";" "," SGX_SYSROOT_FEATURES_CSV "${SGX_SYSROOT_FEATURES}")

# =============================================================================
# Target: sgx_sysroot — builds trusted Rust rlibs for x86_64-unknown-linux-sgx
# =============================================================================
if(BUILD_SYSROOT)
set(SYSROOT_STAMP ${CMAKE_CURRENT_BINARY_DIR}/sgx_sysroot.stamp)
set(SYSROOT_LIB_DIR ${SGX_SYSROOT_OUTPUT}/lib/rustlib/${SGX_TARGET}/lib)

add_custom_command(
OUTPUT ${SYSROOT_STAMP}
COMMENT "Building SGX sysroot (${CARGO_OUT_DIR})..."
COMMAND cargo build ${CARGO_PROFILE_FLAG}
-Zbuild-std=core,alloc
-Zjson-target-spec
--target ${TARGET_JSON}
--features "${SGX_SYSROOT_FEATURES_CSV}"
COMMAND ${CMAKE_COMMAND} -E rm -rf ${SGX_SYSROOT_OUTPUT}
COMMAND ${CMAKE_COMMAND} -E make_directory ${SYSROOT_LIB_DIR}
COMMAND ${CMAKE_COMMAND} -E copy_directory
${SDK_ROOT}/rustlib/std/target/${SGX_TARGET}/${CARGO_OUT_DIR}/deps
${SYSROOT_LIB_DIR}
COMMAND ${CMAKE_COMMAND} -E touch ${SYSROOT_STAMP}
WORKING_DIRECTORY ${SDK_ROOT}/rustlib/std
VERBATIM
)

add_custom_target(sgx_sysroot
DEPENDS ${SYSROOT_STAMP}
)

# Convenience: expose the sysroot path so consumers can reference it
set(SGX_SYSROOT_PATH ${SGX_SYSROOT_OUTPUT} CACHE INTERNAL
"Path to the installed SGX sysroot")
endif()

# =============================================================================
# Target: sgx_urts_rust — builds untrusted runtime
# =============================================================================
if(BUILD_URTS)
message(STATUS "sgx_urts_rust")

set(SGX_URTS_OUTPUT ${SDK_ROOT}/sgx_urts/target/release/libsgx_urts.a)
add_custom_command(
OUTPUT ${SGX_URTS_OUTPUT}
COMMAND cargo build --release
WORKING_DIRECTORY ${SDK_ROOT}/sgx_urts
)

add_custom_target(sgx_urts_target
DEPENDS ${SGX_URTS_OUTPUT}
)

add_library(sgx_urts_rust STATIC IMPORTED GLOBAL)
add_dependencies(sgx_urts_rust sgx_urts_target)

set_target_properties(sgx_urts_rust
PROPERTIES
IMPORTED_LOCATION "${SGX_URTS_OUTPUT}"
)

# IMPORTED libraries cannot be installed, so we just copy the files
install(FILES ${SGX_URTS_OUTPUT} DESTINATION ${CMAKE_INSTALL_LIBDIR})
endif()
4 changes: 4 additions & 0 deletions buildenv.mk
Original file line number Diff line number Diff line change
Expand Up @@ -67,6 +67,10 @@ else
COMMON_FLAGS += -fstack-protector-strong
endif

ifdef _TD_MIGRATION
COMMON_FLAGS += -D_TD_MIGRATION
endif

COMMON_FLAGS += -ffunction-sections -fdata-sections

# turn on compiler warnings as much as possible
Expand Down
26 changes: 20 additions & 6 deletions common/inc/internal/arch.h
Original file line number Diff line number Diff line change
Expand Up @@ -99,7 +99,7 @@ flags definitions
typedef struct _tcs_t
{
uint64_t reserved0; /* (0) */
uint64_t flags; /* (8)bit 0: DBGOPTION */
uint64_t flags; /* (8)bit 0: DBGOPTION, bit 1: AEXNOTIFY */
uint64_t ossa; /* (16)State Save Area */
uint32_t cssa; /* (24)Current SSA slot */
uint32_t nssa; /* (28)Number of SSA slots */
Expand Down Expand Up @@ -131,10 +131,14 @@ typedef struct _exit_info_t
#define SE_VECTOR_BP 3
#define SE_VECTOR_BR 5
#define SE_VECTOR_UD 6
#define SE_VECTOR_GP 13
#define SE_VECTOR_PF 14
#define SE_VECTOR_MF 16
#define SE_VECTOR_AC 17
#define SE_VECTOR_XM 19

#define SSA_AEXNOTIFY_MASK 0x1U /* Only set the first bit */

typedef struct _ssa_gpr_t
{
REGISTER( ax); /* (0) */
Expand All @@ -153,16 +157,26 @@ typedef struct _ssa_gpr_t
uint64_t r13; /* (104) */
uint64_t r14; /* (112) */
uint64_t r15; /* (120) */
REGISTER(flags); /* (128) */
REGISTER( ip); /* (136) */
REGISTER( sp_u); /* (144) untrusted stack pointer. saved by EENTER */
REGISTER( bp_u); /* (152) untrusted frame pointer. saved by EENTER */
REGISTER(flags); /* (128) */
REGISTER( ip); /* (136) */
REGISTER( sp_u); /* (144) untrusted stack pointer. saved by EENTER */
REGISTER( bp_u); /* (152) untrusted frame pointer. saved by EENTER */
exit_info_t exit_info; /* (160) contain information for exits */
uint32_t reserved; /* (164) padding to multiple of 8 bytes */
uint8_t reserved[3]; /* (164) padding */
uint8_t aex_notify; /* (167) AEX Notify */
uint64_t fs; /* (168) FS register */
uint64_t gs; /* (176) GS register */
} ssa_gpr_t;

typedef struct _misc_exinfo
{
uint64_t maddr; // address for #PF, #GP.
uint32_t errcd;
uint32_t reserved;
} misc_exinfo_t;

#define MISC_BYTE_SIZE sizeof(misc_exinfo_t)

typedef uint64_t si_flags_t;

#define SI_FLAG_NONE 0x0
Expand Down
3 changes: 3 additions & 0 deletions common/inc/internal/inst.h
Original file line number Diff line number Diff line change
Expand Up @@ -46,7 +46,10 @@ typedef enum {
SE_ERESUME,
SE_EEXIT,
SE_EACCEPT,
SE_EMODPE,
SE_EACCEPTCOPY,
SE_EVERIFYREPORT2 = 0x8,
SE_EDECCSSA = 0x9,
SE_LAST_RING3,

SE_ECREATE = 0x0,
Expand Down
12 changes: 6 additions & 6 deletions common/inc/internal/metadata.h
Original file line number Diff line number Diff line change
Expand Up @@ -36,10 +36,10 @@
#pragma pack(1)

/* version of metadata */
#define MAJOR_VERSION 2 //MAJOR_VERSION should not larger than 0ffffffff
#define MINOR_VERSION 4 //MINOR_VERSION should not larger than 0ffffffff
#define MAJOR_VERSION 3 //MAJOR_VERSION should not larger than 0ffffffff
#define MINOR_VERSION 0 //MINOR_VERSION should not larger than 0ffffffff

#define SGX_2_ELRANGE_MAJOR_VERSION 12
#define SGX_2_ELRANGE_MAJOR_VERSION 13
#define SGX_1_ELRANGE_MAJOR_VERSION 11

#define SGX_MAJOR_VERSION_GAP 10
Expand Down Expand Up @@ -71,18 +71,17 @@
#define TCS_POLICY_BIND 0x00000000 /* If set, the TCS is bound to the application thread */
#define TCS_POLICY_UNBIND 0x00000001

#define MAX_SAVE_BUF_SIZE 2632

#define TCS_NUM_MIN 1
#define SSA_NUM_MIN 2
#define SSA_FRAME_SIZE_MIN 1
#define SSA_FRAME_SIZE_MAX 2
#define SSA_FRAME_SIZE_MAX 4
#define STACK_SIZE_MIN 0x0002000 /* 8 KB */
#define STACK_SIZE_MAX 0x0040000 /* 256 KB */
#define HEAP_SIZE_MIN 0x0001000 /* 4 KB */
#define HEAP_SIZE_MAX 0x1000000 /* 16 MB */
#define RSRV_SIZE_MIN 0x0000000 /* 0 KB */
#define RSRV_SIZE_MAX 0x0000000 /* 0 KB */
#define USER_REGION_SIZE 0x0000000 /* 0 KB */
#define DEFAULT_MISC_SELECT 0
#define DEFAULT_MISC_MASK 0xFFFFFFFF
#define ISVFAMILYID_MAX 0xFFFFFFFFFFFFFFFFULL
Expand Down Expand Up @@ -127,6 +126,7 @@ typedef enum
#define LAYOUT_ID_RSRV_MIN (20)
#define LAYOUT_ID_RSRV_INIT (21)
#define LAYOUT_ID_RSRV_MAX (22)
#define LAYOUT_ID_USER_REGION (23)

extern const char * layout_id_str[];

Expand Down
14 changes: 10 additions & 4 deletions common/inc/sgx_attributes.h
Original file line number Diff line number Diff line change
Expand Up @@ -40,24 +40,30 @@
#define SGX_FLAGS_MODE64BIT 0x0000000000000004ULL /* If set, then the enclave is 64 bit */
#define SGX_FLAGS_PROVISION_KEY 0x0000000000000010ULL /* If set, then the enclave has access to provision key */
#define SGX_FLAGS_EINITTOKEN_KEY 0x0000000000000020ULL /* If set, then the enclave has access to EINITTOKEN key */
#define SGX_FLAGS_KSS 0x0000000000000080ULL /* If set enclave uses KSS */
#define SGX_FLAGS_KSS 0x0000000000000080ULL /* If set, then the enclave uses KSS */
#define SGX_FLAGS_AEX_NOTIFY 0x0000000000000400ULL /* If set, then the enclave enables AEX Notify */

#define SGX_FLAGS_NON_CHECK_BITS 0x00FF000000000000ULL /* BIT[55-48] will not be checked */

/* XSAVE Feature Request Mask */
#define SGX_XFRM_LEGACY 0x0000000000000003ULL /* Legacy XFRM which includes the basic feature bits required by SGX, x87 state(0x01) and SSE state(0x02) */
#define SGX_XFRM_AVX 0x0000000000000006ULL /* AVX XFRM which includes AVX state(0x04) and SSE state(0x02) required by AVX */
#define SGX_XFRM_AVX512 0x00000000000000E6ULL /* AVX-512 XFRM - not supported */
#define SGX_XFRM_AVX512 0x00000000000000E6ULL /* AVX-512 XFRM */
#define SGX_XFRM_MPX 0x0000000000000018ULL /* MPX XFRM - not supported */
#define SGX_XFRM_PKRU 0x0000000000000200ULL /* PKRU state */
#define SGX_XFRM_AMX 0x0000000000060000ULL /* AMX XFRM, including XTILEDATA(0x40000) and XTILECFG(0x20000) */

#define SGX_XFRM_RESERVED (~(SGX_XFRM_LEGACY | SGX_XFRM_AVX | SGX_XFRM_AVX512 | SGX_XFRM_PKRU))
#define SGX_XFRM_RESERVED (~(SGX_XFRM_LEGACY | SGX_XFRM_AVX | SGX_XFRM_AVX512 | SGX_XFRM_PKRU | SGX_XFRM_AMX))

typedef struct _attributes_t
{
uint64_t flags;
uint64_t xfrm;
} sgx_attributes_t;

/* define MISCSELECT - all bits are currently reserved */
/* Define MISCSELECT
* bit 0: EXINFO
* bit 31-1: reserved(0) */
typedef uint32_t sgx_misc_select_t;

typedef struct _sgx_misc_attribute_t {
Expand Down
3 changes: 3 additions & 0 deletions common/inc/sgx_report2.h
Original file line number Diff line number Diff line change
Expand Up @@ -36,6 +36,8 @@
#ifndef _SGX_REPORT2_H_
#define _SGX_REPORT2_H_

#include <stdint.h>

#define TEE_HASH_384_SIZE 48 /* SHA384 */
#define TEE_MAC_SIZE 32 /* Message SHA 256 HASH Code - 32 bytes */

Expand Down Expand Up @@ -67,6 +69,7 @@ typedef struct _tee_attributes_t
#define TEE_REPORT2_TYPE 0x81 /* TEE Report Type2 */
#define TEE_REPORT2_SUBTYPE 0x0 /* SUBTYPE for Report Type2 is 0 */
#define TEE_REPORT2_VERSION 0x0 /* VERSION for Report Type2 is 0 */
#define TEE_REPORT2_VERSION_SERVICETD 0x1 /* VERSION for Report Type2 which mr_servicetd is used */

typedef struct _tee_report_type_t {
uint8_t type; /* Trusted Execution Environment(TEE) type:
Expand Down
26 changes: 24 additions & 2 deletions common/inc/sgx_tprotected_fs.h
Original file line number Diff line number Diff line change
Expand Up @@ -107,6 +107,28 @@ SGX_FILE* SGXAPI sgx_fopen_auto_key(const char* filename, const char* mode);
*/
SGX_FILE* SGXAPI sgx_fopen_integrity_only(const char* filename, const char* mode);

/* sgx_fopen_ex
* Purpose: Expert version of sgx_fopen/sgx_fopen_auto_key which is used if you want to control the internal `cache size`.
* The specified `cache size` must be page (4KB by default) aligned.
* Note that `sgx_fexport_auto_key` and `sgx_fimport_auto_key` don't support configuring `cache_size` right now
*
* Parameters:
* filename - [IN] the name of the file to open/create.
* mode - [IN] open mode. only supports 'r' or 'w' or 'a' (one and only one of them must be present), and optionally 'b' and/or '+'.
* key - [IN] encryption key that will be used for the file encryption.
* If it's NULL, we will swtich back to `sgx_fopen_auto_key and use enclave's seal key to protect the file
* NOTE - the key is actually used as a KDK (key derivation key) and only for the meta-data node, and not used directly for the encryption of any part of the file
* this is important in order to prevent hitting the key wear-out problem, and some other issues with GCM encryptions using the same key
* cache_size - [IN] Internal cache size in byte, which used to cache R/W data in enclave before flush to actual file
* It must larger than default cache size (192KB), and must be page (4KB by default) aligned
* a) Please make sure enclave heap is enough for the `cache`, e.g. Configure enough heap in enclave config file
* b) All the data in cache may lost after exeception, please try to call `sgx_fflush` explicitly to avoid data loss
*
* Return value:
* SGX_FILE* - pointer to the newly created file handle, NULL if an error occurred - check errno for the error code.
*/
SGX_FILE* SGXAPI sgx_fopen_ex(const char* filename, const char* mode, const sgx_key_128bit_t *key, const uint16_t key_policy, const uint64_t cache_size);

/* sgx_fwrite
* Purpose: write data to a file (see c++ fwrite documentation for more details).
*
Expand Down Expand Up @@ -276,7 +298,7 @@ int32_t SGXAPI sgx_fexport_auto_key(const char* filename, sgx_key_128bit_t *key)
* Return value:
* int32_t - result, 0 - success, 1 - there was an error, check errno for the error code
*/
int32_t SGXAPI sgx_fimport_auto_key(const char* filename, const sgx_key_128bit_t *key);
int32_t SGXAPI sgx_fimport_auto_key(const char* filename, const sgx_key_128bit_t *key, const uint16_t key_policy);


/* sgx_fclear_cache
Expand Down Expand Up @@ -316,7 +338,7 @@ int32_t SGXAPI sgx_fget_mac(SGX_FILE* stream, sgx_aes_gcm_128bit_tag_t* mac);
* Return value:
* int32_t - result, 0 - success, -1 - there was an error, check sgx_ferror for error code
*/
int32_t SGXAPI sgx_rename_meta(SGX_FILE* stream, const char* old_name, const char* new_name);
int32_t SGXAPI sgx_frename(SGX_FILE* stream, const char* old_name, const char* new_name);

#ifdef __cplusplus
}
Expand Down
Loading