Trusting applications launched by the enclave

Applications running in an enclave may launch other processes, using syscalls like execve and fork. This section explains how the Anjuna SGX Runtime handles these new “child” applications.

On this page, some code blocks are shortened to emphasize only the relevant configuration. A line with <snip>…​ indicates that some lines have been removed from the full configuration.

execve

Applications may run other "child" applications (processes) using the execve syscall. This includes the exec(3) family of functions in libc, like execl and execvp. The child processes may be either trusted (will run in an enclave), or untrusted (will run as an unprotected process, outside of an enclave).

In the parent application’s manifest, you can list the signatures of executables that you expect to run in enclaves using the Anjuna SGX Runtime in the trusted_children field.

For example, if your program will execve the /bin/ls executable, you can compile its manifest template (ls.manifest.template.yaml) and calculate its signature by running the following commands:

$ anjuna-compile-manifest /bin/ls
Compiled manifest written to ls.manifest.sgx

$ anjuna-sign /bin/ls
<snip...>
Enclave measurement:
   f65984feb716dcba5cebf7b5a244eec23497401c70dad3cb736815d690020056
Signer measurement:
   980078c7ee8bad65463aa0157f62f79fa238662021844f421269bb28b28471a3
Signature written to ls.sig

Now you can add the signature file ls.sig to the trusted_children in the parent manifest template:

trusted_children:
- ls.sig  # assuming it is in the current working directory

Then the parent manifest can be compiled and signed as usual.

When the Anjuna SGX Runtime handles an execve syscall for /bin/ls, it will run /bin/ls in a new enclave.

fork

Applications may also copy themselves using the fork syscall. When the Anjuna SGX Runtime sees a fork, a new enclave is created to run the new process. In other words, forked processes are automatically protected by the Anjuna SGX Runtime.

fork and execve interaction

It is a common pattern to call fork followed by execve to spawn a new process. For example, this is the approach used by C posix_spawn (from spawn.h) and Python’s subprocess.Popen.

With the Anjuna SGX Runtime, this is an inefficient operation because the fork creates a new enclave, which is expensive. Then the execve creates another new enclave (or an unprotected process, depending on trusted_children) to actually run the process. The initial forked enclave is unused and destroyed.

Anjuna provides a Python package, anjuna.posix, which patches Python’s standard library to make this flow more efficient. If you encounter this performance issue in languages besides Python, contact support@anjuna.io for guidance.

Security concerns

It is possible for an application to fork and execve itself (i.e., the same process of the parent enclave). In this type of scenario, it is difficult to extend trust from the parent to the child, as the child’s measurements might be different (e.g., if a different manifest was used to launch them). Therefore, it is recommended that sensitive information (encrypted files, secret keys) be accessible only to measured enclaves, either via Anjuna Policy Manager policies or local keys that are tied to the enclave’s measurements.