Trusting Applications Launched by the Enclave

Applications running in an enclave may launch other processes, using syscalls like execve and fork. This section explains how the Anjuna SGX Runtime handles these new “child” applications.

execve

Applications may run other "child" applications (processes) using the execve syscall. This includes the exec(3) family of functions in libc, like execl and execvp. The child processes may be either trusted (will run in an enclave), or untrusted (will run as an unprotected process, outside of an enclave).

In the parent application’s manifest, you can list the signatures of executables that you expect to run in enclaves using the Anjuna SGX Runtime in the trusted_children field.

For example, if your program will execve the /bin/ls executable, you can compile its manifest template (ls.manifest.template.yaml) and calculate its signature by running the following commands:

$ anjuna-compile-manifest /bin/ls
Compiled manifest written to ls.manifest.sgx

$ anjuna-sign /bin/ls
<snip...>
Enclave measurement:
   f65984feb716dcba5cebf7b5a244eec23497401c70dad3cb736815d690020056
Signer measurement:
   980078c7ee8bad65463aa0157f62f79fa238662021844f421269bb28b28471a3
Signature written to ls.sig

Now you can add the signature file ls.sig to the trusted_children in the parent manifest template:

trusted_children:
- ls.sig  # assuming it is in the current working directory

Then the parent manifest can be compiled and signed as usual.

When the Anjuna SGX Runtime handles an execve syscall for /bin/ls, it will calculate the executable’s signature and compare it to ls.sig. If they match, /bin/ls will be run in a new enclave with the Anjuna SGX Runtime. Otherwise, it will be run as an unprotected child process.

fork

Applications may also copy themselves using the fork syscall. When the Anjuna SGX Runtime sees a fork, a new enclave is created to run the new process. In other words, forked processes are automatically protected by the Anjuna SGX Runtime.

fork and execve interaction

It is a common pattern to call fork followed by execve to spawn a new process. For example, this is the approach used by C posix_spawn (from spawn.h) and Python’s subprocess.Popen.

With the Anjuna SGX Runtime, this is an inefficient operation because the fork creates a new enclave, which is expensive. Then the execve creates another new enclave (or an unprotected process, depending on trusted_children) to actually run the process. The initial forked enclave is unused and destroyed.

Anjuna provides a Python package, anjuna.posix, which patches Python’s standard library to make this flow more efficient. If you encounter this performance issue in languages besides Python, contact support@anjuna.io for guidance.