The Intel® Software Guard Extensions SSL (Intel® SGX SSL) cryptographic library is intended to provide cryptographic services for Intel® Software Guard Extensions (SGX) enclave applications. The Intel® SGX SSL cryptographic library is based on the underlying OpenSSL* Open Source project, providing a full-strength general purpose cryptography library.
This branch supports the OpenSSL 3.0 series, but works in 1.1.1 compatible mode.
See License.txt for details.
- For details on library architecture: Architecture overview
- For details on using the libraries, please refer to the:
- Microsoft Visual Studio 2019
- Perl
- NASM (Netwide Assembler)
- Intel(R) SGX Windows latest release, including SDK, PSW, and driver
(Note: Perl, NASM need to be included in machine's PATH variable)
To build the Intel® SGX SSL package in Windows OS:
- Download the OpenSSL package into the openssl_source/ directory. (tar.gz package, e.g. openssl-3.0.*.tar.gz)
- Download and install the latest SGX SDK from Intel Developer Zone. You can find the installation guide in the same website.
- Change the directory to the SGXSSL path and enter the following command:
build_all.cmd <OPENSSL_VERSION> [default == openssl-3.0.17]
This builds the Intel® SGX SSL libraries (libsgx_tsgxssl.lib, libsgx_usgxssl.lib, libsgx_tsgxssl_crypto.lib) that can be found in package/lib/{Win32|X64}/{debug|release}/. The version with CVE-2020-0551 mitigation enabled can be found in package/lib/X64/{CVE-2020-0551-CF-Release|CVE-2020-0551-Load-Release}/.
- Perl
- Toolchain with mitigation (refer to SGX Linux README)
- Intel(R) SGX Linux latest release, including SDK and PSW.
To build the Intel® SGX SSL package in Linux OS:
- Download the OpenSSL 3.0.* package into openssl_source/ directory. (tar.gz package, e.g. openssl-3.0.*.tar.gz)
- Download and install the latest SGX SDK from 01.org. You can find the installation guide in the same website.
- Source SGX SDK's environment variables.
- Change into the Linux/ directory and run:
make all test
This builds and tests the Intel® SGX SSL libraries (libsgx_tsgxssl.a, libsgx_usgxssl.a, libsgx_tsgxssl_crypto.a), which can be found in package/lib64/. The Intel® SGX SSL trusted libraries (libsgx_tsgxssl.lib, libsgx_tsgxssl_crypto.lib) with CVE-2020-0551 mitigation enabled can be found in package/lib64/{cve_2020_0551_cf|cve_2020_0551_load}/.
- DEBUG={1,0}: Libraries build mode, with debug symbols or without. Default
0. - NO_THREADS={1,0}: Enable
no-threadsin the OpenSSL's build configuration options. Default0. - SGX_MODE={HW,SIM}: User can take
SIMto run the unit test on non-SGX platform if necessary. DefaultHW. - DESTDIR=<PATH>: Directory realpath to install Intel® SGX SSL libraries in. Default
/opt/intel/sgxssl/. - VERBOSE={1,0}: Makefile verbose mode. Print compilation commands before executing it. Default
0. - OSSL3ONLY={1,0}: Use only OpenSSL 3.x APIs, and legacy functions will not be valid. Default
0. - FIPS={1,0}: Use the OpenSSL FIPS provider as an experimental feature. Default
0.
To install Intel® SGX SSL libraries in Linux OS, run:
make all test
sudo make install
To use the trusted cryptography library with SGX SSL/OpenSSL 3.*, especially for the multithreaded enclaves, you may need to increase the enclave heap size adjusting the enclave signing configuration XML file:
...
<HeapMaxSize>...</HeapMaxSize>
...
As an experimental feature, the SGX SDK supports building the SGX SSL library using the OpenSSL FIPS provider, instead of the default provider. Note: This feature is only supported on Linux and OpenSSL 3.1.6. You must download two separate OpenSSL packages: one from the OpenSSL 3.0 series and one for OpenSSL 3.1.6. To build and install the Intel® SGX SSL package and the OpenSSL FIPS provider run:
make all FIPS=1
sudo make install
You may build and run one or both test programs that utilize the FIPS provider. The FIPS=1 option must be specified; otherwise, a linker error will occur.
make test FIPS=1
make fips_test FIPS=1