jovanbulck/bare-sgx


Minimal SGX Enclave Development on Bare-Metal Linux Platforms

This repository provides a minimal, fully customizable framework for developing Intel SGX enclaves directly on bare-metal Linux, without relying on bloated external SDKs. It offers a clean, low-level starting point for building minimalist enclaves in assembly or C, interfacing directly with the upstream Linux SGX driver.

By interacting directly with the SGX driver in the Linux kernel, bare-sgx removes the complexity and overhead of existing SGX SDKs and library OSs. The result is extremely small enclaves, often just a few pages, tailored to a specific purpose and excluding all other unnecessary code and features. Therefore, bare-sgx provides a truly minimal trusted computing base while avoiding fragile dependencies that could hinder portability or long-term reproducibility.

License. bare-sgx is free software, licensed under GPLv2. The initial code was forked from the selftests/sgx test enclave in the Linux kernel repository, following a discussion on the kernel mailing list.

❓ Use Cases

bare-sgx aims to enable innovative SGX enclave research, both offensive and defensive, and to improve the long-term reproducibility of research artifacts.

Example use cases include:

  • Developing minimal-trust enclaves with complete control over the trusted computing base, e.g., to support formal verification efforts.
  • Packaging research artifacts or proof-of-concepts without fragile and bloated SDK dependencies, relying solely on the stable Linux kernel interface to ensure long-term reproducibility and portability.
  • Rapid prototyping and experimentation with new attacks, defenses, and kernel extensions.
  • Minimal, self-contained enclave test framework for CI/CD integration (e.g., as used in the Pandora-SGX symbolic execution tool).

✨ Features

Untrusted runtime

  • Minimal pure-C untrusted runtime for building, signing, and loading minimal enclave images (packaged in a custom ELF format). The only dependencies are OpenSSL and the upstream /dev/sgx_enclave kernel driver.
  • SGX-Step integration for rapid attack prototyping, including single-stepping and controlled-channel attacks.
  • Buildroot integration for packaging bare-sgx enclaves in minimal, self-contained VM images with virtualized SGX support.
  • CI/CD pipeline for automated building and testing.

Trusted runtime

  • Minimal and fully customizable enclave skeletons in pure assembly with optional bootstrapping to C code.
  • Optional bare-trts trusted runtime (to be upstreamed), featuring:
    • Auto-generated secure bridge code for interfaces defined in Enclave Definition Language (EDL) via Intel's unmodified edger8r tool.
    • Minimal embedded malloc (current implementation from FreeRTOS).
  • Optional HACL* integration for formally verified cryptographic primitives (to be upstreamed).

🏁 Wishlist / Roadmap

  • More and improved example enclaves.
  • Support SGXS format for building and loading enclaves, replacing the custom ELF format currently used by the URTS loader. (Note: SGXS files can currently be extracted using sgx-tracer.)
  • Exception handling and AEX-Notify support (work in progress).
  • Formal verification.
