[seL4] seL4 in an SGX enclave?

Samuel Weiser samuel.weiser at iaik.tugraz.at
Tue Feb 27 21:42:57 AEDT 2018


Hi!

As Gernot mentioned, enclaves run in ring 3. There's currently no
possibility to implement something like kernel enclaves with SGX. To be
slightly off-topic: Instead of trying to run seL4 inside SGX, one can
think the other way round and use seL4 to augment SGX enclaves with
trusted platform services (e.g. http://arxiv.org/abs/1701.01061).

Best,
Sammey


On 2018-02-27 10:47, Corey Richardson wrote:
> This is email is me being kinda lazy. Does anyone know how challenging this
> would actually be to pull off? I'm interested in looking into it, but can't for a while.
>
> I feel like it makes sense to bootload some little stub that sets up seL4 as the only
> enclave in the system. I don't see any reason to have multiple enclaves when
> using seL4. But, from this, it should be possible to get a good static root of trust
> remote attestation on Google Cloud.
>
> (And also, can finally implement https://www.blackhat.com/docs/us-17/thursday/us-17-Swami-SGX-Remote-Attestation-Is-Not-Sufficient-wp.pdf)
>





More information about the Devel mailing list