View on GitHub

Open Enclave SDK

Build Trusted Execution Environment based applications to help protect data in use with an open source SDK that provides consistent API surface across enclave technologies as well as all platforms from cloud to edge.

What is Open Enclave SDK?

Confidential computing is an ongoing effort to protect data throughout its lifecycle at rest, in transit and now in use. With the use of Trust Execution Environments, customers can build applications that protect data from outside access while in use. Open Enclave SDK is an open source SDK targeted at creating a single unified enclaving abstraction for developer to build Trusted Execution Environment (TEEs) based applications. As TEE technology matures and as different implementations arise, the Open Enclave SDK is committed to supporting an API set that allows developers to build once and deploy on multiple technology platforms, different environments from cloud to hybrid to edge, and for both Linux and Windows.

Trusted Execution Environment(TEE) Based Application Development

An enclave application partitions itself into two components (1) an untrusted component (called the host) and (2) a trusted component (called the enclave). The host component runs unmodified on the untrusted operating system, while the trusted component runs within the enclave, the protected container provided by a TEE implementation. These protections allow enclaves to perform secure computations with assurances that secrets will not be compromised.

Core Tenets

Universal

Generalize enclave application model to minimize hardware/software specific concepts

Pluggable

Componentization to support desired runtimes and crypto libraries

Standardized

Remove hardware vendor specific signing and verification requirements

Multi-platform

Design with all software platforms, Windows and Linux, in mind

Compatible

Easier enablement of redistributable applications

Open

Open source and a standard for secure enclave-based application development


Supported SDK Functionality

✔Enclave creation and management

Function calls to manage the lifecycle of an enclave within your application

✔Enclave measurement and identity

Expressions of enclave measurement and identity

✔Communication

Mechanisms for defining call-ins and call-outs and the data marshalling associated with them

✔System primitives

System primitives exposed by enclave runtime, such as thread and memory management

✔Sealing

Functions to support persistence of secrets

✔Attestation

Functions to support verification of identity

✔Runtime and cryptographic libraries

Pluggable libraries to provide the necessary language and cryptographic support within an enclave


New Features in Current Version

With release 0.4, we are excited to provide support for:

Coming soon: Arm TrustZone support in Linux and both Intel SGX and TrustZone support in Windows!

Getting Started

Deploy a DC-series Virtual Machine in Azure

Provision an Azure Confidential Computing VM with Open Enclave SDK preinstalled

Install the SDK Package

Install the Open Enclave SDK package on any SGX FLC capable machine

Clone the Repo

Clone the Open Enclave SDK repo