Topic: AES-NI and Intel SGX

When does WolfSSL plan to leverage AES-NI within their Intel SGX library? Just wondering. Right now, I'm forced to use a mixture of SGX SSL and WolfSSL, since SGX SSL has AES-NI support, but WolfSSL has better asymmetric support, but I'd rather have to deal with just one crypto module if possible.


Re: AES-NI and Intel SGX

abbey_chase,

Thank you so much for inquiring. By default aesni is not enabled in SGX but you should be able to turn it on by adding the appropriate defines in Wolfssl_C_Extra_Flags section of:

wolfssl-4.3.0/IDE/LINUX-SGX/sgx_t_static.mk
wolfssl-examples/SGX_Linux/sgx_t.mk
wolfssl-examples/SGX_Linux/sgx_u.mk

The setting to add would be:

Wolfssl_C_Extra_Flags := -DWOLFSSL_SGX
Wolfssl_C_Extra_Flags += -DWOLFSSL_AESNI # Add this setting to enable AESNI support

Let us know if you have any trouble getting it set up.

Warm Regards,

K

Re: AES-NI and Intel SGX

Kaleb J. Himes wrote:

abbey_chase,

Thank you so much for inquiring. By default aesni is not enabled in SGX but you should be able to turn it on by adding the appropriate defines in Wolfssl_C_Extra_Flags section of:

wolfssl-4.3.0/IDE/LINUX-SGX/sgx_t_static.mk
wolfssl-examples/SGX_Linux/sgx_t.mk
wolfssl-examples/SGX_Linux/sgx_u.mk

The setting to add would be:

Wolfssl_C_Extra_Flags := -DWOLFSSL_SGX
Wolfssl_C_Extra_Flags += -DWOLFSSL_AESNI # Add this setting to enable AESNI support

Let us know if you have any trouble getting it set up.

Warm Regards,

K

Thank you. Is the WOLFSSL_AESNI define one of many different defines that I should include if I want to enable certain other features? I.e., when I ran the ./configure executable from the root of WolfSSL, I specified the following flags:

--enable-aesccm --enable-aesctr --enable-aesofb --enable-aescfb --enable-aesni --enable-intelasm --enable-intelrand --enable-keygen --enable-certgen --enable-certreq --enable-certext --enable-hkdf --enable-x963kdf --enable-curve25519 --enable-ed25519 --enable-psk --enable-aeskeywrap

Do I have to include similar flags as -DWOLFSSL_AESNI for each of the flags above?


4 (edited by abbey_chase 2020-04-22 18:40:35)

Re: AES-NI and Intel SGX

Kaleb J. Himes wrote:

abbey_chase,

Thank you so much for inquiring. By default aesni is not enabled in SGX but you should be able to turn it on by adding the appropriate defines in Wolfssl_C_Extra_Flags section of:

wolfssl-4.3.0/IDE/LINUX-SGX/sgx_t_static.mk
wolfssl-examples/SGX_Linux/sgx_t.mk
wolfssl-examples/SGX_Linux/sgx_u.mk

The setting to add would be:

Wolfssl_C_Extra_Flags := -DWOLFSSL_SGX
Wolfssl_C_Extra_Flags += -DWOLFSSL_AESNI # Add this setting to enable AESNI support

Let us know if you have any trouble getting it set up.

Warm Regards,

K

BTW, if I specify -DWOLFSSL_AESNI, then I get compiler errors because the following include statements all fail, since the associated files do not exist anywhere in the WolfSSL tree structure:

#include <wmmintrin.h>
#include <emmintrin.h>
#include <smmintrin.h>

Also, according to https://github.com/wolfSSL/wolfssl/tree … LINUX-SGX, at the bottom of the instruction it reads that AES-NI instructions for SGX haven't been added yet. Is that a misprint?


Re: AES-NI and Intel SGX

abbey,

No, not at all! In fact, that is exactly what ./configure is doing: when you tell configure to "--enable-aesni", the configure script writes the option "#define WOLFSSL_AESNI" into the file "options.h", which is then consumed by the wolfSSL library to know the build settings to use.

Since SGX is using a makefile, you just have to specify the same flags the ./configure script would output. So if you want the SGX library to have the same settings as the configure you ran, you can first run ./configure with the desired settings. Open wolfssl/options.h and copy each #define line into the SGX makefiles with a "-D" prepended instead of "#define ". (NOTE: you have to update all three makefiles, the library and the two makefiles for the examples, trusted and untrusted (sgx_t.mk == sgx trusted makefile and sgx_u.mk == sgx untrusted makefile).)

Warm Regards,

K
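
The options.h-to-makefile step described in the reply above can be scripted. This is an added example, not code from the thread or from wolfSSL; the function names, the constructed sample header, and the assumption that the first #ifndef in options.h is its include guard are all hypothetical.

```shell
#!/bin/sh
# Added example: turn the "#define" lines of wolfssl/options.h into
# "Wolfssl_C_Extra_Flags += -D..." lines for the SGX makefiles.

# Reads the file named in $1, or standard input when no file is given.
options_to_sgx_flags() {
    awk '
        { sub(/\r$/, "") }                      # tolerate CRLF line endings
        # Remember the name after the first #ifndef so the include guard
        # (assumed to be that name) is not emitted as a build flag.
        $1 == "#ifndef" && guard == "" { guard = $2; next }
        $1 == "#define" && $2 != guard {
            name = $2
            val = $0                            # text after the name is the value
            sub(/^[ \t]*#define[ \t]+[^ \t]+[ \t]*/, "", val)
            sub(/[ \t]+$/, "", val)
            if (val == "") print "Wolfssl_C_Extra_Flags += -D" name
            else           print "Wolfssl_C_Extra_Flags += -D" name "=" val
        }
    ' "${1:--}"
}

# Constructed sample in the shape of a generated options.h (not real output).
sample_options_h() {
    cat <<'EOF'
/* constructed sample */
#ifndef WOLFSSL_OPTIONS_H
#define WOLFSSL_OPTIONS_H

#undef  WOLFSSL_AESNI
#define WOLFSSL_AESNI

#undef  HAVE_AESCCM
#define HAVE_AESCCM

#undef  ECC_MIN_KEY_SZ
#define ECC_MIN_KEY_SZ 224

#endif /* WOLFSSL_OPTIONS_H */
EOF
}

# With a file argument, convert that file; otherwise show the sample conversion.
if [ -f "${1:-}" ]; then
    options_to_sgx_flags "$1"
else
    sample_options_h | options_to_sgx_flags
fi
```

The same generated lines go into all three makefiles named in the thread, so the library and both example builds are compiled with identical settings.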

Once