Skip to content

oslab-ewha/enclave_base

BranchesTags

Repository files navigation

Remote Execution with Intel SGX and Remote Attestation

Secure Task Execution Framework

This repo demonstrates how local application tasks can be securely offloaded to a Trusted Execution Environment (TEE) on a privately owned remote server using Intel SGX. The system provides a complete workflow for enclave creation, remote attestation, secure channel establishment, and protected execution of offloaded tasks.

System Overview

  • Client: Submits computation tasks. Tasks can be safely offloaded to a secure enclave running on a remote execution agent.
  • Remote Execution Agent (TEE Gateway): Receives client tasks and forwards them to a remote SGX enclave. Performs attestation, key exchange, and secure channel setup.
  • Intel SGX Enclave (TEE): Executes sensitive or cooperative offloaded tasks inside an SGX enclave. The enclave protects memory regions (EPC) from access by the host OS or privileged administrators.

Modify or extend the logic depending on your offloading needs.

Build System Components

$ mkdir build
$ cd build
$ cmake ..
$ make

This produces the following binaries:

  • client – computation task submitter
  • execution_agent – Performs attestation + secure forwarding
  • enclave.signed – SGX enclave with embedded measurement & signature

Note: enclave.signed is produced after enclave signing (Step 3).

Build & Sign the SGX Enclave

Build the enclave shared object

$ make enclave

Sign the enclave (required for attestation)

$ sgx_sign sign -key enclave_private.pem \
                 -enclave enclave.so \
                 -out enclave.signed \
                 -config enclave.config.xml

The signing step produces:

  • MRENCLAVE: measurement of the enclave code
  • MRSIGNER: fingerprint of signing key

These values are used by the gateway to validate remote attestation.

Launch the Execution Agent and SGX Enclave

Terminal 1 — Launch Execution Agent

$ ./execution_agent

Terminal 2 — Launch SGX Enclave Host Loader

$ ./enclave_host ./enclave.signed

The host loader creates the enclave and exposes its RA (Remote Attestation) interface.

During startup:

  • The enclave creates a quote using Intel DCAP/EPID (depending on platform).
  • The gateway requests and verifies the quote (via Intel Attestation Service or local DCAP verifier).
  • After verification, a secure symmetric key is established.

When attestation completes, the gateway will print:

[OK] Remote enclave verified.
[OK] Secure channel established.

Run the client

$ ./client -a <execution_agent_ip>

If successful:

  • Tasks are encrypted at the execution agent
  • Decrypted only inside SGX enclave memory
  • Results are re-encrypted and sent back securely

Terminal output will confirm:

Task offloaded securely.
Enclave execution successful.
Returned result: <value>

About

No description, website, or topics provided.

Resources

Readme
Activity
Custom properties

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages