secure-xgboost icon indicating copy to clipboard operation
secure-xgboost copied to clipboard

Published 20 hours ago verified publisher icon mc2-project

Some questions about the use of enclave

Open DylanWangWQF opened this issue 3 years ago • 13 comments

Hi, everyone! I have a question about the operations inside the enclave.

As far as I know, OpenEnclave currently does not support fstream inside the enclave. So how should we load the file content inside the enclave? (C/C++). And for other functions which are not supported in OpenEnclave? Are there some Docs to introduce these codes?

BTW, are there any Docs to introduce the use of Oblivious Primitives such as oassign(), osort() in secure-XGBoost?

Thank you in advance!

DylanWangWQF avatar Jun 13 '21 22:06 DylanWangWQF

Hi @DylanWangWQF, thanks for your interest in our project!

Regarding loading files inside the enclave, we load the host file system module when initializing an enclave, which enables us to call functions like fopen and fread within the enclave.

For some more information on the oblivious primitives we use, please see section 6 of our paper.

chester-leung avatar Jun 14 '21 01:06 chester-leung

Many thanks for your help! @chester-leung I will study this and figure out how it works.

DylanWangWQF avatar Jun 15 '21 06:06 DylanWangWQF

Hi @chester-leung , Sry for reopening this issue, I have another question.

Now, I want to link the NTL and GMP library inside the enclave. Could you tell me how do you use other libraries inside the enclave in this project?

For the AVX2 instructions in this project (#include <intrinsics/immintrin.h>), can we use it directly inside the enclave? Since I didn't find related docs to introduce it, I'm confusing to understand the mechanism by reading the code.

Thank you in advance!

DylanWangWQF avatar Jun 17 '21 04:06 DylanWangWQF

@DylanWangWQF in general, if you want to link other libraries into the enclave, you can link them in CMakeLists.txt. See here for an example of how we linked an external library (spdlog) for usage within the enclave. Some libraries may not be completely compatible to work inside the enclave, e.g. some syscalls aren't supported, so you may have to go in and remove/modify those functions if you don't need them.

My colleague @podcastinator will answer your question about AVX2 instructions.

What is your use case here? Maybe we can work with you to build something if you're willing to contribute back to the open source.

chester-leung avatar Jun 17 '21 17:06 chester-leung

Hi @DylanWangWQF, yes, you can use the AVX2 instructions directly inside the enclave. Please see https://github.com/mc2-project/secure-xgboost/blob/master/include/enclave/obl_primitives.h for examples. (You will need to set the CMake flag USE_AVX2 to enable the use of AVX instructions inside the enclave -- this causes the enclave target to be compiled with the requisite -mavx2 compiler flag)

podcastinator avatar Jun 17 '21 17:06 podcastinator

@podcastinator Many thanks for your reply! I will study the use of AVX2 in this project.

@chester-leung Currently, I'm working on the combination of HElib and OE. As you said, I have to link other libraries and consider the compatibility inside the enclave.

DylanWangWQF avatar Jun 22 '21 07:06 DylanWangWQF

@DylanWangWQF Out of curiosity, if you can tell, why are you using homomorphic encryption inside of an enclave? I haven't seen such a use-case before.

ryanleh avatar Jun 22 '21 15:06 ryanleh

@ryanleh I'd like to do some pre-computation based on HE outside the enclave. Then decrypt it inside the enclave.

May I ask how can I use the module oe_load_module_host_file_system in my sample? Where is the scource edl api?

DylanWangWQF avatar Jun 25 '21 00:06 DylanWangWQF

@DylanWangWQF See here for more info on oe_load_module_host_file_system -- https://github.com/openenclave/openenclave/blob/master/docs/UsingTheIOSubsystem.md This function is provided by the OpenEnclave SDK and is needed for loading the requisite IO modules

podcastinator avatar Jun 25 '21 03:06 podcastinator

Got it! Thank you! @podcastinator here should be stack pages https://github.com/mc2-project/secure-xgboost/blob/96eb1a9a985135566b720da220a1fb20ef978ee4/CMakeLists.txt#L30

DylanWangWQF avatar Jun 25 '21 07:06 DylanWangWQF

@chester-leung I found the heap page is around 390MB in the setting. https://github.com/mc2-project/secure-xgboost/blob/96eb1a9a985135566b720da220a1fb20ef978ee4/CMakeLists.txt#L27

This is much larger than what existing SGX1 hardware can provide. And in your paper, it's 112Mb enclave page cache. So is this available in the project for the large program?

BTW, I'm wondering how does the enclave process large datasets, e.g, much large than 128MB?

DylanWangWQF avatar Jun 30 '21 00:06 DylanWangWQF

I propose this question is because the enclave image is too big after compiling inside the enclave.

drwxrwxr-x 3 dylan dylan 4.0K Jun 30 11:24 CMakeFiles/
-rw-rw-r-- 1 dylan dylan 1.2K Jun 30 11:24 cmake_install.cmake
-rwxrwxr-x 1 dylan dylan  66M Jun 30 11:24 enclave*
-rw-rw-r-- 1 dylan dylan  66M Jun 30 11:24 enclave.signed
-rw-rw-r-- 1 dylan dylan 3.3K Jun 30 11:24 heenclave_args.h
-rw-rw-r-- 1 dylan dylan 332K Jun 30 11:24 heenclave_t.c
-rw-rw-r-- 1 dylan dylan  13K Jun 30 11:24 heenclave_t.h
-rw-rw-r-- 1 dylan dylan 7.3K Jun 30 11:24 Makefile

DylanWangWQF avatar Jun 30 '21 00:06 DylanWangWQF

@DylanWangWQF the 112MB limit only applies to the physical memory (i.e., the portion of the RAM dedicated to the EPC). This does not restrict the amount of virtual memory available to the enclave application, and the selected heap size determines the amount of virtual memory that the app has its disposal.

podcastinator avatar Jun 30 '21 01:06 podcastinator