opensgx
opensgx copied to clipboard
sslab-gatech
Settle on a single SSL library
opensgx currently uses both openssl, polarssl, and mbedtls -- is there a particular reason why you don't use a single library for all crypto operations?
It is also quite confusing that the Makefile includes PolarSSL when compiling demo/hello.c, but OpenSSL when compiling test/openssl (which doesn't even exist?). Which should a new OpenSGX application use? The PolarSSL version that is included seems to be quite old, and has a bunch of stuff stripped out (like TLS support).
When implementing the first version of OpenSGX, we use PolarSSL because it is light ssl library to reduce the TCB (size of the enclave). For calculating enclavehash or MAC of einittoken (egetkey instruction or ereport instruction), we use polarssl library functions. The reason why we add openssl support is to demonstrate the modified SGX-enabled Tor, which is a showcasing application of OpenSGX paper.
Thanks, Seongmin
2016-01-12 5:09 GMT+09:00 Jon Gjengset [email protected]:
It is also quite confusing that the Makefile https://github.com/sslab-gatech/opensgx/blob/master/user/Makefile includes PolarSSL when compiling demo/hello.c, but OpenSSL when compiling test/openssl (which doesn't even exist?). Which should a new OpenSGX application use? The PolarSSL version that is included seems to be quite old, and has a bunch of stuff stripped out (like TLS support).
— Reply to this email directly or view it on GitHub https://github.com/sslab-gatech/opensgx/issues/26#issuecomment-170674686 .
I realize that on the path to where you are now, introducing these along the way may have been reasonable, but now that you are stabilizing the API (e.g., by publishing the OpenSGX Tutorial v1), you should consider converging on just one. Having this, this, this, and this seems unnecessary, and becomes very confusing as a user of OpenSGX.
Dear Jon,
Thank you for bringing attention to this issue. We agree that it needs some clean up. The plan is to use a modern version of mbedtls inside OpenSGX and allow applications to use openSSL (and perhaps mbedtls) inside the enclave.
-Dongsu
Dongsu Han Assistant Professor, Department of Electrical Engineering Korea Advanced Institute of Science and Technology 291 Daehak-ro, Yuseong-gu, Daejeon 305-701, Korea Office: Room 814, IT Convergence Building (N1) Tel: +82-42-350-7431 Email: [email protected]
On Tue, Jan 12, 2016 at 11:42 AM, Jon Gjengset [email protected] wrote:
I realize that on the path to where you are now, introducing these along the way may have been reasonable, but now that you are stabilizing the API (e.g., by publishing the OpenSGX Tutorial v1), you should consider converging on just one. Having this https://github.com/sslab-gatech/opensgx/tree/master/user/polarssl, this https://github.com/sslab-gatech/opensgx/tree/master/libsgx/mbedtls, this https://github.com/sslab-gatech/opensgx/tree/master/libsgx/openssl, and this https://github.com/sslab-gatech/opensgx/tree/master/libsgx/polarssl seems unnecessary, and becomes very confusing as a user of OpenSGX.
— Reply to this email directly or view it on GitHub https://github.com/sslab-gatech/opensgx/issues/26#issuecomment-170765354 .
Any particular reason why you wouldn't just use either mbedtls or OpenSSL for everything?
OpenSSL is used by sgx-tor project. Actually we take OpenSSL more like an example to demonstrate one can easily develop enclave program using third-party library.
Ah, I see. I think one thing that might be useful is to document which of the things in the Makefile are necessary for any OpenSGX application to work, and which are things the application developer may choose to link in as third-party libraries. For example, if I choose to use OpenSSL, do I still link in mbedtls/PolarSSL?
Thanks for your suggestion, I definitely agree that we need to document this.
Yes. If you want to use openssl as a 3rd party library for your enclave program, you should require mbedtls to compile opensgx for the crypto operations.
2016년 1월 13일 수요일, John (Ming-Wei) [email protected]님이 작성한 메시지:
Thanks for your suggestion, I definitely agree that we need to document this.
— Reply to this email directly or view it on GitHub https://github.com/sslab-gatech/opensgx/issues/26#issuecomment-170973750 .