Intel® Protected File System Library
- A new feature called the Intel Protected File System Library was introduced in the Intel SGX 1.7 release. This library is used to create, operate on, and delete files from inside an enclave. To make use of the Intel Protected File System Library you need the following:
- Visual Studio 2015
- Intel SGX SDK version 1.7
- Intel SGX PSW version 1.7
- The above requirements are essential for implementing the Intel SGX Protected File System. In this document we discuss the architecture, APIs, implementation and limitations of the Intel Protected File System Library.
Overview of Intel® Protected File System Library:
- Intel® Protected File System Library provides protected files API for Intel® SGX enclaves. It supports a basic subset of the regular C file API and enables you to create files and work with them as you would normally do from a regular application.
- Intel SGX provides 15 file-operation API functions. They work almost the same way as the regular C file API.
- With this API, the files are encrypted and saved on the untrusted disk during a write operation, and they are verified for confidentiality and integrity during a read operation.
- To encrypt a file, you provide a file encryption key. This is a 128-bit key, and it is used as a key derivation key to generate multiple encryption keys.
- A key derivation key (the input to one of the key derivation functions) can be generated by an approved cryptographic random bit generator or by an approved automated key establishment process. Another option is to use an automatic key derived from the enclave sealing key.
- This way we keep our files secure: since they are encrypted inside the enclave before being stored, they remain safe even on the untrusted disk.
Intel Protected File System API:
The Intel Protected File System Library provides the following functionalities.
- sgx_fopen
- sgx_fopen_auto_key
- sgx_fclose
- sgx_fread
- sgx_fwrite
- sgx_fflush
- sgx_ftell
- sgx_fseek
- sgx_feof
- sgx_ferror
- sgx_clearerr
- sgx_remove
- sgx_fexport_auto_key
- sgx_fimport_auto_key
- sgx_fclear_cache
The above mentioned APIs are part of the SGX Protected FS trusted library and can be called only from within trusted enclave code, which is what keeps our files secure.
Limitations of the Protected File System
- Because protected files have metadata embedded in them, only one file handle can be open for writing at a time, or alternatively many file handles for reading.
- An operating system protection mechanism is used to guard against accidentally opening more than one 'write' file handle. If this protection is bypassed, the file will get corrupted.
- An open file handle can be used by many threads inside the same enclave; the APIs include internal locks to handle this, and the operations are executed one at a time.
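An added example (not code from this page or from the Intel SDK) showing the call pattern of the API listed above together with the single-writer rule from the limitations: a record is stored under the automatic sealing-derived key with the write handle held only briefly, read back, and checked through sgx_ferror. Inside an enclave it builds against the real sgx_tprotected_fs.h; outside SGX, for illustration only, the same calls are mapped onto the stdio functions they mirror (that mapping, the file path and the sample record are assumptions of the example).

```c
#include <string.h>
/* Real Protected FS header inside an enclave; outside SGX (illustration only)
 * the calls are mapped onto the stdio functions they mirror. That mapping is
 * an assumption of this example, not SDK code. */
#if defined(__has_include)
#  if __has_include(<sgx_tprotected_fs.h>)
#    include <sgx_tprotected_fs.h>
#    define HAVE_SGX_PFS 1
#  endif
#endif
#ifndef HAVE_SGX_PFS
#  include <stdio.h>
#  define SGX_FILE FILE
#  define sgx_fopen_auto_key(name, mode) fopen((name), (mode))
#  define sgx_fwrite fwrite
#  define sgx_fread  fread
#  define sgx_fflush fflush
#  define sgx_ferror ferror
#  define sgx_fclose fclose
#  define sgx_remove remove
#endif
/* Store a record under the automatic (sealing-key-derived) key. The single
 * write handle is held only as long as needed. Returns 0 on success. */
int pfs_store(const char *path, const void *data, size_t len) {
    SGX_FILE *f = sgx_fopen_auto_key(path, "wb");
    if (!f) return -1;
    int rc = (sgx_fwrite(data, 1, len, f) == len && sgx_fflush(f) == 0 && sgx_ferror(f) == 0) ? 0 : -1;
    if (sgx_fclose(f) != 0) rc = -1;  /* close commits metadata; its status matters */
    return rc;
}
/* Read back; returns bytes read, or -1 on open/read error (inside SGX a
 * failed integrity check surfaces here as an error on the handle). */
long pfs_load(const char *path, void *buf, size_t cap) {
    SGX_FILE *f = sgx_fopen_auto_key(path, "rb");
    if (!f) return -1;
    size_t n = sgx_fread(buf, 1, cap, f);
    int err = sgx_ferror(f);
    sgx_fclose(f);
    return err ? -1 : (long)n;
}
/* Round trip of a constructed sample record; 1 if it survives intact. */
int pfs_roundtrip_demo(const char *path) {
    static const char sample[] = "constructed secret record #1";
    char out[64] = {0};
    if (pfs_store(path, sample, sizeof sample) != 0) return 0;
    long n = pfs_load(path, out, sizeof out);
    int ok = n == (long)sizeof sample && memcmp(sample, out, sizeof sample) == 0;
    sgx_remove(path);
    return ok;
}
```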
Please find the detailed information in the PDF; I have also shared sample code for the Intel Protected File System Library using SGX.