How to access an untrusted library from within an Intel® Software Guard Extensions (Intel® SGX) enclave
- Attempted to link an enclave with a static library that is not on the list of trusted libraries.
- Enclave signing step fails with error: The enclave contains an import table.
Linking an enclave to a dynamic library or to an untrusted library causes the enclave signing process to fail.
Link the enclave to trusted, static libraries listed in the Trusted Libraries section in the Intel® Software Guard Extensions (Intel® SGX) Developer Reference Guide for Windows* or Linux*.
Instead of calling the untrusted library directly from the enclave, develop interface functions in your untrusted application that access the untrusted library.
Then create OCALLs to the untrusted interface functions. The enclave indirectly accesses the library via OCALLs to the interface functions in the untrusted application.
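The pattern above, modeled in plain C so that it builds without the Intel SGX SDK. This is an added example, not code from Intel or from the SDK. Every function name, the EDL in the comment, and the sample keys are assumptions, and the hand-written proxy stands in for the one `sgx_edger8r` generates.

```c
/* Plain-C model of the OCALL pattern. In a real project sgx_edger8r
 * generates the proxy from EDL such as (hypothetical names):
 *   enclave { untrusted {
 *     int ocall_lib_lookup([in, string] const char *key,
 *                          [out, size=cap] char *buf, size_t cap);
 *   }; };                                                          */
#include <stddef.h>
#include <string.h>

/* Stand-in for the untrusted library (normally a DLL/.so the app links). */
static int untrusted_lib_lookup(const char *key, char *out, size_t cap) {
    if (strcmp(key, "bogus") == 0) return 4096;  /* models a buggy or hostile reply */
    const char *val = strcmp(key, "region") == 0 ? "eu-west" : NULL; /* constructed data */
    if (val == NULL) return -1;
    size_t n = strlen(val);
    if (n > cap) return -1;
    memcpy(out, val, n);
    return (int)n;                               /* number of bytes written */
}

/* Untrusted application: interface function that calls the library. */
static int app_ocall_lib_lookup(const char *key, char *buf, size_t cap) {
    return untrusted_lib_lookup(key, buf, cap);
}

/* Stand-in for the generated proxy: marshals data across the boundary. */
static int ocall_lib_lookup(int *retval, const char *key, char *buf, size_t cap) {
    char outside[64] = {0};                      /* models untrusted memory */
    if (cap > sizeof outside) return 1;          /* nonzero models a failed sgx_status_t */
    *retval = app_ocall_lib_lookup(key, outside, cap);
    memcpy(buf, outside, cap);                   /* [out, size=cap]: copy back into enclave */
    return 0;
}

/* Enclave code: reaches the library only through the OCALL, then validates. */
int enclave_get_value(const char *key, char *dst, size_t dst_cap) {
    int n = 0;
    if (dst_cap == 0) return -1;
    if (ocall_lib_lookup(&n, key, dst, dst_cap - 1) != 0) return -1;
    /* The return value comes from untrusted code: range-check before use. */
    if (n < 0 || (size_t)n > dst_cap - 1) return -1;
    dst[n] = '\0';
    return n;
}

int main(void) {
    char v[16];
    return enclave_get_value("region", v, sizeof v) == 7 ? 0 : 1;
}
```

The enclave never links against the library, so its import table stays empty, and everything the OCALL returns is checked inside the enclave because it was produced by untrusted code.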
Refer to Intel® Software Guard Extensions SDK Developer Reference for Windows* OS for more information on linking enclaves with libraries.
In the Linking Enclave with Libraries section:
"An enclave DLL must not depend on any dynamically linked library in any way...The enclave image signing process will fail if the enclave file has any unresolved dependencies. It means that an enclave must have an empty IAT (Import Address Table)."
In the Trusted Libraries section:
"Do not link the enclave with any untrusted library including C/C++ standard libraries. This action will either fail the enclave signing process or cause a runtime failure due to the use of restricted instructions."