Use outside calls (ocalls) from within an enclave to access untrusted functions.
System calls and I/O operations, such as manipulating files, cannot be made from within an enclave.
In the Intel® Software Guard Extensions (Intel® SGX) security model, the operating system is considered untrusted. Therefore, enclaves cannot use operating system capabilities directly.
To access resources provided in the untrusted domain, such as unprotected files, the enclave must make an ocall into the untrusted application that loaded the enclave.
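The ocall pattern described above, as an added example that is not from Intel's documentation or SDK. It is modelled in plain C so it compiles without the SGX SDK: `sgx_status_t`, the proxy, the function names and the file name are stand-ins assumed here. The enclave-side function delegates the file read to the untrusted application and validates what comes back, because the host is untrusted.

```c
/* Stand-alone model of an ocall. Assumption: sgx_status_t and the proxy below are local
 * stand-ins for what sgx_edger8r would generate from a hypothetical EDL entry such as
 *   untrusted { int ocall_read_file([in, string] const char *path,
 *               [out, size=cap] uint8_t *buf, size_t cap, [out] size_t *len); };      */
#include <stdint.h>
#include <stdio.h>

typedef enum { SGX_SUCCESS = 0 } sgx_status_t;   /* stand-in for the SDK type */
static int host_is_hostile = 0;                  /* constructed switch for the demo */

/* Untrusted application: the only code here that may use OS file I/O. */
static int ocall_read_file_impl(const char *path, uint8_t *buf, size_t cap, size_t *len) {
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    *len = fread(buf, 1, cap, f);
    fclose(f);
    if (host_is_hostile) *len = cap + 4096;      /* models a host that lies about length */
    return 0;
}

/* Stand-in for the trusted proxy: call status is returned, ocall result goes via retval. */
static sgx_status_t ocall_read_file(int *retval, const char *path, uint8_t *buf,
                                    size_t cap, size_t *len) {
    *retval = ocall_read_file_impl(path, buf, cap, len);
    return SGX_SUCCESS;
}

/* Enclave side: no fopen() here; everything the host returns is checked before use. */
int enclave_load(const char *path, uint8_t *out, size_t cap, size_t *out_len) {
    int rc = -1; size_t n = 0;
    if (ocall_read_file(&rc, path, out, cap, &n) != SGX_SUCCESS) return -1;
    if (rc != 0) return -2;                      /* host reported an I/O failure */
    if (n > cap) return -3;                      /* reject a length larger than the buffer */
    *out_len = n;
    return 0;
}

/* Demo driver: writes a constructed sample file, then loads it through the ocall. */
int run_demo(int hostile, size_t *got) {
    FILE *f = fopen("ocall_demo.txt", "wb");
    if (!f) return -9;
    fputs("sample-data", f);
    fclose(f);
    uint8_t buf[64];
    host_is_hostile = hostile;
    return enclave_load("ocall_demo.txt", buf, sizeof buf, got);
}

int main(void) { size_t n = 0; printf("%d %d\n", run_demo(0, &n), run_demo(1, &n)); return 0; }
```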
Refer to the section Calling Functions outside the Enclave in the Intel® SGX Developer Reference Guide for your OS.
- The latest SGX Developer Reference for Linux* is in Intel® SGX Linux Latest Docs.
- The Intel SGX Developer Reference for Windows is distributed with the SGX SDK for Windows installation package.
Enclaves can read and write protected files directly using the Intel® Protected File System.