How Do I Use Operating System Capabilities, Such as Reading and Writing a File, from within an Enclave?
Content Type: Product Information & Documentation | Article ID: 000090369 | Last Reviewed: 04/07/2022
Unable to make system calls or I/O operations, such as manipulating files, from within an enclave.
In the Intel® Software Guard Extensions (Intel® SGX) security model, the operating system is considered untrusted. Therefore, enclaves cannot use operating system capabilities directly.
To access resources provided in the untrusted domain, such as unprotected files, the enclave must make an ocall into the untrusted application that loaded the enclave.
Refer to the section "Calling Functions outside the Enclave" in the Intel® SGX Developer Reference Guide for your OS.
Enclaves can read and write protected files directly using the Intel® Protected File System.
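The ocall pattern described above, as an added example that is not Intel's code: plain C that models the trusted/untrusted boundary with a function pointer so it builds without the Intel® SGX SDK. The names `host_read_file`, `lying_host_read_file` and `enclave_load_file` are hypothetical; the point is that the enclave side treats the status and length returned by the host as untrusted input.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* In an SGX project this ocall is declared in the untrusted section of the
 * enclave's EDL file and the SDK generates the bridge code. A function
 * pointer stands in for that bridge so this builds without the SGX SDK. */
typedef int (*ocall_read_file_t)(const char *path, uint8_t *buf,
                                 size_t cap, size_t *len);

/* Untrusted side: application code outside the enclave, free to use the OS. */
int host_read_file(const char *path, uint8_t *buf, size_t cap, size_t *len)
{
    FILE *f = fopen(path, "rb");
    if (f == NULL) return -1;
    *len = fread(buf, 1, cap, f);
    fclose(f);
    return 0;
}

/* Constructed misbehaving host: claims more bytes than the buffer holds. */
int lying_host_read_file(const char *path, uint8_t *buf, size_t cap, size_t *len)
{
    (void)path;
    memset(buf, 'A', cap);
    *len = cap + 4096;
    return 0;
}

/* Trusted side: enclave code cannot open the file itself, so it asks the
 * host and treats the status and length that come back as untrusted input.
 * Returns the number of bytes accepted, or -1. */
long enclave_load_file(ocall_read_file_t ocall, const char *path,
                       uint8_t *out, size_t out_cap)
{
    size_t len = 0;
    if (ocall(path, out, out_cap, &len) != 0) return -1; /* host failed */
    if (len > out_cap) return -1;          /* host lied about the length */
    return (long)len;
}

int main(int argc, char **argv)
{
    uint8_t buf[256];
    long n = enclave_load_file(host_read_file, argc > 1 ? argv[1] : "/dev/null", buf, sizeof buf);
    printf("enclave accepted %ld bytes\n", n);
    return n < 0;
}
```

Content read this way is unprotected: the host sees and can alter it, which is why the article points to the Intel® Protected File System for files that must stay confidential.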