This topic describes how to use the Intel SGX SDK to develop, build, and deploy an application named hello_world. The application periodically generates messages inside an enclave, copies them to an untrusted buffer, and then prints them to the terminal.
Prerequisites
- A managed Kubernetes cluster for confidential computing is created. For more information, see Create a managed Kubernetes cluster that supports confidential computing.
- The following environment is available for developing and compiling the application:
  - Aliyun Linux 2, CentOS, or RHEL 7+
  - Intel SGX Driver
  - Intel SGX SDK
  - Intel SGX PSW
  - AESM service
How SGX works

- An SGX application consists of two components:
  - Untrusted component: The untrusted component is an unencrypted part of the memory. If the code and data of an application are stored in this part, the main() function of the application must also be placed in the untrusted component. In the preceding figure, the main() and bar() functions are placed in the untrusted component.
  - Trusted component, or enclave: The trusted component is an encrypted part of the memory. This component is created by the CPU and cannot be accessed by the rest of the system. In the preceding figure, the helloworld() and foo() functions are placed in the enclave.
- To invoke a function in the enclave from the untrusted component, the application must perform an Enclave Call (ECALL).
- To invoke a function in the untrusted component from the enclave, the application must perform an Outside Call (OCALL).
- ECALLs and OCALLs are declared in the Enclave Definition Language (EDL) file.
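As an added example (not the Enclave.edl from the hello_world repository), the following EDL declares the two call directions described above: a public ECALL that fills an untrusted buffer, which is all hello_world needs, plus an OCALL for printing to show the reverse direction. The function names ecall_hello_world and ocall_print_string are assumed.

```edl
// Added example, not the hello_world repository's own Enclave.edl.
// Assumed names: ecall_hello_world, ocall_print_string.
enclave {
    trusted {
        // ECALL: callable from the untrusted App. "public" is required for an
        // ECALL that the application calls directly; without it the function
        // can only be reached from inside an OCALL (a nested ECALL).
        // [out, size=len]: the generated bridge allocates a trusted copy of
        // len bytes, the enclave writes the message into that copy, and the
        // bridge copies it back to untrusted memory on return. The enclave
        // code never dereferences the untrusted pointer itself.
        public void ecall_hello_world([out, size=len] char *buf, size_t len);
    };

    untrusted {
        // OCALL: implemented in App.cpp, called from inside the enclave.
        // [in, string]: the bridge measures the NUL-terminated string and
        // copies it out of the enclave, so the untrusted side only ever
        // sees a copy. hello_world itself declares no OCALL; this one shows
        // the direction used for printing from the enclave.
        void ocall_print_string([in, string] const char *str);
    };
};
```

The sgx_edger8r tool in the SDK generates the trusted and untrusted bridge code from this file; the pointer attributes are what make the bridge copy data across the enclave boundary instead of letting either side touch the other's memory directly.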
Example
In this example, an SGX application named hello_world is deployed. For more information about the source code, see GitHub. The source code includes the code for application compilation, image building, and application deployment.
sgx-device-plugin/samples/hello_world/
├── Dockerfile
├── Makefile
├── README.md
└── src
    ├── App
    │   ├── App.cpp
    │   └── App.h
    ├── Enclave
    │   ├── Enclave.config.xml
    │   ├── Enclave.cpp
    │   ├── Enclave.edl
    │   ├── Enclave.h
    │   ├── Enclave.lds
    │   └── Enclave_private.pem
    ├── Include
    └── Makefile

The following list describes the src directory and related files.
- The App directory contains untrusted code, such as the main() entry and the code of the OCALL function.
- The Enclave directory contains trusted code, such as the code of the ECALL function.

File | Description
---|---
Enclave.edl | The EDL file.
Enclave.lds | The enclave linker script.
Enclave_private.pem | The private key that is used to sign the enclave.so file.
Enclave.config.xml | The enclave configuration file that specifies parameters such as the stack size and whether to enable debugging.
Enclave.h and Enclave.cpp | The code that implements the trusted component (the enclave).

- The Include directory contains a header file that is shared by untrusted code and trusted code.
File path | Description | Sample code
---|---|---
Enclave/Enclave.edl | The EDL file that declares a public ECALL function. At least one of the following functions must be declared in the EDL file of an SGX application: In this example, the application does not need to invoke an OCALL function. Therefore, only one ECALL function ( |
Enclave/Enclave.lds | - |
Enclave/Enclave.config.xml | - |
Enclave/Enclave.h | This header file is empty in most cases. |
Enclave/Enclave.cpp | - |
Enclave/Enclave_private.pem | The private key that is used to sign the enclave.so file. |
App/App.h | - |
App/App.cpp | - |