How to transmit variables between SGX and untrusted environments

[ziqi-zhang]

Hi,

I want to implement a pytorch program that needs to transmit tensors between SGX and the untrusted environment. I have read the pytorch tutorial but it doesn't mention such techniques. The tutorial mainly displays how to run a script inside the SGX. I was wondering are there any documents about how to implement/use such features?

Best wishes,

[dimakuv]

transmit tensors between SGX and the untrusted environment

Please expand on this. What do you mean by "transmit"? In which direction? In which format? Can you use regular files for this transmission (that's the typical way of sharing something between the untrusted host and the SGX enclave)?

[ziqi-zhang]

Thanks for your quick apply! I want to perform some tensor computation inside the SGX and other computations in the untrusted environment. This requires to transmit variables in and out the SGX in both directions.

The format is pytorch tensor. Regular files are viable options but I'm afraid the file operation is slow. Is it possible to use some shared memory between SGX and the untrusted environment?

This repo implements a similar feature using TensorFlow. However, because I'm not very familiar with SGX, currently I don't know how it implements this feature.

[dimakuv]

I want to perform some tensor computation inside the SGX and other computations in the untrusted environment.

Gramine is a generic SGX runtime, and it doesn't allow for splitting the process in trusted and untrusted parts. The whole process must be shifted inside Gramine (and thus to inside the SGX enclave). So I'm afraid that without significant refactoring of your original PyTorch program, you won't be able to achieve your goal.

Is it possible to use some shared memory between SGX and the untrusted environment?

No, Gramine doesn't support this. Maybe in the future we'll add such support, but currently there is none.

This repo implements a similar feature using TensorFlow.

The Slalom (https://github.com/ftramer/slalom) work is definitely interesting, but Gramine has different purposes, design, and implementation. Thus, Gramine cannot do similar things as Slalom.

The only thing you can try to do with Gramine is something like this:

• Split your original PyTorch application such that it runs two processes
• One process will do the tensor computations inside the SGX enclave
• Another process will do other computations in the untrusted environment
• Make these two processes communicate with each other using regular files or for example TCP/IP sockets; make sure to use proper encryption schemes on these files/sockets to protect data transmitted between the trusted and the untrusted processes

Now you can shift the first process in the SGX enclave using Gramine. And the second process just runs outside.

[ziqi-zhang]

Thanks!