Open jonhoo opened 8 years ago
jonhoo
commented
8 years ago It is also quite confusing that the Makefile includes PolarSSL when compiling demo/hello.c, but OpenSSL when compiling test/openssl (which doesn't even exist?). Which should a new OpenSGX application use? The PolarSSL version that is included seems to be quite old, and has a bunch of stuff stripped out (like TLS support).
inasmkim
commented
8 years ago When implementing the first version of OpenSGX, we use PolarSSL because it is light ssl library to reduce the TCB (size of the enclave). For calculating enclavehash or MAC of einittoken (egetkey instruction or ereport instruction), we use polarssl library functions. The reason why we add openssl support is to demonstrate the modified SGX-enabled Tor, which is a showcasing application of OpenSGX paper.
Thanks, Seongmin
2016-01-12 5:09 GMT+09:00 Jon Gjengset notifications@github.com:
It is also quite confusing that the Makefile https://github.com/sslab-gatech/opensgx/blob/master/user/Makefile includes PolarSSL when compiling demo/hello.c, but OpenSSL when compiling test/openssl (which doesn't even exist?). Which should a new OpenSGX application use? The PolarSSL version that is included seems to be quite old, and has a bunch of stuff stripped out (like TLS support).
— Reply to this email directly or view it on GitHub https://github.com/sslab-gatech/opensgx/issues/26#issuecomment-170674686 .
jonhoo
commented
8 years ago I realize that on the path to where you are now, introducing these along the way may have been reasonable, but now that you are stabilizing the API (e.g., by publishing the OpenSGX Tutorial v1), you should consider converging on just one. Having this, this, this, and this seems unnecessary, and becomes very confusing as a user of OpenSGX.
dongsuh
commented
8 years ago Dear Jon,
Thank you for bringing attention to this issue. We agree that it needs some clean up. The plan is to use a modern version of mbedtls inside OpenSGX and allow applications to use openSSL (and perhaps mbedtls) inside the enclave.
-Dongsu
Dongsu Han Assistant Professor, Department of Electrical Engineering Korea Advanced Institute of Science and Technology 291 Daehak-ro, Yuseong-gu, Daejeon 305-701, Korea Office: Room 814, IT Convergence Building (N1) Tel: +82-42-350-7431 Email: dongsu_han@kaist.ac.kr
On Tue, Jan 12, 2016 at 11:42 AM, Jon Gjengset notifications@github.com wrote:
I realize that on the path to where you are now, introducing these along the way may have been reasonable, but now that you are stabilizing the API (e.g., by publishing the OpenSGX Tutorial v1), you should consider converging on just one. Having this https://github.com/sslab-gatech/opensgx/tree/master/user/polarssl, this https://github.com/sslab-gatech/opensgx/tree/master/libsgx/mbedtls, this https://github.com/sslab-gatech/opensgx/tree/master/libsgx/openssl, and this https://github.com/sslab-gatech/opensgx/tree/master/libsgx/polarssl seems unnecessary, and becomes very confusing as a user of OpenSGX.
— Reply to this email directly or view it on GitHub https://github.com/sslab-gatech/opensgx/issues/26#issuecomment-170765354 .
jonhoo
commented
8 years ago Any particular reason why you wouldn't just use either mbedtls or OpenSSL for everything?
johnmwshih
commented
8 years ago OpenSSL is used by sgx-tor project. Actually we take OpenSSL more like an example to demonstrate one can easily develop enclave program using third-party library.
jonhoo
commented
8 years ago Ah, I see. I think one thing that might be useful is to document which of the things in the Makefile are necessary for any OpenSGX application to work, and which are things the application developer may choose to link in as third-party libraries. For example, if I choose to use OpenSSL, do I still link in mbedtls/PolarSSL?
johnmwshih
commented
8 years ago Thanks for your suggestion, I definitely agree that we need to document this.
inasmkim
commented
8 years ago Yes. If you want to use openssl as a 3rd party library for your enclave program, you should require mbedtls to compile opensgx for the crypto operations.
2016년 1월 13일 수요일, John (Ming-Wei) Shihnotifications@github.com님이 작성한 메시지:
Thanks for your suggestion, I definitely agree that we need to document this.
— Reply to this email directly or view it on GitHub https://github.com/sslab-gatech/opensgx/issues/26#issuecomment-170973750 .
opensgx currently uses both openssl, polarssl, and mbedtls -- is there a particular reason why you don't use a single library for all crypto operations?