4.2. Tutorial 2: Hello, World! (without libc)

This tutorial covers building a simple “hello world” eapp that uses registered function calls between the enclave and the untrusted host to pass text strings. We refer to this style of design as a ‘native’ Keystone enclave application in contrast to hosting a standard RISC-V binary as the eapp. You can see this other style in the previous tutorial.

Before jumping into the tutorial, please complete Quick Start.

In this tutorial you will compile the Eyrie runtime with specific plugin support, build a host application, and build and modify an enclave application (eapp).

4.2.1. Prerequisites

You must have a completed build of the sdk, qemu, and other components outlined in Quick Start.

Set PATH to include RISC-V tools and KEYSTONE_SDK_DIR to point the absolute path to sdk directory.

export PATH=$PATH:<path to RISC-V tools>
export KEYSTONE_SDK_DIR=<path to SDK>

4.2.2. First Build

All code and build tools for this tutorial are found in sdk/examples/hello-native.

We will be using our standard example build script, vault.sh for this tutorial build to emit a self-extracting archive with all binaries needed for the enclave to run.

You can read more about this tool in vault.sh.

For now, you don’t need to modify vault.sh at all. Just run ./vault.sh, and it should build hello-native.ke and put a copy in the buildroot overlay.

Now, running make image at the top-level of the Keystone project will rebuild the qemu image to include our hello-native packaged binary.

Once booted, insert the kernel module and run ./hello-native.ke, it should exit with success, but print nothing.

4.2.3. Internals

The enclave package consists of three parts:
  • a host application
  • a runtime binary (Eyrie)
  • an eapp

In this case, the host code is in sdk/examples/hello-native/host/, the runtime is our modular Eyrie runtime (in sdk/rts/eyrie/ if you followed the previous guides), and the eapp is in sdk/examples/hello-native/eapp/.

The host contains untrusted code that will ask for an enclave to be provisioned, use the SDK to load the runtime and eapp into the enclave space, and communicate with the enclave after it has started.

The runtime is described in detail in the Eyrie documentation.

The eapp currently contains wrapper code for communicating to the host, and currently prints “Hello World”.

4.2.4. Printing from the eapp

Open sdk/examples/hello-native/eapp/eapp_native.c in your editor.

In main there is a call to an ocall wrapper function, ocall_print_string. This in ocall_print_string you can see the ocall itself, which is a special type of syscall to the Eyrie runtime. This syscall will package and pass the arguments back to the host application, who has a registered handler for OCALL_PRINT_STRING.

Open sdk/examples/hello-native/host/host_native.cpp in your editor.

In main we have standard enclave creation and intialization, as well as registration of an ocall handler, register_call(OCALL_PRINT_STRING, print_string_wrapper); This function (print_string_wrapper) is the host-side argument parsing and de-serialization portion of the ocall. Once it has validated and extracted the arguments to the function, it calls print_string which finally prints the string from the eapp.

For more details on the ocall interface and passing data between the eapp and host, see edge calls.

4.2.5. Modifying the eapp print

To update the printed message, update the message in eapp_native.c, re-run the vault.sh to rebuild the packaged enclave, then rebuild the top-level qemu image in keystone/ with make image. If you restart qemu, you’ll now have the updated hello_native.ke pacakged enclave application.

4.2.6. Deploying Enclave

Boot the machine with QEMU.


Insert the Keystone driver

# [inside QEMU]
insmod keystone-driver.ko

Deploy the enclave

# [inside QEMU]

You’ll see the enclave running!

Verifying archive integrity... All good.
Uncompressing Keystone vault archive  100%
Hello, world!