Hi!

As Gernot mentioned, enclaves run in ring 3. There's currently no possibility to implement something like kernel enclaves with SGX.

To be slightly off-topic: Instead of trying to run seL4 inside SGX, one can think the other way round and use seL4 to augment SGX enclaves with trusted platform services (e.g. http://arxiv.org/abs/1701.01061).

Best,
Sammey

On 2018-02-27 10:47, Corey Richardson wrote:
This email is me being kinda lazy. Does anyone know how challenging this would actually be to pull off? I'm interested in looking into it, but can't for a while.
I feel like it makes sense to bootload some little stub that sets up seL4 as the only enclave in the system. I don't see any reason to have multiple enclaves when using seL4. But, from this, it should be possible to get a good static root of trust remote attestation on Google Cloud.
(And also, can finally implement https://www.blackhat.com/docs/us-17/thursday/us-17-Swami-SGX-Remote-Attestat...)