stub_enclave: Support Pal Api V3 in stub_enclave.

1. Support Pal Api V3 in stub_enclave. 2. Achieve stub_enclave based on sgxsdk. Signed-off-by: N Yilin Li <YiLin.Li@linux.alibaba.com> Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>

stub_enclave: Support Pal Api V3 in stub_enclave.
1. Support Pal Api V3 in stub_enclave. 2. Achieve stub_enclave based on sgxsdk. Signed-off-by: N Yilin Li <YiLin.Li@linux.alibaba.com> Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
f69987ee · YiLin.Li · jia zhang · 5473b855 · f69987ee · f69987ee
16 changed file
--- a/Makefile
+++ b/Makefile
 .PHONY: all install clean uninstall package

 export INCLAVARE_CONTAINERS_VERSION := $(shell cat ./VERSION)
-components := rune shim sgx-tools
+components := rune shim sgx-tools stub_enclave
 dist_release_components := rune shim

 all:

--- a/README.md
+++ b/README.md
@@ -59,6 +59,9 @@ Skeleton is an example of enclave runtime, interfacing with Enclave Runtime PAL

 Please refer to [this guide](https://github.com/alibaba/inclavare-containers/blob/master/rune/libenclave/internal/runtime/pal/skeleton/README.md) to run skeleton with `rune`.

+### stub_enclave
+Inspired by [sgx-ra-tls](https://github.com/cloud-security-research/sgx-ra-tls), stub_enclave extends the standard X.509 certificate with SGX-related information and integrates Intel SGX remote attestation into the TLS connection.Moreover, stub_enclave is a enclave runtime based on [sgxsdk](https://github.com/intel/linux-sgx) and stub_enclave support PAL API V3 so that you can run rune with stub_enclave according to [this guide](https://github.com/alibaba/inclavare-containers/blob/master/stub_enclave/README.md).
+
 For more information about Enclave Runtime PAL API, please refer to [Enclave Runtime PAL API Specification](https://github.com/alibaba/inclavare-containers/blob/master/rune/libenclave/internal/runtime/pal/spec_v2.md).

 ### Run OCI bundle

--- a/stub_enclave/Makefile
+++ b/stub_enclave/Makefile
+BINDIR := $(PREFIX)/usr/lib
+
+all: stub_enclave
+
+stub_enclave: ra_tls_options.c deps/local/lib/libwolfssl.sgx.static.lib.a deps/local/lib/libcurl-wolfssl.a libsgx_ra_tls_wolfssl.a
+	$(MAKE) -ef sgx_u.mk all
+	$(MAKE) -ef sgx_t.mk all
+
+ra_tls_options.c: ra_tls_options.c.sh
+	bash $^ > $@
+
+deps/local/lib/libcrypto.a: deps/openssl/config
+	cd deps/openssl && $(MAKE) && $(MAKE) -j1 install
+
+deps/wolfssl/configure:
+	mkdir -p deps && cd deps && git clone https://github.com/wolfSSL/wolfssl
+	cd deps/wolfssl && git checkout 57e5648a5dd734d1c219d385705498ad12941dd0
+	cd deps/wolfssl && patch -p1 < ../../wolfssl.patch
+	cd deps/wolfssl && ./autogen.sh
+
+# Add --enable-debug to ./configure for debug build
+# WOLFSSL_ALWAYS_VERIFY_CB ... Always call certificate verification callback, even if verification succeeds
+# KEEP_OUR_CERT ... Keep the certificate around after the handshake
+# --enable-tlsv10 ... required by libcurl
+# 2019-03-19 removed --enable-intelasm configure flag. The Celeron NUC I am developing this, does not support AVX.
+
+WOLFSSL_CFLAGS+=-DWOLFSSL_SGX_ATTESTATION -DWOLFSSL_ALWAYS_VERIFY_CB -DKEEP_PEER_CERT
+WOLFSSL_CONFIGURE_FLAGS+=--prefix=$(shell readlink -f deps/local) --enable-writedup --enable-static --enable-keygen --enable-certgen --enable-certext --with-pic --disable-examples --disable-crypttests --enable-aesni --enable-tlsv10
+ifdef DEBUG
+WOLFSS_CFLAGS+=--enable-debug
+endif
+
+deps/local/lib/libwolfssl.a: CFLAGS+= $(WOLFSSL_CFLAGS)
+deps/local/lib/libwolfssl.a: deps/wolfssl/configure
+# Later versions of gcc report errors on this version of wolfSSL.
+# TODO: Upgrade to more recent version of wolfSSL.
+	cd deps/wolfssl && CC=gcc CFLAGS="$(CFLAGS)" ./configure $(WOLFSSL_CONFIGURE_FLAGS)
+	cd deps/wolfssl && $(MAKE) install
+
+# Ideally, deps/wolfssl/IDE/LINUX-SGX/libwolfssl.sgx.static.lib.a and
+# deps/local/lib/libwolfssl.a could be built in parallel. Does not
+# work however. Hence, the dependency forces a serial build.
+#
+# -DFP_MAX_BITS=8192 required for RSA keys > 2048 bits to work
+deps/wolfssl/IDE/LINUX-SGX/libwolfssl.sgx.static.lib.a: deps/local/lib/libwolfssl.a
+	cd deps/wolfssl/IDE/LINUX-SGX && make -f sgx_t_static.mk CFLAGS="-DUSER_TIME -DWOLFSSL_SGX_ATTESTATION -DWOLFSSL_KEY_GEN -DWOLFSSL_CERT_GEN -DWOLFSSL_CERT_EXT -DFP_MAX_BITS=8192"
+
+deps/local/lib/libwolfssl.sgx.static.lib.a: deps/wolfssl/IDE/LINUX-SGX/libwolfssl.sgx.static.lib.a deps/local/lib/libwolfssl.a
+	mkdir -p deps/local/lib && cp deps/wolfssl/IDE/LINUX-SGX/libwolfssl.sgx.static.lib.a deps/local/lib
+
+deps/curl/configure:
+	cd deps && git clone https://github.com/curl/curl.git
+	cd deps/curl && git checkout curl-7_47_0
+	cd deps/curl && ./buildconf
+
+CURL_CONFFLAGS=--prefix=$(shell readlink -f deps/local) --without-libidn --without-librtmp --without-libssh2 --without-libmetalink --without-libpsl --disable-ldap --disable-ldaps --disable-shared
+ifdef DEBUG
+CURL_CONFFLAGS+=--enable-debug
+endif
+
+deps/local/lib/libcurl-wolfssl.a: deps/curl/configure deps/local/lib/libwolfssl.a
+	cp -a deps/curl deps/curl-wolfssl
+	cd deps/curl-wolfssl && CFLAGS="-fPIC" ./configure $(CURL_CONFFLAGS) --without-ssl --with-cyassl=$(shell readlink -f deps/local)
+	cd deps/curl-wolfssl && $(MAKE)
+	cp deps/curl-wolfssl/lib/.libs/libcurl.a deps/local/lib/libcurl-wolfssl.a
+
+libsgx_ra_tls_wolfssl.a:
+	make -f ratls-wolfssl.mk
+	rm -f wolfssl-ra-challenger.o wolfssl-ra.o ra-challenger.o ias_sign_ca_cert.o
+
+install:
+	install -D -m0755 liberpal-sgxsdk.so $(BINDIR)/liberpal-sgxsdk.so
+
+uninstall:
+	rm -f $(BINDIR)/liberpal-sgxsdk.so
+
+clean:
+	rm -f ra_tls_options.c ra_tls_u.o
+	rm -rf deps/curl-wolfssl deps/local 
+	$(MAKE) -ef sgx_u.mk clean
+	$(MAKE) -ef sgx_t.mk clean
+	$(MAKE) -ef ratls-wolfssl.mk clean
+
+.PHONY: stub_enclave clean install uninstall
--- a/stub_enclave/README.md
+++ b/stub_enclave/README.md
+# Build Stub Enclave
+``` shell
+cd "${path_to_inclavare_containers}/rune/libenclave/internal/runtime/pal/stub_enclave"
+make
+sudo make install
+```
+
+# Build Docker images
+## Prepare the materials
+``` shell
+mkdir lib
+cp /usr/lib/x86_64-linux-gnu/libsgx_urts.so lib
+cp /usr/lib/x86_64-linux-gnu/libsgx_uae_service.so lib
+cp /usr/lib/x86_64-linux-gnu/libsgx_enclave_common.so.1 lib
+cp /usr/lib/x86_64-linux-gnu/libprotobuf.so.10 lib
+cp /lib/x86_64-linux-gnu/libseccomp.so.2 lib
+```
+
+## Dockerfile
+``` shell
+FROM ubuntu:18.04
+  
+RUN mkdir -p /run/rune/sgxsdk
+WORKDIR /run/rune
+
+COPY lib                        /lib
+COPY liberpal-sgxsdk.so         .
+COPY Wolfssl_Enclave.signed.so  sgxsdk
+
+RUN ldconfig
+```
+
+``` shell
+docker build -t ${stub-enclave-image} .
+```
+
+# run stub-enclave images with rune
+``` shell
+sudo docker run -it --rm --runtime=rune -e ENCLAVE_TYPE=intelSgx \
+		-e ENCLAVE_RUNTIME_PATH=/usr/lib/liberpal-sgxsdk.so \
+		-e ENCLAVE_RUNTIME_ARGS=sgxsdk ${stub-enclave-image}
+```
--- a/stub_enclave/pal.lds
+++ b/stub_enclave/pal.lds
+{
+	global:
+		pal_get_version;
+		pal_init;
+		pal_create_process;
+		pal_exec;
+		pal_destroy;
+		pal_get_local_report;
+	local:
+		*;
+};
--- a/stub_enclave/sgx_t.mk
+++ b/stub_enclave/sgx_t.mk
+######## Intel(R) SGX SDK Settings ########
+SGX_SDK ?= /opt/intel/sgxsdk
+SGX_MODE ?= HW
+SGX_DEBUG ?= 1
+SGX_ARCH ?= x64
+SGX_WOLFSSL_LIB ?= ./deps/wolfssl/IDE/LINUX-SGX
+WOLFSSL_ROOT ?= ./deps/wolfssl
+SGX_RA_TLS_LIB ?= $(shell readlink -f .)
+
+ifeq ($(shell getconf LONG_BIT), 32)
+	SGX_ARCH := x86
+else ifeq ($(findstring -m32, $(CXXFLAGS)), -m32)
+	SGX_ARCH := x86
+endif
+
+ifeq ($(SGX_ARCH), x86)
+	SGX_COMMON_CFLAGS := -m32
+	SGX_LIBRARY_PATH := $(SGX_SDK)/lib
+	SGX_ENCLAVE_SIGNER := $(SGX_SDK)/bin/x86/sgx_sign
+	SGX_EDGER8R := $(SGX_SDK)/bin/x86/sgx_edger8r
+else
+	SGX_COMMON_CFLAGS := -m64
+	SGX_LIBRARY_PATH := $(SGX_SDK)/lib64
+	SGX_ENCLAVE_SIGNER := $(SGX_SDK)/bin/x64/sgx_sign
+	SGX_EDGER8R := $(SGX_SDK)/bin/x64/sgx_edger8r
+endif
+
+ifeq ($(SGX_DEBUG), 1)
+ifeq ($(SGX_PRERELEASE), 1)
+$(error Cannot set SGX_DEBUG and SGX_PRERELEASE at the same time!!)
+endif
+endif
+
+ifeq ($(SGX_DEBUG), 1)
+        SGX_COMMON_CFLAGS += -O0 -g -DSGX_DEBUG
+else
+        SGX_COMMON_CFLAGS += -O2
+endif
+
+ifneq ($(SGX_MODE), HW)
+	Trts_Library_Name := sgx_trts_sim
+	Service_Library_Name := sgx_tservice_sim
+else
+	Trts_Library_Name := sgx_trts
+	Service_Library_Name := sgx_tservice
+endif
+
+Crypto_Library_Name := sgx_tcrypto
+
+SGX_RA_TLS_ROOT=$(shell readlink -f .)
+
+Wolfssl_C_Extra_Flags := -DSGX_SDK -DWOLFSSL_SGX -DWOLFSSL_SGX_ATTESTATION -DUSER_TIME -DWOLFSSL_CERT_EXT
+Wolfssl_Include_Paths := -I$(WOLFSSL_ROOT)/ \
+						 -I$(WOLFSSL_ROOT)/wolfcrypt/
+
+
+Wolfssl_Enclave_C_Files := trusted/Wolfssl_Enclave.c
+Wolfssl_Enclave_Include_Paths := -IInclude -Itrusted $(Wolfssl_Include_Paths)\
+								   -I$(SGX_SDK)/include -I$(SGX_SDK)/include/tlibc\
+								   -I$(SGX_SDK)/include/stlport \
+									 -I$(SGX_RA_TLS_ROOT)
+
+ifeq ($(HAVE_WOLFSSL_TEST), 1)
+	Wolfssl_Include_Paths += -I$(WOLFSSL_ROOT)/wolfcrypt/test/
+	Wolfssl_C_Extra_Flags += -DHAVE_WOLFSSL_TEST
+endif
+
+ifeq ($(HAVE_WOLFSSL_BENCHMARK), 1)
+	Wolfssl_Include_Paths += -I$(WOLFSSL_ROOT)/wolfcrypt/benchmark/
+	Wolfssl_C_Extra_Flags += -DHAVE_WOLFSSL_BENCHMARK
+endif
+
+
+Flags_Just_For_C := -Wno-implicit-function-declaration -std=c11
+Common_C_Cpp_Flags := $(SGX_COMMON_CFLAGS) -nostdinc -fvisibility=hidden -fpie -fstack-protector $(Wolfssl_Enclave_Include_Paths) -fno-builtin -fno-builtin-printf -I.
+Wolfssl_Enclave_C_Flags := $(Flags_Just_For_C) $(Common_C_Cpp_Flags) $(Wolfssl_C_Extra_Flags)
+
+Wolfssl_Enclave_Link_Flags := $(SGX_COMMON_CFLAGS) -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
+  -L$(SGX_RA_TLS_LIB) -lsgx_ra_tls_wolfssl \
+	-L$(SGX_WOLFSSL_LIB) -lwolfssl.sgx.static.lib \
+	-Wl,--whole-archive -l$(Trts_Library_Name) -Wl,--no-whole-archive \
+	-Wl,--start-group -lsgx_tstdc -l$(Crypto_Library_Name) -l$(Service_Library_Name) -Wl,--end-group \
+	-Wl,-Bstatic -Wl,-Bsymbolic -Wl,--no-undefined \
+	-Wl,-pie,-eenclave_entry -Wl,--export-dynamic  \
+	-Wl,--defsym,__ImageBase=0 \
+	-Wl,--version-script=trusted/Wolfssl_Enclave.lds
+
+Wolfssl_Enclave_C_Objects := $(Wolfssl_Enclave_C_Files:.c=.o)
+
+
+
+
+ifeq ($(SGX_MODE), HW)
+ifneq ($(SGX_DEBUG), 1)
+ifneq ($(SGX_PRERELEASE), 1)
+Build_Mode = HW_RELEASE
+endif
+endif
+endif
+
+
+.PHONY: all run
+
+ifeq ($(Build_Mode), HW_RELEASE)
+all: Wolfssl_Enclave.so
+	@echo "Build enclave Wolfssl_Enclave.so [$(Build_Mode)|$(SGX_ARCH)] success!"
+	@echo
+	@echo "*********************************************************************************************************************************************************"
+	@echo "PLEASE NOTE: In this mode, please sign the Wolfssl_Enclave.so first using Two Step Sign mechanism before you run the app to launch and access the enclave."
+	@echo "*********************************************************************************************************************************************************"
+	@echo
+else
+all: Wolfssl_Enclave.signed.so
+endif
+
+run: all
+ifneq ($(Build_Mode), HW_RELEASE)
+	@$(CURDIR)/app
+	@echo "RUN  =>  app [$(SGX_MODE)|$(SGX_ARCH), OK]"
+endif
+
+
+######## Wolfssl_Enclave Objects ########
+
+trusted/Wolfssl_Enclave_t.c: $(SGX_EDGER8R) ./trusted/Wolfssl_Enclave.edl
+	@cd ./trusted && $(SGX_EDGER8R) --trusted ../trusted/Wolfssl_Enclave.edl --search-path ../trusted --search-path $(SGX_SDK)/include --search-path ..
+	@echo "GEN  =>  $@"
+
+trusted/Wolfssl_Enclave_t.o: ./trusted/Wolfssl_Enclave_t.c
+	@$(CC) $(Wolfssl_Enclave_C_Flags) -c $< -o $@
+	@echo "CC   <=  $<"
+
+trusted/%.o: trusted/%.c
+	@echo $(CC) $(Wolfssl_Enclave_C_Flags) -c $< -o $@
+	@$(CC) $(Wolfssl_Enclave_C_Flags) -c $< -o $@
+	@echo "CC  <=  $<"
+
+Wolfssl_Enclave.so: trusted/Wolfssl_Enclave_t.o $(Wolfssl_Enclave_C_Objects)
+	@echo $(Wolfssl_Enclave_Link_Flags)@
+	@$(CXX) $^ -o $@ $(Wolfssl_Enclave_Link_Flags)
+	@echo "LINK =>  $@"
+
+Wolfssl_Enclave.signed.so: Wolfssl_Enclave.so
+	@$(SGX_ENCLAVE_SIGNER) sign -key trusted/Wolfssl_Enclave_private.pem -enclave Wolfssl_Enclave.so -out $@ -config trusted/Wolfssl_Enclave.config.xml
+	@echo "SIGN =>  $@"
+clean:
+	@rm -f Wolfssl_Enclave.* trusted/Wolfssl_Enclave_t.*  $(Wolfssl_Enclave_C_Objects)
--- a/stub_enclave/sgx_u.mk
+++ b/stub_enclave/sgx_u.mk
+######## Intel(R) SGX SDK Settings ########
+SGX_SDK ?= /opt/intel/sgxsdk
+SGX_MODE ?= HW
+SGX_ARCH ?= x64
+SGX_WOLFSSL_LIB ?= ./deps/wolfssl/IDE/LINUX-SGX
+WOLFSSL_ROOT ?= ./deps/wolfssl
+
+UNTRUSTED_DIR=untrusted
+ifeq ($(shell getconf LONG_BIT), 32)
+	SGX_ARCH := x86
+else ifeq ($(findstring -m32, $(CXXFLAGS)), -m32)
+	SGX_ARCH := x86
+endif
+
+ifeq ($(SGX_ARCH), x86)
+	SGX_COMMON_CFLAGS := -m32
+	SGX_LIBRARY_PATH := $(SGX_SDK)/lib
+	SGX_ENCLAVE_SIGNER := $(SGX_SDK)/bin/x86/sgx_sign
+	SGX_EDGER8R := $(SGX_SDK)/bin/x86/sgx_edger8r
+else
+	SGX_COMMON_CFLAGS := -m64
+	SGX_LIBRARY_PATH := $(SGX_SDK)/lib64
+	SGX_ENCLAVE_SIGNER := $(SGX_SDK)/bin/x64/sgx_sign
+	SGX_EDGER8R := $(SGX_SDK)/bin/x64/sgx_edger8r
+endif
+
+ifeq ($(SGX_DEBUG), 1)
+ifeq ($(SGX_PRERELEASE), 1)
+$(error Cannot set SGX_DEBUG and SGX_PRERELEASE at the same time!!)
+endif
+endif
+
+ifeq ($(SGX_DEBUG), 1)
+        SGX_COMMON_CFLAGS += -O0 -g -DSGX_DEBUG
+else
+        SGX_COMMON_CFLAGS += -O2
+endif
+
+SGX_RA_TLS_ROOT=$(shell readlink -f .)
+
+######## App Settings ########
+
+ifneq ($(SGX_MODE), HW)
+	Urts_Library_Name := sgx_urts_sim
+else
+	Urts_Library_Name := sgx_urts
+endif
+
+Wolfssl_C_Extra_Flags := -DWOLFSSL_SGX -DUSE_WOLFSSL
+Wolfssl_Include_Paths := -I$(WOLFSSL_ROOT)/ \
+						 -I$(WOLFSSL_ROOT)/wolfcrypt/
+
+ifeq ($(HAVE_WOLFSSL_TEST), 1)
+	Wolfssl_Include_Paths += -I$(WOLFSSL_ROOT)/wolfcrypt/test/
+	Wolfssl_C_Extra_Flags += -DHAVE_WOLFSSL_TEST
+endif
+
+ifeq ($(HAVE_WOLFSSL_BENCHMARK), 1)
+	Wolfssl_Include_Paths += -I$(WOLFSSL_ROOT)/wolfcrypt/benchmark/
+	Wolfssl_C_Extra_Flags += -DHAVE_WOLFSSL_BENCHMARK
+endif
+
+
+
+# App_C_Files := $(UNTRUSTED_DIR)/App.c $(UNTRUSTED_DIR)/server-tls.c $(UNTRUSTED_DIR)/sgxsdk-ra-attester_u.c $(UNTRUSTED_DIR)/ias-ra.c
+App_C_Files := $(UNTRUSTED_DIR)/App.c $(UNTRUSTED_DIR)/sgxsdk-ra-attester_u.c 
+App_Include_Paths := $(Wolfssl_Include_Paths) -I$(UNTRUSTED_DIR) -I$(SGX_SDK)/include -I$(SGX_RA_TLS_ROOT) -I./deps/local/include -I$(shell readlink -f .)
+
+App_C_Flags := $(SGX_COMMON_CFLAGS) -fPIC -shared -Wno-attributes -Wall -Wno-unused-const-variable $(App_Include_Paths) $(Wolfssl_C_Extra_Flags)
+
+# Three configuration modes - Debug, prerelease, release
+#   Debug - Macro DEBUG enabled.
+#   Prerelease - Macro NDEBUG and EDEBUG enabled.
+#   Release - Macro NDEBUG enabled.
+ifeq ($(SGX_DEBUG), 1)
+        App_C_Flags += -DDEBUG -UNDEBUG -UEDEBUG
+else ifeq ($(SGX_PRERELEASE), 1)
+        App_C_Flags += -DNDEBUG -DEDEBUG -UDEBUG
+else
+        App_C_Flags += -DNDEBUG -UEDEBUG -UDEBUG
+endif
+
+App_Link_Flags := $(SGX_COMMON_CFLAGS) -L$(SGX_LIBRARY_PATH) -shared -L$(SGX_RA_TLS_ROOT)/deps/local/lib -l$(Urts_Library_Name) -lpthread $(SGX_RA_TLS_ROOT)/deps/local/lib/libcurl-wolfssl.a $(SGX_RA_TLS_ROOT)/deps/local/lib/libwolfssl.a -lz -lm
+App_Link_Flags += -Wl,--version-script=pal.lds
+
+ifneq ($(SGX_MODE), HW)
+	App_Link_Flags += -lsgx_uae_service_sim
+else
+	App_Link_Flags += -lsgx_uae_service
+endif
+
+App_C_Objects := $(App_C_Files:.c=.o)
+
+
+
+ifeq ($(SGX_MODE), HW)
+ifneq ($(SGX_DEBUG), 1)
+ifneq ($(SGX_PRERELEASE), 1)
+Build_Mode = HW_RELEASE
+endif
+endif
+endif
+
+
+.PHONY: all
+
+ifeq ($(Build_Mode), HW_RELEASE)
+all: liberpal-sgxsdk.so
+	@echo "Build liberpal-sgxsdk.so [$(Build_Mode)|$(SGX_ARCH)] success!"
+	@echo
+	@echo "*********************************************************************************************************************************************************"
+	@echo "PLEASE NOTE: In this mode, please sign the Wolfssl_Enclave.so first using Two Step Sign mechanism before you run the app to launch and access the enclave."
+	@echo "*********************************************************************************************************************************************************"
+	@echo
+
+else
+all: liberpal-sgxsdk.so
+endif
+
+######## liberpal-sgxsdk.so Objects ########
+
+$(UNTRUSTED_DIR)/Wolfssl_Enclave_u.c: $(SGX_EDGER8R) trusted/Wolfssl_Enclave.edl
+	@cd $(UNTRUSTED_DIR) && $(SGX_EDGER8R) --untrusted ../trusted/Wolfssl_Enclave.edl --search-path ../trusted --search-path $(SGX_SDK)/include --search-path ..
+	@echo "GEN  =>  $@"
+
+$(UNTRUSTED_DIR)/Wolfssl_Enclave_u.o: $(UNTRUSTED_DIR)/Wolfssl_Enclave_u.c
+	@echo $(CC) $(App_C_Flags) -c $< -o $@
+	@$(CC) $(App_C_Flags) -c $< -o $@
+	@echo "CC   <=  $<"
+
+$(UNTRUSTED_DIR)/%.o: $(UNTRUSTED_DIR)/%.c
+	@echo $(CC) $(App_C_Flags) -c $< -o $@
+	@$(CC) $(App_C_Flags) -c $< -o $@
+	@echo "CC  <=  $<"
+
+liberpal-sgxsdk.so: $(UNTRUSTED_DIR)/Wolfssl_Enclave_u.o $(App_C_Objects)
+	@$(CC) $^ -o $@ $(App_Link_Flags)
+	@echo "LINK =>  $@"
+
+
+.PHONY: clean
+
+clean:
+	@rm -f liberpal-sgxsdk.so $(App_C_Objects) $(UNTRUSTED_DIR)/Wolfssl_Enclave_u.* 
--- a/stub_enclave/trusted/Wolfssl_Enclave.c
+++ b/stub_enclave/trusted/Wolfssl_Enclave.c
+#include <assert.h>
+#include <stdarg.h>
+#include <stdio.h>	/* vsnprintf */
+
+#include "Wolfssl_Enclave_t.h"
+#include "sgx_trts.h"
+#include <wolfssl/wolfcrypt/rsa.h>
+
+int wc_test(void* args)
+{
+#ifdef HAVE_WOLFSSL_TEST
+	return wolfcrypt_test(args);
+#else
+	/* wolfSSL test not compiled in! */
+	return -1;
+#endif /* HAVE_WOLFSSL_TEST */
+}
+
+int wc_benchmark_test(void* args)
+{
+
+#ifdef HAVE_WOLFSSL_BENCHMARK
+	return benchmark_test(args);
+#else
+	/* wolfSSL benchmark not compiled in! */
+	return -1;
+#endif	/* HAVE_WOLFSSL_BENCHMARK */
+}
+
+void enc_wolfSSL_Debugging_ON(void)
+{
+	wolfSSL_Debugging_ON();
+}
+
+void enc_wolfSSL_Debugging_OFF(void)
+{
+	wolfSSL_Debugging_OFF();
+}
+
+int enc_wolfSSL_Init(void)
+{
+	return wolfSSL_Init();
+}
+
+WOLFSSL_METHOD* enc_wolfTLSv1_2_client_method(void)
+{
+	return wolfTLSv1_2_client_method();
+}
+
+WOLFSSL_METHOD* enc_wolfTLSv1_2_server_method(void)
+{
+	return wolfTLSv1_2_server_method();
+}
+
+
+WOLFSSL_CTX* enc_wolfSSL_CTX_new(WOLFSSL_METHOD* method)
+{
+	if(sgx_is_within_enclave(method, wolfSSL_METHOD_GetObjectSize()) != 1)
+		abort();
+	return wolfSSL_CTX_new(method);
+}
+
+int enc_wolfSSL_CTX_use_certificate_chain_buffer_format(WOLFSSL_CTX* ctx,
+	const unsigned char* buf, long sz, int type)
+{
+	if(sgx_is_within_enclave(ctx, wolfSSL_CTX_GetObjectSize()) != 1)
+		abort();
+	return wolfSSL_CTX_use_certificate_chain_buffer_format(ctx, buf, sz, type);
+}
+
+int enc_wolfSSL_CTX_use_certificate_buffer(WOLFSSL_CTX* ctx,
+	const unsigned char* buf, long sz, int type)
+{
+	if(sgx_is_within_enclave(ctx, wolfSSL_CTX_GetObjectSize()) != 1)
+		abort();
+	return wolfSSL_CTX_use_certificate_buffer(ctx, buf, sz, type);
+}
+
+int enc_wolfSSL_CTX_use_PrivateKey_buffer(WOLFSSL_CTX* ctx, const unsigned char* buf,
+								long sz, int type)
+{
+	if(sgx_is_within_enclave(ctx, wolfSSL_CTX_GetObjectSize()) != 1)
+		abort();
+	return wolfSSL_CTX_use_PrivateKey_buffer(ctx, buf, sz, type);
+}
+
+int enc_wolfSSL_CTX_load_verify_buffer(WOLFSSL_CTX* ctx, const unsigned char* in,
+								long sz, int format)
+{
+	if(sgx_is_within_enclave(ctx, wolfSSL_CTX_GetObjectSize()) != 1)
+		abort();
+	return wolfSSL_CTX_load_verify_buffer(ctx, in, sz, format);
+}
+
+int enc_wolfSSL_CTX_set_cipher_list(WOLFSSL_CTX* ctx, const char* list) {
+	if(sgx_is_within_enclave(ctx, wolfSSL_CTX_GetObjectSize()) != 1)
+		abort();
+	return wolfSSL_CTX_set_cipher_list(ctx, list);
+}
+
+WOLFSSL* enc_wolfSSL_new( WOLFSSL_CTX* ctx)
+{
+	if(sgx_is_within_enclave(ctx, wolfSSL_CTX_GetObjectSize()) != 1)
+		abort();
+	return wolfSSL_new(ctx);
+}
+
+int enc_wolfSSL_set_fd(WOLFSSL* ssl, int fd)
+{
+	if(sgx_is_within_enclave(ssl, wolfSSL_GetObjectSize()) != 1)
+		abort();
+	return wolfSSL_set_fd(ssl, fd);
+}
+
+int enc_wolfSSL_connect(WOLFSSL* ssl)
+{
+	if(sgx_is_within_enclave(ssl, wolfSSL_GetObjectSize()) != 1)
+		abort();
+	return wolfSSL_connect(ssl);
+}
+
+int enc_wolfSSL_write(WOLFSSL* ssl, const void* in, int sz)
+{
+	if(sgx_is_within_enclave(ssl, wolfSSL_GetObjectSize()) != 1)
+		abort();
+	return wolfSSL_write(ssl, in, sz);
+}
+
+int enc_wolfSSL_get_error(WOLFSSL* ssl, int ret)
+{
+	if(sgx_is_within_enclave(ssl, wolfSSL_GetObjectSize()) != 1)
+		abort();
+	return wolfSSL_get_error(ssl, ret);
+}
+
+int enc_wolfSSL_read(WOLFSSL* ssl, void* data, int sz)
+{
+	if(sgx_is_within_enclave(ssl, wolfSSL_GetObjectSize()) != 1)
+		abort();
+	return wolfSSL_read(ssl, data, sz);
+}
+
+void enc_wolfSSL_free(WOLFSSL* ssl)
+{
+	if(sgx_is_within_enclave(ssl, wolfSSL_GetObjectSize()) != 1)
+		abort();
+	wolfSSL_free(ssl);
+}
+
+void enc_wolfSSL_CTX_free(WOLFSSL_CTX* ctx)
+{
+	if(sgx_is_within_enclave(ctx, wolfSSL_CTX_GetObjectSize()) != 1)
+		abort();
+	wolfSSL_CTX_free(ctx);
+}
+
+int enc_wolfSSL_Cleanup(void)
+{
+	wolfSSL_Cleanup();
+}
+
+void printf(const char *fmt, ...)
+{
+	char buf[BUFSIZ] = {'\0'};
+	va_list ap;
+	va_start(ap, fmt);
+	vsnprintf(buf, BUFSIZ, fmt, ap);
+	va_end(ap);
+	ocall_print_string(buf);
+}
+
+int sprintf(char* buf, const char *fmt, ...)
+{
+	va_list ap;
+	int ret;
+	va_start(ap, fmt);
+	ret = vsnprintf(buf, BUFSIZ, fmt, ap);
+	va_end(ap);
+	return ret;
+}
+
+double current_time(void)
+{
+	double curr;
+	ocall_current_time(&curr);
+	return curr;
+}
+
+int LowResTimer(void) /* low_res timer */
+{
+	int time;
+	ocall_low_res_time(&time);
+	return time;
+}
+
+size_t recv(int sockfd, void *buf, size_t len, int flags)
+{
+	size_t ret;
+	int sgxStatus;
+	sgxStatus = ocall_recv(&ret, sockfd, buf, len, flags);
+	return ret;
+}
+
+size_t send(int sockfd, const void *buf, size_t len, int flags)
+{
+	size_t ret;
+	int sgxStatus;
+	sgxStatus = ocall_send(&ret, sockfd, buf, len, flags);
+	return ret;
+}
+
+extern struct ra_tls_options my_ra_tls_options;
+
+int wolfssl_create_key
+(
+	uint8_t* der_key,
+	int* der_key_len,
+	uint8_t* der_cert,
+	int* der_cert_len,
+	const struct ra_tls_options* opts,
+	void* targetinfo, void* report
+)
+{
+	if (targetinfo == NULL || report == NULL) {
+		printf("input parameters in invalid!\n");
+		return -1;
+	}
+
+	/* Generate key. */
+	RsaKey genKey;
+	RNG    rng;
+	int    ret;
+
+	wc_InitRng(&rng);
+	wc_InitRsaKey(&genKey, 0);
+	ret = wc_MakeRsaKey(&genKey, 3072, 65537, &rng);
+	assert(ret == 0);
+
+	uint8_t der[4096];
+	int  derSz = wc_RsaKeyToDer(&genKey, der, sizeof(der));
+	assert(derSz >= 0);
+	assert(derSz <= (int) *der_key_len);
+
+	*der_key_len = derSz;
+	memcpy(der_key, der, derSz);
+
+	/* Generate certificate */
+	sgx_report_data_t report_data = {0, };
+	sha256_rsa_pubkey(report_data.d, &genKey);
+	sgx_target_info_t target_info = {0, };
+	memcpy(&target_info, targetinfo, sizeof(sgx_target_info_t));
+	sgx_report_t report_tmp = {0, };
+	sgx_status_t status = sgx_create_report(&target_info, &report_data, &report_tmp);
+
+	memcpy(report, &report_tmp, sizeof(sgx_report_t));
+
+	return status;
+}
+
+int create_key
+(
+	uint8_t* der_key,  /* out */
+	int* der_key_len,  /* in/out */
+	uint8_t* der_cert, /* out */
+	int* der_cert_len, /* in/out */
+	const struct ra_tls_options* opts, /* in */
+	void* targetinfo, void* report
+)
+{
+	return wolfssl_create_key(der_key, der_key_len, der_cert, der_cert_len, opts, targetinfo, report);
+}
+
+#ifdef WOLFSSL_SGX
+time_t XTIME(time_t* tloc) {
+	time_t x = 1512498557; /* Dec 5, 2017, 10:29 PDT */
+	if (tloc) *tloc = x;
+		return x;
+}
+
+time_t mktime(struct tm* tm) {
+	(void) tm;
+	assert(0);
+	return (time_t) 0;
+}
+#endif
+
+int enc_create_key_and_x509(WOLFSSL_CTX* ctx, void* targetinfo, void* report) {
+	uint8_t der_key[2048];
+	uint8_t der_cert[8 * 1024];
+	uint32_t der_key_len = sizeof(der_key);
+	uint32_t der_cert_len = sizeof(der_cert);
+
+	if( targetinfo == NULL || report == NULL)
+	{
+		printf("input parameters is valid!\n");
+		return -1;
+	}
+
+	return create_key(&der_key, &der_key_len,
+			&der_cert, &der_cert_len,
+			&my_ra_tls_options, targetinfo, report);
+}
--- a/stub_enclave/trusted/Wolfssl_Enclave.config.xml
+++ b/stub_enclave/trusted/Wolfssl_Enclave.config.xml
+<EnclaveConfiguration>
+  <ProdID>0</ProdID>
+  <ISVSVN>0</ISVSVN>
+  <StackMaxSize>0x400000</StackMaxSize>
+  <HeapMaxSize>0x1000000</HeapMaxSize>
+  <TCSNum>10</TCSNum>
+  <TCSPolicy>1</TCSPolicy>
+  <DisableDebug>0</DisableDebug>
+</EnclaveConfiguration>
--- a/stub_enclave/trusted/Wolfssl_Enclave.edl
+++ b/stub_enclave/trusted/Wolfssl_Enclave.edl
+/* Benchmark_Enclave.edl - Top EDL file. */
+enclave {
+	include "wolfssl/ssl.h"
+	include "wolfssl/wolfcrypt/settings.h"
+	include "wolfssl/wolfcrypt/types.h"
+
+	include "wolfcrypt/test/test.h"
+	include "wolfcrypt/benchmark/benchmark.h"
+	from "ra_tls.edl" import *;
+	trusted {
+		public int wc_test([user_check]void* args);
+		public int wc_benchmark_test([user_check]void* args);
+
+		public int enc_wolfSSL_Init(void);
+		public void enc_wolfSSL_Debugging_ON(void);
+		public void enc_wolfSSL_Debugging_OFF(void);
+		public WOLFSSL_METHOD* enc_wolfTLSv1_2_client_method(void);
+		public WOLFSSL_METHOD* enc_wolfTLSv1_2_server_method(void);
+		public WOLFSSL_CTX* enc_wolfSSL_CTX_new([user_check] WOLFSSL_METHOD* method);
+		public int enc_wolfSSL_CTX_use_PrivateKey_buffer([user_check] WOLFSSL_CTX* ctx,
+												[in, size=sz] const unsigned char* buf,
+												long sz,
+												int type);
+		public int enc_wolfSSL_CTX_load_verify_buffer([user_check] WOLFSSL_CTX* ctx,
+												[in, size=sz] const unsigned char* buf,
+												long sz,
+												int type);
+		public int enc_wolfSSL_CTX_use_certificate_chain_buffer_format([user_check] WOLFSSL_CTX* ctx,
+												[in, size=sz] const unsigned char* buf,
+												long sz,
+												int type);
+		public int enc_wolfSSL_CTX_use_certificate_buffer([user_check] WOLFSSL_CTX* ctx,
+												[in, size=sz] const unsigned char* buf,
+												long sz,
+												int type);
+		public int enc_wolfSSL_CTX_set_cipher_list([user_check] WOLFSSL_CTX* ctx,
+												[in, string] const char* list);
+		public WOLFSSL* enc_wolfSSL_new([user_check] WOLFSSL_CTX* ctx);
+		public int enc_wolfSSL_set_fd([user_check]WOLFSSL* ssl, int fd);
+		public int enc_wolfSSL_connect([user_check]WOLFSSL* ssl);
+		public int enc_wolfSSL_write([user_check]WOLFSSL* ssl,
+									 [in, size=sz] const void* in,
+									 int sz);
+		public int enc_wolfSSL_get_error([user_check]WOLFSSL* ssl,
+										 int ret);
+		public int enc_wolfSSL_read([user_check]WOLFSSL* ssl,
+									[out, size=sz]void* out,
+									int sz);
+		public void enc_wolfSSL_free([user_check]WOLFSSL* ssl);
+		public void enc_wolfSSL_CTX_free([user_check]WOLFSSL_CTX* ctx);
+		public int enc_wolfSSL_Cleanup(void);
+
+		public int enc_create_key_and_x509([user_check]WOLFSSL_CTX* ctx, [user_check]void* targetinfo, 
+											[user_check]void* report);
+	};
+
+	untrusted {
+		/* define OCALLs here. */
+		void ocall_print_string([in, string] const char* str);
+		void ocall_current_time([out] double* time);
+		void ocall_low_res_time([out] int* time);
+		size_t ocall_recv(int sockfd, [out, size=len] void *buf, size_t len, int flags) propagate_errno;
+		size_t ocall_send(int sockfd, [in, size=len] const void *buf, size_t len, int flags) propagate_errno;
+	};
+};
--- a/stub_enclave/trusted/Wolfssl_Enclave.h
+++ b/stub_enclave/trusted/Wolfssl_Enclave.h
+#ifndef _BENCHMARK_ENCLAVE_H_
+#define _BENCHMARK_ENCLAVE_H_
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+void printf(const char *fmt, ...);
+int sprintf(char* buf, const char *fmt, ...);
+double current_time(void);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#endif /* !_BENCHMARK_ENCLAVE_H_ */
--- a/stub_enclave/trusted/Wolfssl_Enclave.lds
+++ b/stub_enclave/trusted/Wolfssl_Enclave.lds
+Benchmark_Enclave.so
+{
+	global:
+		g_global_data_sim;
+		g_global_data;
+		Benchmark_Enclave_entry;
+	local:
+		*;
+};
--- a/stub_enclave/trusted/Wolfssl_Enclave_private.pem
+++ b/stub_enclave/trusted/Wolfssl_Enclave_private.pem
+-----BEGIN RSA PRIVATE KEY-----
+MIIG4gIBAAKCAYEAroOogvsj/fZDZY8XFdkl6dJmky0lRvnWMmpeH41Bla6U1qLZ
+AmZuyIF+mQC/cgojIsrBMzBxb1kKqzATF4+XwPwgKz7fmiddmHyYz2WDJfAjIveJ
+ZjdMjM4+EytGlkkJ52T8V8ds0/L2qKexJ+NBLxkeQLfV8n1mIk7zX7jguwbCG1Pr
+nEMdJ3Sew20vnje+RsngAzdPChoJpVsWi/K7cettX/tbnre1DL02GXc5qJoQYk7b
+3zkmhz31TgFrd9VVtmUGyFXAysuSAb3EN+5VnHGr0xKkeg8utErea2FNtNIgua8H
+ONfm9Eiyaav1SVKzPHlyqLtcdxH3I8Wg7yqMsaprZ1n5A1v/levxnL8+It02KseD
+5HqV4rf/cImSlCt3lpRg8U5E1pyFQ2IVEC/XTDMiI3c+AR+w2jSRB3Bwn9zJtFlW
+KHG3m1xGI4ck+Lci1JvWWLXQagQSPtZTsubxTQNx1gsgZhgv1JHVZMdbVlAbbRMC
+1nSuJNl7KPAS/VfzAgEDAoIBgHRXxaynbVP5gkO0ug6Qw/E27wzIw4SmjsxG6Wpe
+K7kfDeRskKxESdsA/xCrKkwGwhcx1iIgS5+Qscd1Yg+1D9X9asd/P7waPmWoZd+Z
+AhlKwhdPsO7PiF3e1AzHhGQwsUTt/Y/aSI1MpHBvy2/s1h9mFCslOUxTmWw0oj/Q
+ldIEgWeNR72CE2+jFIJIyml6ftnb6qzPiga8Bm48ubKh0kvySOqnkmnPzgh+JBD6
+JnBmtZbfPT97bwTT+N6rnPqOOApvfHPf15kWI8yDbprG1l4OCUaIUH1AszxLd826
+5IPM+8gINLRDP1MA6azECPjTyHXhtnSIBZCyWSVkc05vYmNXYUNiXWMajcxW9M02
+wKzFELO8NCEAkaTPxwo4SCyIjUxiK1LbQ9h8PSy4c1+gGP4LAMR8xqP4QKg6zdu9
+osUGG/xRe/uufgTBFkcjqBHtK5L5VI0jeNIUAgW/6iNbYXjBMJ0GfauLs+g1VsOm
+WfdgXzsb9DYdMa0OXXHypmV4GwKBwQDUwQj8RKJ6c8cT4vcWCoJvJF00+RFL+P3i
+Gx2DLERxRrDa8AVGfqaCjsR+3vLgG8V/py+z+dxZYSqeB80Qeo6PDITcRKoeAYh9
+xlT3LJOS+k1cJcEmlbbO2IjLkTmzSwa80fWexKu8/Xv6vv15gpqYl1ngYoqJM3pd
+vzmTIOi7MKSZ0WmEQavrZj8zK4endE3v0eAEeQ55j1GImbypSf7Idh7wOXtjZ7WD
+Dg6yWDrri+AP/L3gClMj8wsAxMV4ZR8CgcEA0fzDHkFa6raVOxWnObmRoDhAtE0a
+cjUj976NM5yyfdf2MrKy4/RhdTiPZ6b08/lBC/+xRfV3xKVGzacm6QjqjZrUpgHC
+0LKiZaMtccCJjLtPwQd0jGQEnKfMFaPsnhOc5y8qVkCzVOSthY5qhz0XNotHHFmJ
+gffVgB0iqrMTvSL7IA2yqqpOqNRlhaYhNl8TiFP3gIeMtVa9rZy31JPgT2uJ+kfo
+gV7sdTPEjPWZd7OshGxWpT6QfVDj/T9T7L6tAoHBAI3WBf2DFvxNL2KXT2QHAZ9t
+k3imC4f7U+wSE6zILaDZyzygA4RUbwG0gv8/TJVn2P/Eynf76DuWHGlaiLWnCbSz
+Az2DHBQBBaku409zDQym3j1ugMRjzzSQWzJg0SIyBH3hTmnYcn3+Uqcp/lEBvGW6
+O+rsXFt3pukqJmIV8HzLGGaLm62BHUeZf3dyWm+i3p/hQAL7Xvu04QW70xuGqdr5
+afV7p5eaeQIJXyGQJ0eylV/90+qxjMKiB1XYg6WYvwKBwQCL/ddpgOdHJGN8uRom
+e7Zq0Csi3hGheMKlKbN3vcxT5U7MdyHtTZZOJbTvxKNNUNYH/8uD+PqDGNneb29G
+BfGzvI3EASyLIcGZF3OhKwZd0jUrWk2y7Vhob91jwp2+t73vdMbkKyI4mHOuXvGv
+fg95si9oO7EBT+Oqvhccd2J+F1IVXncccYnF4u5ZGWt5lLewN/pVr7MjjykeaHqN
+t+rfnQam2psA6fL4zS2zTmZPzR2tnY8Y1GBTi0Ko1OKd1HMCgcAb5cB/7/AQlhP9
+yQa04PLH9ygQkKKptZp7dy5WcWRx0K/hAHRoi2aw1wZqfm7VBNu2SLcs90kCCCxp
+6C5sfJi6b8NpNbIPC+sc9wsFr7pGo9SFzQ78UlcWYK2Gu2FxlMjonhka5hvo4zvg
+WxlpXKEkaFt3gLd92m/dMqBrHfafH7VwOJY2zT3WIpjwuk0ZzmRg5p0pG/svVQEH
+NZmwRwlopysbR69B/n1nefJ84UO50fLh5s5Zr3gBRwbWNZyzhXk=
+-----END RSA PRIVATE KEY-----
--- a/stub_enclave/untrusted/App.c
+++ b/stub_enclave/untrusted/App.c
+#include "App.h" /* contains include of Enclave_u.h which has wolfSSL header files */
+#include "assert.h"
+#include <wolfssl/ssl.h>
+#include <wolfssl/certs_test.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <unistd.h>
+
+#define MAX_PATH		4096
+#define ENCLAVE_FILENAME	"Wolfssl_Enclave.signed.so"
+#define PAL_VERSION		3
+
+/* Use Debug SGX ? */
+#if _DEBUG
+	#define DEBUG_VALUE SGX_DEBUG_FLAG
+#else
+	#define DEBUG_VALUE 1
+#endif
+
+static sgx_enclave_id_t global_eid = SGX_ERROR_INVALID_ENCLAVE_ID;
+static bool initialized = false;
+static unsigned int num = 0;
+
+struct pal_stdio_fds {
+	int stdin, stdout, stderr;
+};
+
+struct pal_create_process_args {
+	const char *path;
+	const char **argv;
+	const char **env;
+	const struct occlum_stdio_fds *stdio;
+	int *pid;
+};
+
+struct pal_exec_args {
+	int pid;
+	int *exit_value;
+};
+
+const char* get_enclave_absolute_path(char* instance_dir) {
+	static char enclave_path[MAX_PATH + 1] = {0};
+	strncat(enclave_path, instance_dir, MAX_PATH);
+	strncat(enclave_path, "/", MAX_PATH);
+	strncat(enclave_path, ENCLAVE_FILENAME, MAX_PATH);
+	return (const char*)enclave_path;
+}
+
+int pal_get_version(void) {
+    return PAL_VERSION;
+}
+
+int pal_init(const sgxsdk_pal_attr_t* attr) {
+	errno = 0;
+
+	if (attr == NULL) {
+		return -EINVAL;
+	}
+
+	if (attr->instance_dir == NULL) {
+		return -EINVAL;
+	}
+
+	PAL_INFO("attr->instance_dir = %s", attr->instance_dir);
+	sgx_enclave_id_t eid = pal_get_enclave_id();
+	if (eid != SGX_ERROR_INVALID_ENCLAVE_ID) {
+		PAL_ERROR("Enclave has been initialized.");
+		return -EEXIST;
+	}
+
+	sgx_enclave_id_t id;
+	sgx_launch_token_t t;
+
+	int ret = 0;
+	int updated = 0;
+
+	memset(t, 0, sizeof(sgx_launch_token_t));
+
+	char * enclave_path = get_enclave_absolute_path(attr->instance_dir);
+	PAL_INFO("enclave_path = %s", enclave_path);
+
+	ret = sgx_create_enclave(enclave_path, DEBUG_VALUE, &t, &updated, &id, NULL);
+	if (ret != SGX_SUCCESS) {
+		PAL_ERROR("Failed to create Enclave : error %d - %#x.", ret, ret);
+		return ret;
+	}
+
+	global_eid = id;
+	initialized = true;
+}
+
+int pal_create_process(struct pal_create_process_args *args)
+{
+	if (args->path == NULL || access(args->path, F_OK) != 0)
+		return -ENOENT;	
+
+	if (access(args->path, R_OK) != 0)
+		return -EACCES;
+
+	if (!args->stdio)
+		return -EINVAL;
+
+	if (!args->pid)
+		return -EINVAL;
+
+	if (!initialized) {
+		PAL_ERROR("enclave runtime sgxsdk uninitialized yet!");
+		return -EINVAL;
+	}
+
+	return 0;
+}
+
+int pal_exec(struct pal_exec_args *args){
+	if (args->exit_value == NULL) {
+		errno = EINVAL;
+		return -1;
+	}
+
+	if (num == 0) {
+		num ++;
+		while(1) {
+			printf("Hello World!\n");
+			printf("    - Powered by ACK-TEE and runE\n");
+			fflush(stdout);
+			sleep(3);
+		}
+	} else {
+		 printf("Hello stub enclave!\n");
+		 printf("    - Welcome to stub enclave\n");
+	}
+
+	return 0;
+}
+
+int pal_destroy(void)
+{
+	if (!initialized) {
+		PAL_ERROR("enclave runtime sgxsdk uninitialized yet!");
+		return -1;
+	}
+
+	PAL_INFO("enclave runtime sgxsdk exits");
+	return 0;
+}
+
+int pal_get_local_report(void *targetinfo, int targetinfo_len, void *report, int* report_len) {
+	/* 0. check the args */
+	if (!initialized) {
+		PAL_ERROR("enclave runtime sgxsdk uninitialized yet!");
+	}
+
+	if (targetinfo == NULL || targetinfo_len != sizeof(sgx_target_info_t)) {
+		PAL_ERROR("Input parameter targetinfo is NULL or targentinfo_len is not enough!");
+		return -EINVAL;
+	}
+
+	if (report == NULL || report_len == NULL || *report_len < sizeof(sgx_report_t)) {
+		PAL_ERROR("Input parameter report is NULL or report_len is not enough!");
+		return -EINVAL;
+	}
+
+	sgx_enclave_id_t eid = pal_get_enclave_id();
+	if (eid == SGX_ERROR_INVALID_ENCLAVE_ID) {
+		PAL_ERROR("Enclave has not been initialized!");
+		return -EINVAL;
+	}
+
+	int sgxStatus;
+	int ret = 0;
+	WOLFSSL_METHOD* method;
+	WOLFSSL_CTX*    ctx;
+
+	/* 1. generate mTLS keys and the correspondings hash values */
+	/* Initialize wolfSSL */
+	enc_wolfSSL_Init(eid, &sgxStatus);
+
+#ifdef SGX_DEBUG
+	enc_wolfSSL_Debugging_ON(global_eid);
+#else
+	enc_wolfSSL_Debugging_OFF(global_eid);
+#endif
+
+	sgxStatus = enc_wolfTLSv1_2_server_method(global_eid, &method);
+	if (sgxStatus != SGX_SUCCESS || method == NULL) {
+		PAL_ERROR("wolfTLSv1_2_server_method failure");
+		return EXIT_FAILURE;
+	}
+
+	sgxStatus = enc_wolfSSL_CTX_new(global_eid, &ctx, method);
+	if (sgxStatus != SGX_SUCCESS || ctx == NULL) {
+		PAL_ERROR("wolfSSL_CTX_new failure");
+		return EXIT_FAILURE;
+	}
+
+	/* Load server certificates into WOLFSSL_CTX */
+	sgxStatus = enc_wolfSSL_CTX_use_certificate_buffer(global_eid, &ret, ctx,
+		server_cert_der_2048, sizeof_server_cert_der_2048, SSL_FILETYPE_ASN1);
+	if (sgxStatus != SGX_SUCCESS || ret != SSL_SUCCESS) {
+		PAL_ERROR("enc_wolfSSL_CTX_use_certificate_chain_buffer_format failure");
+		return EXIT_FAILURE;
+	}
+
+	/* Load server key into WOLFSSL_CTX */
+	sgxStatus = enc_wolfSSL_CTX_use_PrivateKey_buffer(global_eid, &ret, ctx,
+		server_key_der_2048, sizeof_server_key_der_2048, SSL_FILETYPE_ASN1);
+	if (sgxStatus != SGX_SUCCESS || ret != SSL_SUCCESS) {
+		PAL_ERROR("wolfSSL_CTX_use_PrivateKey_buffer failure");
+		return EXIT_FAILURE;
+	}
+
+	sgxStatus = enc_create_key_and_x509(global_eid, &ret, ctx, targetinfo, report);
+	if (sgxStatus != SGX_SUCCESS || ret != SGX_SUCCESS ) {
+		PAL_ERROR("enc_create_key_and_x509 failure");
+		return EXIT_FAILURE;
+	}
+
+	/* 3. return report */
+	targetinfo_len = sizeof(sgx_target_info_t);
+	*report_len = sizeof(sgx_report_t);
+
+	enc_wolfSSL_CTX_free(global_eid, ctx);
+
+	return ret;
+}
+
+sgx_enclave_id_t pal_get_enclave_id(void) {
+	return global_eid;
+}
+
+static double current_time()
+{
+	struct timeval tv;
+	gettimeofday(&tv,NULL);
+
+	return (double)(1000000 * tv.tv_sec + tv.tv_usec)/1000000.0;
+}
+
+void ocall_print_string(const char *str)
+{
+	/* Proxy/Bridge will check the length and null-terminate 
+	*      * the input string to prevent buffer overflow. 
+	*           */ 
+	printf("%s", str);
+}
+
+void ocall_current_time(double* time)
+{
+	if(!time) 
+		return;
+	*time = current_time();
+	return;
+}
+
+void ocall_low_res_time(int* time)
+{
+	struct timeval tv;
+	if(!time) 
+		return;
+	*time = tv.tv_sec;
+	return;
+}
+
+size_t ocall_recv(int sockfd, void *buf, size_t len, int flags)
+{
+	return recv(sockfd, buf, len, flags);
+}
+
+size_t ocall_send(int sockfd, const void *buf, size_t len, int flags)
+{
+	return send(sockfd, buf, len, flags);
+}
--- a/stub_enclave/untrusted/App.h
+++ b/stub_enclave/untrusted/App.h
+/* App.h
+*
+* Copyright (C) 2006-2016 wolfSSL Inc.
+*
+* This file is part of wolfSSL.
+*
+* wolfSSL is free software; you can redistribute it and/or modify
+* it under the terms of the GNU General Public License as published by
+* the Free Software Foundation; either version 2 of the License, or
+* (at your option) any later version.
+*
+* wolfSSL is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+* GNU General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License
+* along with this program; if not, write to the Free Software
+* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+*/
+
+#ifndef BENCHMARKS_H
+#define BENCHMARKS_H
+
+#include "sgx_urts.h"	/* Manages Enclave */
+#include <sys/types.h>	/* for send/recv */
+#include <sys/socket.h>	/* for send/recv */
+
+#include "Wolfssl_Enclave_u.h"	/* contains untrusted wrapper functions used to call enclave functions */
+
+#define BENCH_RSA
+#define ENCLAVE_FILENAME "Wolfssl_Enclave.signed.so"
+
+enum BenchmarkBounds {
+	/* these numbers are lower then default wolfSSL one to collect benchmark values faster for GUI */
+	numBlocks = 10, /* how many megs to test */
+	ntimes = 30 /* how many itteration to run RSA decrypt/encrypt */
+};
+
+#endif
+
+typedef struct sgxsdk_pal_attr {
+	const char *instance_dir;
+	const char *log_level;
+} sgxsdk_pal_attr_t;
+
+#define PAL_DEBUG(fmt, ...) \
+	fprintf(stderr, "[DEBUG] stub-enclave: " fmt " (line %d, file %s)\n", ##__VA_ARGS__, __LINE__, __FILE__)
+#define PAL_INFO(fmt, ...) \
+	fprintf(stderr, "[INFO] stub-enclave: " fmt " (line %d, file %s)\n", ##__VA_ARGS__, __LINE__, __FILE__)
+#define PAL_WARN(fmt, ...) \
+	fprintf(stderr, "[WARM] stub-enclave: " fmt " (line %d, file %s)\n", ##__VA_ARGS__, __LINE__, __FILE__)
+#define PAL_ERROR(fmt, ...) \
+	fprintf(stderr, "[ERROR] stub-enclave: " fmt " (line %d, file %s)\n", ##__VA_ARGS__, __LINE__, __FILE__)
+
+int pal_init(const sgxsdk_pal_attr_t* instance_dir);
+sgx_enclave_id_t pal_get_enclave_id(void);
--- a/stub_enclave/untrusted/sgxsdk-ra-attester_u.c
+++ b/stub_enclave/untrusted/sgxsdk-ra-attester_u.c
+#include <assert.h>
+#include <stdlib.h>
+
+#include <sgx_uae_service.h>
+
+#include <ra.h>
+#include <ra-attester.h>
+// #include <ias-ra.h>
+
+/* Untrusted code to do remote attestation with the SGX SDK. */
+
+void ocall_remote_attestation
+(
+    sgx_report_t* report,
+    const struct ra_tls_options* opts,
+    attestation_verification_report_t* attn_report
+)
+{
+    // produce quote
+    uint32_t quote_size;
+    sgx_calc_quote_size(NULL, 0, &quote_size);
+    
+    sgx_quote_t* quote = (sgx_quote_t*) calloc(1, quote_size);
+    
+    sgx_status_t status;
+    status = sgx_get_quote(report,
+                           opts->quote_type,
+                           &opts->spid,
+                           NULL,
+                           NULL,
+                           0,
+                           NULL,
+                           quote,
+                           quote_size);
+    assert(SGX_SUCCESS == status);
+
+    // verify against IAS
+    // obtain_attestation_verification_report(quote, quote_size, opts, attn_report);
+}
+
+void ocall_sgx_init_quote
+(
+    sgx_target_info_t* target_info
+)
+{
+    sgx_epid_group_id_t gid;
+    sgx_status_t status = sgx_init_quote(target_info, &gid);
+    assert(status == SGX_SUCCESS);
+}