Skip to content

Add dedicated windows-enclaves crate #3788

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 15 commits into from
Closed

Add dedicated windows-enclaves crate #3788

wants to merge 15 commits into from
+1,581 −40

Conversation

@kennykerr
Copy link
Collaborator

@kennykerr kennykerr commented Oct 6, 2025
edited
Loading

The Win32 metadata includes some support for Windows virtualization-based security enclaves but these APIs are a little tricky because you need to import the APIs from a different system library depending on whether you are inside or outside of the enclave. This update thus does the following:

  • Remaps the general-purpose enclave APIs so that they are imported by default from kernel32.dll for crates like windows and windows-sys.
  • Adds a dedicated windows-enclaves crate that provides dedicated bindings for use within an enclave where all of the functions provided by this crate are specifically imported from vertdll.dll.

I'm opening this PR for testing and validation as I am not too familiar with enclaves. Hopefully this will help make using enclaves easier from Rust.

kennykerr
kennykerr commented Oct 6, 2025
View reviewed changes
joshwatson
joshwatson reviewed Oct 14, 2025
View reviewed changes
joshwatson
joshwatson reviewed Oct 14, 2025
View reviewed changes
joshwatson
joshwatson reviewed Oct 14, 2025
View reviewed changes
@kennykerr
Copy link
Collaborator Author

kennykerr commented Oct 17, 2025
edited
Loading

I have excluded all Enclave functions exported by vertdll.dll from the windows and windows-sys crates with the exception of CallEnclave and TerminateEnclave. The following Enclave functions remain. The metadata for these all indicate some library other than vertdll.dll.

kernel32.dll:

  • CreateEnclave
  • InitializeEnclave
  • IsEnclaveTypeSupported
  • LoadEnclaveData

api-ms-win-core-enclave-l1-1-1.dll:

  • DeleteEnclave
  • LoadEnclaveImageA
  • LoadEnclaveImageW

It seems these should all just be loaded from kernel32.dll.

@riverar
Copy link
Collaborator

riverar commented Oct 17, 2025

Not all those APIs are implemented in kernel32 sadly. (Those last three are in kernelbase for example.)

riverar
riverar reviewed Oct 17, 2025
View reviewed changes
@kennykerr
Copy link
Collaborator Author

Sigh, it looks like various Enclave APIs intended to be called from outside of the Enclave are not exclusively exported from kernel32.dll and thus a simple workaround for the faulty metadata isn't really feasible.

@joshwatson
Copy link

Sigh, it looks like various Enclave APIs intended to be called from outside of the Enclave are not exclusively exported from kernel32.dll and thus a simple workaround for the faulty metadata isn't really feasible.

It should only be that CallEnclave needed a workaround; the rest of the host process APIs should already have the correct metadata. The CallEnclave metadata should also be correct now as well, I had the authors update it: https://learn.microsoft.com/en-us/windows/win32/api/enclaveapi/nf-enclaveapi-callenclave

Is the metadata not what the microsoft learn pages are generated from? Is there somewhere else I should just get the metadata updated so that the windows and windows-sys crates generate the right bindings without workarounds?

@kennykerr
Copy link
Collaborator Author

Is the metadata not what the microsoft learn pages are generated from?

Sadly not yet. Hopefully we get to the point of having canonical metadata in future.

https://github.com/microsoft/windows-rs/tree/master/crates/libs/bindgen/default

https://kennykerr.ca/rust-getting-started/how-are-crates-built.html

uint-nate
uint-nate reviewed Oct 29, 2025
View reviewed changes
crates/libs/enclaves/src/bindings.rs
}
}
pub type HANDLE = *mut core::ffi::c_void;
pub type HEAP_FLAGS = u32;
Copy link
Contributor

@uint-nate uint-nate Oct 29, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It'd be nice if the constants for HEAP_FLAGS and other enum/integer + #define style types ended up in here as well, like how it works here

@kennykerr
Copy link
Collaborator Author

Closing for now. Happy to keep chatting about this and help you guys get an Enclaves crate published. It looks like you have a few repos like VbsEnclaveTooling and vbs-enclave-rs to potentially host this and own it outright, which probably makes the most sense since I don't know the first thing about how to test and support Enclaves.

@kennykerr kennykerr closed this Nov 3, 2025
@bbonaby bbonaby mentioned this pull request Nov 4, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@riverar riverar riverar left review comments

+2 more reviewers

@uint-nate uint-nate uint-nate left review comments

@joshwatson joshwatson joshwatson left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@kennykerr @riverar @joshwatson @uint-nate