I replied in another thread: #1465 (reply in thread). Please close the threads that you consider answered. Ideally, keep just one thread with all such questions; there's no need to create separate threads.
-
I want to discuss one general design about Intel SGX:
If I want to write a native enclave application, I need to specify the ecall/ocall interface in the xxx.edl file before we can build an enclave and launch it.
Then my question is: after an enclave has been launched, will it be possible to construct a new ecall/ocall interface?
To my understanding, by specifying these interfaces in the xxx.edl file, the SGX SDK can generate some glue code. If the malicious enclave application can provide/generate an "ecall" interface inside the enclave and the colluding operating system provides the glue code outside the enclave, then I guess it might be possible to have new ecall/ocall interfaces? But I'm not sure how to let the code inside the enclave know which function it wants to call outside the enclave when it wants to call the ocall instruction.
Could you share some insight on this issue?
Best,
Blossomin