SGX Enclave Memory
Last updated
Secure Execution Environments
Last updated
The trust boundary perimeter is the processor chip (core, cache, and memory controller). So, the memory of the SGX enclave, when it resides outside of the processor chip (DRAM) is also encrypted.
The memory encryption key is chosen at random after every processor reset.
Values read from memory are checked to see if they match what was written (if not the processor hangs). This is done on a cache-line granularity (64 bytes) using a memory integrity tree. For details, see here
Very small performance penalty if the SGX enclave memory footprint fits in the processor caches.
Ring 0 instructions.
ECREATE, EADD and EINIT are used for Enclave Page Cache (EPC) management - executed by privileged software such as an OS or a VMM.
The EPC is an untrusted secure storage area used by the enclave; each 4KiB page has some security attributes that are stored in the Enclave Page Cache Map (EPCM), which is not accessible by software.
Ring 3 instructions.
EENTER, EEXIT, EGETKEY, EREPORT and ERESUME are used by the user space software to execute functionality within or between enclaves.
Illegal instructions inside an enclave.
cpuid, rdtsc, input and output instructions and some others are not allowed.
rdrand/rdseed are allowed and can be virtualized.
Creation (ECREATE)
Loading (EADD, EEXTEND)
Initialization (EINIT)
Enter/Exit the Enclave (EENTER/EEXIT)
Teardown (EREMOVE)
Intel 6th Generation Coe processor or newer.
Ubuntu 16.04, 18.04 or 20.04 LTS.
Red Hat 7.6 or 8.2.
CentOS 8.2.
Fedora 31.
BIOS support (enabling SGaX will reserve up to 128 MiB of memory for the exclusive use of SGX enclaves).
It's also possible to install it on Windows 10.
Intel SGX kernel driver.
Intel SGX PSW (Platform Software Package).
Intel SGX SDK.
Programming languages: C and C++.
Does my processor and OS support SGX (after BIOS configuration)?
cpuid -l | grep SGX
If yes:
SGX: Software Guard Extensions supported = true
SGX_LC: SGX launch config supported = true
Install needed packages: sudo apt install build-essential ocaml automake autoconf libtool && wget python3 libssl-dev dkms
Download driver.
Install the Dynamic kernel Module Support (DKMS) driver: sudo bash sgx_linux_x64_driver_1.41.bin
If you are using secure boot, the kernel module must be signed, which requires generating a new Machine-Owner Key (MOK). Just follow the instructions (a reboot will be required).
The module location is /lib/modules/5.8.0-48-generic/updates/dkms/intel_sgx.ko and the module name is (obviously) intel_sgx.
Install needed packages: sudo apt install libssl-dev libcurl4-openssl-dev libprotobuf-dev
Run the following commands:
echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main' | sudo tee /etc/apt/sources.list.d/intel-sgx.list
wget -qO - https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.ke y | sudo apt-key add -
sudo apt update
sudo apt install libsgx-launch libsgx-urts
sudo apt install libsgx-epid libsgx-urts
Do the following:
wget https://download.01.org/intel-sgx/latest/linux-latest/distro/ubunt u20.04-server/sgx_linux_x64_sdk_2.13.100.4.bin
sudo bash sgx_linux_x64_sdk_2.13.100.4.bin
Answer NO and choose /opt/intel as the installation directory.
Copy the contents of /opt/intel/sgxsdk/environment to your .bashrc
wget https://download.01.org/intel-sgx/latest/linux-latest/as.ld.objdum p.gold.r3.tar.gz
tar xzvf as.ld.objdump.gold.r3.tar.gz external/toolset/ubuntu20.04
sudo cp -v external/toolset/ubuntu20.04/* /usr/local/bin/
Do the following:
The output should be:
