Secure Execution Environments

SGX Enclave Memory

The trust boundary perimeter is the processor chip (core, cache, and memory controller). So, the memory of the SGX enclave, when it resides outside of the processor chip (DRAM) is also encrypted.

The memory encryption key is chosen at random after every processor reset.

Values read from memory are checked to see if they match what was written (if not the processor hangs). This is done on a cache-line granularity (64 bytes) using a memory integrity tree. For details, see here

Very small performance penalty if the SGX enclave memory footprint fits in the processor caches.

Instructions

  • Ring 0 instructions.

    • ECREATE, EADD and EINIT are used for Enclave Page Cache (EPC) management - executed by privileged software such as an OS or a VMM.

    • The EPC is an untrusted secure storage area used by the enclave; each 4KiB page has some security attributes that are stored in the Enclave Page Cache Map (EPCM), which is not accessible by software.

  • Ring 3 instructions.

    • EENTER, EEXIT, EGETKEY, EREPORT and ERESUME are used by the user space software to execute functionality within or between enclaves.

  • Illegal instructions inside an enclave.

    • cpuid, rdtsc, input and output instructions and some others are not allowed.

    • rdrand/rdseed are allowed and can be virtualized.

Life cycle

  1. Creation (ECREATE)

  2. Loading (EADD, EEXTEND)

  3. Initialization (EINIT)

  4. Enter/Exit the Enclave (EENTER/EEXIT)

  5. Teardown (EREMOVE)

Toolkit requirements

Hardware

  • Intel 6th Generation Coe processor or newer.

64-bit operating system

  • Ubuntu 16.04, 18.04 or 20.04 LTS.

  • Red Hat 7.6 or 8.2.

  • CentOS 8.2.

  • Fedora 31.

BIOS support (enabling SGaX will reserve up to 128 MiB of memory for the exclusive use of SGX enclaves).

It's also possible to install it on Windows 10.

Toolkit components

  • Intel SGX kernel driver.

  • Intel SGX PSW (Platform Software Package).

  • Intel SGX SDK.

Programming languages: C and C++.

Does my processor and OS support SGX (after BIOS configuration)?

  • cpuid -l | grep SGX

  • If yes:

    • SGX: Software Guard Extensions supported = true

    • SGX_LC: SGX launch config supported = true

Linux driver installation

  1. Install needed packages: sudo apt install build-essential ocaml automake autoconf libtool && wget python3 libssl-dev dkms

  2. Download driver.

  3. Install the Dynamic kernel Module Support (DKMS) driver: sudo bash sgx_linux_x64_driver_1.41.bin

  4. If you are using secure boot, the kernel module must be signed, which requires generating a new Machine-Owner Key (MOK). Just follow the instructions (a reboot will be required).

  5. The module location is /lib/modules/5.8.0-48-generic/updates/dkms/intel_sgx.ko and the module name is (obviously) intel_sgx.

PSW installation

  1. Install needed packages: sudo apt install libssl-dev libcurl4-openssl-dev libprotobuf-dev

  2. Run the following commands:

    1. echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main' | sudo tee /etc/apt/sources.list.d/intel-sgx.list

    2. wget -qO - https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.ke y | sudo apt-key add -

    3. sudo apt update

    4. sudo apt install libsgx-launch libsgx-urts

    5. sudo apt install libsgx-epid libsgx-urts

SDK Installation

Do the following:

  1. wget https://download.01.org/intel-sgx/latest/linux-latest/distro/ubunt u20.04-server/sgx_linux_x64_sdk_2.13.100.4.bin

  2. sudo bash sgx_linux_x64_sdk_2.13.100.4.bin

    1. Answer NO and choose /opt/intel as the installation directory.

  3. Copy the contents of /opt/intel/sgxsdk/environment to your .bashrc

  4. wget https://download.01.org/intel-sgx/latest/linux-latest/as.ld.objdum p.gold.r3.tar.gz

  5. tar xzvf as.ld.objdump.gold.r3.tar.gz external/toolset/ubuntu20.04

  6. sudo cp -v external/toolset/ubuntu20.04/* /usr/local/bin/

Test

Do the following:

mkdir tmp
cd tmp
cp -av /opt/intel/sgxsdk/SampleCode/SampleEnclave .
cd SampleEnclave
make SGX_DEBUG=0 SGX_PRERELEASE=1
./app
make clean

The output should be:

Checksum(0x0x7ffeac1ee4f0, 100) = 0xfffd4143
Info: executing thread synchronization, please wait...
Info: SampleEnclave successfully returned.
Enter a character before exit ...
PreviousWhat is SGX (Software Guard eXtensions)?NextGuidelines for designing applications using SGX

Last updated