SGX Enclave Memory

Last updated 10 months ago

SGX Enclave Memory

The trust boundary perimeter is the processor chip (core, cache, and memory controller). So, the memory of the SGX enclave, when it resides outside of the processor chip (DRAM) is also encrypted.

The memory encryption key is chosen at random after every processor reset.

Values read from memory are checked to see if they match what was written (if not the processor hangs). This is done on a cache-line granularity (64 bytes) using a memory integrity tree. For details, see

Very small performance penalty if the SGX enclave memory footprint fits in the processor caches.

Instructions

Ring 0 instructions.
- ECREATE, EADD and EINIT are used for Enclave Page Cache (EPC) management - executed by privileged software such as an OS or a VMM.
- The EPC is an untrusted secure storage area used by the enclave; each 4KiB page has some security attributes that are stored in the Enclave Page Cache Map (EPCM), which is not accessible by software.
Ring 3 instructions.
- EENTER, EEXIT, EGETKEY, EREPORT and ERESUME are used by the user space software to execute functionality within or between enclaves.
Illegal instructions inside an enclave.
- cpuid, rdtsc, input and output instructions and some others are not allowed.
- rdrand/rdseed are allowed and can be virtualized.

Creation (ECREATE)
Loading (EADD, EEXTEND)
Initialization (EINIT)
Enter/Exit the Enclave (EENTER/EEXIT)
Teardown (EREMOVE)

Hardware

Intel 6th Generation Coe processor or newer.

64-bit operating system

Ubuntu 16.04, 18.04 or 20.04 LTS.
Red Hat 7.6 or 8.2.
CentOS 8.2.
Fedora 31.

BIOS support (enabling SGaX will reserve up to 128 MiB of memory for the exclusive use of SGX enclaves).

It's also possible to install it on Windows 10.

Toolkit components

Intel SGX kernel driver.
Intel SGX PSW (Platform Software Package).
Intel SGX SDK.

Programming languages: C and C++.

Does my processor and OS support SGX (after BIOS configuration)?

cpuid -l | grep SGX
If yes:
- SGX: Software Guard Extensions supported = true
- SGX_LC: SGX launch config supported = true

Linux driver installation

Install needed packages: sudo apt install build-essential ocaml automake autoconf libtool && wget python3 libssl-dev dkms
Install the Dynamic kernel Module Support (DKMS) driver: sudo bash sgx_linux_x64_driver_1.41.bin
If you are using secure boot, the kernel module must be signed, which requires generating a new Machine-Owner Key (MOK). Just follow the instructions (a reboot will be required).
The module location is /lib/modules/5.8.0-48-generic/updates/dkms/intel_sgx.ko and the module name is (obviously) intel_sgx.

PSW installation

Install needed packages: sudo apt install libssl-dev libcurl4-openssl-dev libprotobuf-dev
Run the following commands:
1. echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main' | sudo tee /etc/apt/sources.list.d/intel-sgx.list
2. wget -qO - https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.ke y | sudo apt-key add -
3. sudo apt update
4. sudo apt install libsgx-launch libsgx-urts
5. sudo apt install libsgx-epid libsgx-urts

SDK Installation

Do the following:

wget https://download.01.org/intel-sgx/latest/linux-latest/distro/ubunt u20.04-server/sgx_linux_x64_sdk_2.13.100.4.bin
sudo bash sgx_linux_x64_sdk_2.13.100.4.bin
1. Answer NO and choose /opt/intel as the installation directory.
Copy the contents of /opt/intel/sgxsdk/environment to your .bashrc
wget https://download.01.org/intel-sgx/latest/linux-latest/as.ld.objdum p.gold.r3.tar.gz
tar xzvf as.ld.objdump.gold.r3.tar.gz external/toolset/ubuntu20.04
sudo cp -v external/toolset/ubuntu20.04/* /usr/local/bin/

Test

Do the following:

mkdir tmp
cd tmp
cp -av /opt/intel/sgxsdk/SampleCode/SampleEnclave .
cd SampleEnclave
make SGX_DEBUG=0 SGX_PRERELEASE=1
./app
make clean

The output should be:

Checksum(0x0x7ffeac1ee4f0, 100) = 0xfffd4143
Info: executing thread synchronization, please wait...
Info: SampleEnclave successfully returned.
Enter a character before exit ...

Last updated 10 months ago

The memory encryption key is chosen at random after every processor reset.

Very small performance penalty if the SGX enclave memory footprint fits in the processor caches.

Instructions

Ring 0 instructions.
- ECREATE, EADD and EINIT are used for Enclave Page Cache (EPC) management - executed by privileged software such as an OS or a VMM.
- The EPC is an untrusted secure storage area used by the enclave; each 4KiB page has some security attributes that are stored in the Enclave Page Cache Map (EPCM), which is not accessible by software.
Ring 3 instructions.
- EENTER, EEXIT, EGETKEY, EREPORT and ERESUME are used by the user space software to execute functionality within or between enclaves.
Illegal instructions inside an enclave.
- cpuid, rdtsc, input and output instructions and some others are not allowed.
- rdrand/rdseed are allowed and can be virtualized.

Creation (ECREATE)
Loading (EADD, EEXTEND)
Initialization (EINIT)
Enter/Exit the Enclave (EENTER/EEXIT)
Teardown (EREMOVE)

requirements

Hardware

Intel 6th Generation Coe processor or newer.

64-bit operating system

Ubuntu 16.04, 18.04 or 20.04 LTS.
Red Hat 7.6 or 8.2.
CentOS 8.2.
Fedora 31.

BIOS support (enabling SGaX will reserve up to 128 MiB of memory for the exclusive use of SGX enclaves).

It's also possible to install it on Windows 10.

Toolkit components

Intel SGX kernel driver.
Intel SGX PSW (Platform Software Package).
Intel SGX SDK.

Programming languages: C and C++.

Does my processor and OS support SGX (after BIOS configuration)?

cpuid -l | grep SGX
If yes:
- SGX: Software Guard Extensions supported = true
- SGX_LC: SGX launch config supported = true

Linux driver installation

Install needed packages: sudo apt install build-essential ocaml automake autoconf libtool && wget python3 libssl-dev dkms
Download .
Install the Dynamic kernel Module Support (DKMS) driver: sudo bash sgx_linux_x64_driver_1.41.bin
If you are using secure boot, the kernel module must be signed, which requires generating a new Machine-Owner Key (MOK). Just follow the instructions (a reboot will be required).
The module location is /lib/modules/5.8.0-48-generic/updates/dkms/intel_sgx.ko and the module name is (obviously) intel_sgx.

PSW installation

Install needed packages: sudo apt install libssl-dev libcurl4-openssl-dev libprotobuf-dev
Run the following commands:
1. echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main' | sudo tee /etc/apt/sources.list.d/intel-sgx.list
2. wget -qO - https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.ke y | sudo apt-key add -
3. sudo apt update
4. sudo apt install libsgx-launch libsgx-urts
5. sudo apt install libsgx-epid libsgx-urts

SDK Installation

Do the following:

wget https://download.01.org/intel-sgx/latest/linux-latest/distro/ubunt u20.04-server/sgx_linux_x64_sdk_2.13.100.4.bin
sudo bash sgx_linux_x64_sdk_2.13.100.4.bin
1. Answer NO and choose /opt/intel as the installation directory.
Copy the contents of /opt/intel/sgxsdk/environment to your .bashrc
wget https://download.01.org/intel-sgx/latest/linux-latest/as.ld.objdum p.gold.r3.tar.gz
tar xzvf as.ld.objdump.gold.r3.tar.gz external/toolset/ubuntu20.04
sudo cp -v external/toolset/ubuntu20.04/* /usr/local/bin/

Test

Do the following:

mkdir tmp
cd tmp
cp -av /opt/intel/sgxsdk/SampleCode/SampleEnclave .
cd SampleEnclave
make SGX_DEBUG=0 SGX_PRERELEASE=1
./app
make clean

The output should be:

Checksum(0x0x7ffeac1ee4f0, 100) = 0xfffd4143
Info: executing thread synchronization, please wait...
Info: SampleEnclave successfully returned.
Enter a character before exit ...