# SGX Enclave Memory

**The trust boundary perimeter is the processor chip** (core, cache, and memory controller). So, the **memory of the SGX enclave**, when it resides **outside of the processor** chip (DRAM) **is also encrypted**.

The memory **encryption key is chosen at random after every processor reset**.

**Values read from memory are checked to see if they match what was written** (if not the processor hangs). This is done on a cache-line granularity (64 bytes) using a memory integrity tree. For details, see [here](https://eprint.iacr.org/2016/204.pdf)

Very small performance penalty if the SGX enclave memory footprint fits in the processor caches.

## Instructions

* Ring 0 instructions.
  * `ECREATE`, `EADD` and `EINIT` are used for Enclave Page Cache (EPC) management - **executed by privileged software such as an OS or a VMM**.
  * The EPC is an **untrusted secure storage area used by the enclave**; each 4KiB page has some security attributes that are stored in the Enclave Page Cache Map (EPCM), which is not accessible by software.
* Ring 3 instructions.
  * `EENTER`, `EEXIT`, `EGETKEY`, `EREPORT` and `ERESUME` are used by the user space software to execute functionality within or between enclaves.
* Illegal instructions inside an enclave.
  * `cpuid`, `rdtsc`, **input and output** **instructions** and some others **are not allowed**.
  * `rdrand`/`rdseed` are **allowed and can be virtualized**.

## [Life cycle](https://software.intel.com/content/dam/develop/external/us/en/documents/intelsgxenclavelifecycle.pdf)

<figure><img src="https://234178705-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlSLj4wxc6NsT415otBid%2Fuploads%2FX282pCTAkNn0tkIJdHrQ%2Fimage.png?alt=media&#x26;token=d95a73c5-f9aa-45fc-8a7e-b520152a3e3c" alt=""><figcaption></figcaption></figure>

1. Creation (`ECREATE`)
2. Loading (`EADD`, `EEXTEND`)
3. Initialization (`EINIT`)
4. Enter/Exit the Enclave (`EENTER`/`EEXIT`)
5. Teardown (`EREMOVE`)

## [Toolkit](https://github.com/intel/linux-sgx) requirements

### Hardware

* Intel 6th Generation Coe processor or newer.

### 64-bit operating system

* Ubuntu 16.04, 18.04 or 20.04 LTS.
* Red Hat 7.6 or 8.2.
* CentOS 8.2.
* Fedora 31.

BIOS support (enabling SGaX will reserve up to 128 MiB of memory for the exclusive use of SGX enclaves).

It's also possible to install it on Windows 10.

### Toolkit components

* Intel SGX kernel driver.
* Intel SGX PSW (Platform Software Package).
* Intel SGX SDK.

Programming languages: **C** and **C++**.

Does my processor and OS support SGX (after BIOS configuration)?

* `cpuid -l | grep SGX`
* If yes:
  * `SGX: Software Guard Extensions supported = true`
  * `SGX_LC: SGX launch config supported = true`

## Linux driver installation

1. Install needed packages: `sudo apt install build-essential ocaml automake autoconf libtool && wget python3 libssl-dev dkms`
2. Download [driver](https://01.org/intel-software-guard-extensions/downloads).
3. Install the Dynamic kernel Module Support (DKMS) driver: `sudo bash sgx_linux_x64_driver_1.41.bin`
4. If you are using secure boot, the kernel module must be signed, which requires generating a new Machine-Owner Key (MOK). Just follow the instructions (a reboot will be required).
5. The module location is `/lib/modules/5.8.0-48-generic/updates/dkms/intel_sgx.ko` and the module name is (obviously) intel\_sgx.

## PSW installation

1. Install needed packages: `sudo apt install libssl-dev libcurl4-openssl-dev libprotobuf-dev`
2. Run the following commands:
   1. `echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main' | sudo tee /etc/apt/sources.list.d/intel-sgx.list`
   2. `wget -qO - https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.ke y | sudo apt-key add -`
   3. `sudo apt update`
   4. `sudo apt install libsgx-launch libsgx-urts`
   5. `sudo apt install libsgx-epid libsgx-urts`

## SDK Installation

Do the following:

1. `wget https://download.01.org/intel-sgx/latest/linux-latest/distro/ubunt u20.04-server/sgx_linux_x64_sdk_2.13.100.4.bin`
2. `sudo bash sgx_linux_x64_sdk_2.13.100.4.bin`
   1. **Answer NO** and choose `/opt/intel` as the installation directory.
3. Copy the contents of `/opt/intel/sgxsdk/environment` to your `.bashrc`
4. `wget https://download.01.org/intel-sgx/latest/linux-latest/as.ld.objdum p.gold.r3.tar.gz`
5. `tar xzvf as.ld.objdump.gold.r3.tar.gz external/toolset/ubuntu20.04`
6. `sudo cp -v external/toolset/ubuntu20.04/* /usr/local/bin/`

### Test

Do the following:

```
mkdir tmp
cd tmp
cp -av /opt/intel/sgxsdk/SampleCode/SampleEnclave .
cd SampleEnclave
make SGX_DEBUG=0 SGX_PRERELEASE=1
./app
make clean
```

The output should be:

```
Checksum(0x0x7ffeac1ee4f0, 100) = 0xfffd4143
Info: executing thread synchronization, please wait...
Info: SampleEnclave successfully returned.
Enter a character before exit ...
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://davidjosearaujo.gitbook.io/notes-mcs/secure-execution-environments/intel-software-guard-extensions/sgx-enclave-memory.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.