SGX Enclave Memory
The trust boundary perimeter is the processor chip (core, cache, and memory controller). So, the memory of the SGX enclave, when it resides outside of the processor chip (DRAM) is also encrypted.
The memory encryption key is chosen at random after every processor reset.
Values read from memory are checked to see if they match what was written (if not the processor hangs). This is done on a cache-line granularity (64 bytes) using a memory integrity tree. For details, see here
Very small performance penalty if the SGX enclave memory footprint fits in the processor caches.
Instructions
Ring 0 instructions.
ECREATE,EADDandEINITare used for Enclave Page Cache (EPC) management - executed by privileged software such as an OS or a VMM.The EPC is an untrusted secure storage area used by the enclave; each 4KiB page has some security attributes that are stored in the Enclave Page Cache Map (EPCM), which is not accessible by software.
Ring 3 instructions.
EENTER,EEXIT,EGETKEY,EREPORTandERESUMEare used by the user space software to execute functionality within or between enclaves.
Illegal instructions inside an enclave.
cpuid,rdtsc, input and output instructions and some others are not allowed.rdrand/rdseedare allowed and can be virtualized.
Creation (
ECREATE)Loading (
EADD,EEXTEND)Initialization (
EINIT)Enter/Exit the Enclave (
EENTER/EEXIT)Teardown (
EREMOVE)
Toolkit requirements
Hardware
Intel 6th Generation Coe processor or newer.
64-bit operating system
Ubuntu 16.04, 18.04 or 20.04 LTS.
Red Hat 7.6 or 8.2.
CentOS 8.2.
Fedora 31.
BIOS support (enabling SGaX will reserve up to 128 MiB of memory for the exclusive use of SGX enclaves).
It's also possible to install it on Windows 10.
Toolkit components
Intel SGX kernel driver.
Intel SGX PSW (Platform Software Package).
Intel SGX SDK.
Programming languages: C and C++.
Does my processor and OS support SGX (after BIOS configuration)?
cpuid -l | grep SGXIf yes:
SGX: Software Guard Extensions supported = trueSGX_LC: SGX launch config supported = true
Linux driver installation
Install needed packages:
sudo apt install build-essential ocaml automake autoconf libtool && wget python3 libssl-dev dkmsDownload driver.
Install the Dynamic kernel Module Support (DKMS) driver:
sudo bash sgx_linux_x64_driver_1.41.binIf you are using secure boot, the kernel module must be signed, which requires generating a new Machine-Owner Key (MOK). Just follow the instructions (a reboot will be required).
The module location is
/lib/modules/5.8.0-48-generic/updates/dkms/intel_sgx.koand the module name is (obviously) intel_sgx.
PSW installation
Install needed packages:
sudo apt install libssl-dev libcurl4-openssl-dev libprotobuf-devRun the following commands:
echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main' | sudo tee /etc/apt/sources.list.d/intel-sgx.listwget -qO - https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.ke y | sudo apt-key add -sudo apt updatesudo apt install libsgx-launch libsgx-urtssudo apt install libsgx-epid libsgx-urts
SDK Installation
Do the following:
wget https://download.01.org/intel-sgx/latest/linux-latest/distro/ubunt u20.04-server/sgx_linux_x64_sdk_2.13.100.4.binsudo bash sgx_linux_x64_sdk_2.13.100.4.binAnswer NO and choose
/opt/intelas the installation directory.
Copy the contents of
/opt/intel/sgxsdk/environmentto your.bashrcwget https://download.01.org/intel-sgx/latest/linux-latest/as.ld.objdum p.gold.r3.tar.gztar xzvf as.ld.objdump.gold.r3.tar.gz external/toolset/ubuntu20.04sudo cp -v external/toolset/ubuntu20.04/* /usr/local/bin/
Test
Do the following:
mkdir tmp
cd tmp
cp -av /opt/intel/sgxsdk/SampleCode/SampleEnclave .
cd SampleEnclave
make SGX_DEBUG=0 SGX_PRERELEASE=1
./app
make cleanThe output should be:
Checksum(0x0x7ffeac1ee4f0, 100) = 0xfffd4143
Info: executing thread synchronization, please wait...
Info: SampleEnclave successfully returned.
Enter a character before exit ...Last updated