SGX

Intel Software Guard Extensions (SGX)

In 2015, Intel introduced Software Guard Extensions (SGX), starting with the 6th Generation Core processors, to address threats such as memory bus snooping and cold boot attacks. SGX lets developers create secure enclaves, partition an application, and protect specific code and data within these isolated environments. Access to an enclave's memory is restricted to authorized code, and SGX uses hardware-based memory encryption to safeguard its contents; unauthorized attempts to access or tamper with enclave memory trigger exceptions. SGX adds 18 new instructions to Intel's ISA and allows computation to be offloaded securely to an enclave while everything else on the platform, including the hosting application, the kernel, SMM, and peripheral devices, is treated as untrusted. However, the overall security of SGX relies on the integrity of the firmware and microcode that implement its features.

The Enclave Page Cache (EPC) is a special memory region that holds the code and data of enclaves. Each page within the EPC is encrypted by the Memory Encryption Engine (MEE). The Enclave Page Cache Map (EPCM) stores metadata for each page, including its configuration, permissions, and page type. At boot time, keys are generated and are used to decrypt the contents of encrypted pages inside the CPU. The MEE controls these keys and never exposes them to external entities. As a result, only the specific CPU that encrypted the memory can decrypt it, and the keys remain inaccessible to any software. Additionally, privileged software outside an enclave cannot read or write EPC or EPCM pages.

SGX provides local and remote attestation mechanisms to ensure the integrity and authenticity of enclaves. Local attestation establishes trust between two enclaves on the same platform. In this process, one enclave generates a report and signs it using the identity information of the other (target) enclave; the second enclave then verifies the report with its own Report Key. Remote attestation is needed when a third party must establish trust in an enclave running on a remote platform before provisioning it with secrets. SGX uses a specialized architectural enclave called the Quoting Enclave (QE) for this purpose. The QE receives a report from another enclave, verifies it locally, and transforms it into a remotely verifiable quote signed with the Attestation Key. The relying party sends this quote to the Intel Attestation Service (IAS) to verify the trustworthiness of the SGX enclave. The QE provides a protected environment for turning reports into quotes and prevents them from being modified or forged. Intel also offers Data Center Attestation Primitives (DCAP), a collection of software packages that let data centers run their own ECDSA-based attestation infrastructure for SGX enclaves.
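The two-stage flow described above (a report keyed to the target enclave, then a quote signed by the Quoting Enclave) is easier to follow as a runnable model. The following Python is an added example, not code from the original page or from Intel's SDK. It assumes a constructed platform secret in place of the CPU fuse key, SHA-256 of the enclave code in place of MRENCLAVE, and an HMAC key in place of the QE's asymmetric Attestation Key so that it runs on the standard library; the function names `ereport`, `verify_report`, `quote` and `verify_quote` are the example's own.

```python
"""Toy model of SGX local attestation and quote generation (added example)."""
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed stand-in for the per-CPU secret that real SGX keeps in fuses and
# never exposes to software. Only the "CPU" helpers below read it.
_PLATFORM_SECRET = os.urandom(32)


def measure(enclave_code: bytes) -> bytes:
    """MRENCLAVE stand-in: an enclave's identity is a hash of its contents."""
    return hashlib.sha256(enclave_code).digest()


@dataclass(frozen=True)
class Report:
    mrenclave: bytes     # identity of the enclave that produced the report
    target: bytes        # identity of the enclave meant to verify it
    report_data: bytes   # caller-supplied data, e.g. a hash of a session public key
    mac: bytes           # computed with the target's Report Key


def _report_key(mrenclave: bytes) -> bytes:
    """EGETKEY(REPORT_KEY) model: the CPU derives the key from the platform secret and
    the identity of the enclave asking for it, so each enclave can obtain only its own."""
    return hmac.new(_PLATFORM_SECRET, b"REPORT_KEY" + mrenclave, hashlib.sha256).digest()


def _report_body(mrenclave: bytes, target: bytes, report_data: bytes) -> bytes:
    return mrenclave + target + report_data


def ereport(mrenclave: bytes, target: bytes, report_data: bytes) -> Report:
    """EREPORT model: the CPU MACs the report with the *target's* Report Key."""
    body = _report_body(mrenclave, target, report_data)
    mac = hmac.new(_report_key(target), body, hashlib.sha256).digest()
    return Report(mrenclave, target, report_data, mac)


def verify_report(verifier_mrenclave: bytes, report: Report) -> bool:
    """Local attestation: the target enclave recomputes the MAC with its own Report Key.
    Any other enclave gets a different key and therefore fails to verify."""
    body = _report_body(report.mrenclave, report.target, report.report_data)
    expected = hmac.new(_report_key(verifier_mrenclave), body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, report.mac)


@dataclass(frozen=True)
class Quote:
    mrenclave: bytes
    report_data: bytes
    signature: bytes


class QuotingEnclave:
    """Architectural enclave that turns locally verified reports into quotes."""

    def __init__(self) -> None:
        self.mrenclave = measure(b"quoting enclave code")  # constructed identity
        # Attestation Key stand-in. A real QE signs with an asymmetric (EPID or ECDSA)
        # key; an HMAC key is used here so the example needs only the standard library.
        self._attestation_key = os.urandom(32)

    def quote(self, report: Report) -> Quote:
        # The QE only quotes reports that were addressed to it and that verify locally.
        if report.target != self.mrenclave:
            raise ValueError("report was not targeted at the Quoting Enclave")
        if not verify_report(self.mrenclave, report):
            raise ValueError("report MAC does not verify; refusing to quote")
        signed = report.mrenclave + report.report_data
        signature = hmac.new(self._attestation_key, signed, hashlib.sha256).digest()
        return Quote(report.mrenclave, report.report_data, signature)

    def verification_key(self) -> bytes:
        """What the attestation service holds; with a real key this is the public half."""
        return self._attestation_key


def verify_quote(verification_key: bytes, quote: Quote) -> bool:
    """Relying party / attestation service check of a quote's signature."""
    signed = quote.mrenclave + quote.report_data
    expected = hmac.new(verification_key, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, quote.signature)


if __name__ == "__main__":
    app = measure(b"application enclave")
    peer = measure(b"peer enclave")
    rpt = ereport(app, peer, b"session-pubkey-hash")
    print("peer verifies local report:", verify_report(peer, rpt))
    qe = QuotingEnclave()
    q = qe.quote(ereport(app, qe.mrenclave, b"session-pubkey-hash"))
    print("attestation service verifies quote:", verify_quote(qe.verification_key(), q))
```

The two properties worth noticing are that a report is useless to anyone but its target (the Report Key is derived per enclave, so a third enclave cannot verify or forge it) and that the QE refuses to quote anything it cannot verify locally, which is exactly the link between local and remote attestation the text describes.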

With TDX

Although SGX and TDX protect memory at different granularities, they reside within the same Trusted Computing Base (TCB) on the same platform. As a result, they can locally attest to each other, and TDX reuses SGX's remote attestation mechanism: the attestation report of a TDX platform is verified and signed within a Quoting Enclave, which vouches for the integrity and authenticity of the TDX environment.
