What is Intel SGX
Intel Software Guard Extensions (SGX), is a set of security architecture extensions first introduced in the Skylake microarchitecture that enables a Trusted Execution Environment (TEE). It provides an ‘inverse sandbox’, for sensitive programs, and guarantees the integrity and confidentiality of secure computations even from the most privileged malicious software (e.g. OS, Hypervisor).
Intel SGX allows the creation of secure enclaves that can keep and be trusted with a secret. In the context of SGX, enclaves are isolated execution units, with encrypted code and data. At first, enclaves have no secret, since they can be disassembled and viewed like any other normal program. After their launch, the enclaves need to be provisioned, to retrieve the secret data. The following is on overview of SGX. Figure 1 provides a diagram of the procedure and lifecycle of an SGX enclave as described above.
Step 1 (Launch): the untrusted application loads the enclave code and instantiates it. During this process the enclave’s measurement is created which is later used for verification.
Step 2 (Attestation): the enclave contacts the service provider for provisioning and retrieving the secrets. The enclave presents its measurement.
Step 3 (Provisioning): after verifying the attestation provided by the enclave in step 2, the service provider sends the secure data to the enclave through a secure channel.
Step 4 (Sealing/Unsealing): to allow an enclave to access the secret material in a secure and confidential way, the data can be sealed (encrypted) and stored on persistent storage.
A set of 18 new instructions, and 6 new data structures were introduced to support the operations of SGX. For example, instructions to build and destroy enclaves, enter to and exit from enclaves, and data structures to hold the enclave’s data and meta-data
Since the trusted computing base (TCB) the TCB is small in the SGX, some applications include Digital Rights Management (DRM) and trusted code execution on untrusted platforms. Bundled with technologies such as Intel’s Protected Audio Video Path (PAVP) and High-bandwidth Digital Content Protection (HDCP), SGX can realized DRM functionalities.
For more info please have a look at our Virus Bulletin (VB) 2016 paper: “Trusted Code Execution on Untrusted Platform Using Intel SGX”