The Graphene project uses SGX to securely run software. SGX is a complicated topic, which may be hard to learn, because the documentation is scattered through official/reference documentation, blog posts and academic papers. This page is an attempt to curate a dossier of available reading material.
SGX is an umbrella name of technology that comprises several parts:
- CPU/platform hardware features: the new instruction set, new microarchitecture with the PRM (EPC) memory region and some new MSRs and some new logic in the MMU and so on;
- the SGX Remote Attestation infrastructure, online services provided by Intel and/or third parties (see DCAP);
- SDK and assorted software.
SGX is still being developed. The current (March 2020) version of CPU features is referred to as “SGX1” or simply “SGX” and is more or less finalized. All instructions added or changed since the original SGX are informally referred to as “SGX2”.
Features which might be considered part of SGX2:
- EDMM (Enclave Dynamic Memory Management) is part of SGX2
- FLC (Flexible Launch Control), not strictly part of SGX2, but was not part of original SGX hardware either
As of now there is hardware support (on a limited set of CPUs) for FLC and (on an even more limited set of CPUs) for SGX2/EDMM. Most of the literature available (especially introduction-level) concerns original SGX1 only.
Introductory reading
- Quarkslab’s two-part “Overview of Intel SGX”:
- MIT’s deep dive in SGX architecture.
- Intel’s whitepapers:
- Slides from ISCA 2015(actual slides [PDF])
Official Documentation
- SDK for Linux (download of both the binaries and the documentation)
Academic Research
- Intel’s collection of academic papers, likely the most comprehensive list of references
Installation Instructions
Linux kernel drivers
For historical reasons, there are three SGX drivers currently (January 2021):
https://github.com/intel/linux-sgx-driver – old one, does not support DCAP, deprecated
https://github.com/intel/SGXDataCenterAttestationPrimitives/tree/master/driver – new one, out-of-tree, supports both the non-DCAP software infrastructure (with the old EPID remote-attestation technique) and the new DCAP (with the new ECDSA and more “normal” PKI infrastructure).
SGX support was upstreamed to the Linux mainline starting from 5.11. It currently supports only DCAP attestation. The driver is accessible through /dev/sgx_enclave and /dev/sgx_provision.
The following udev rules are recommended for users to access the SGX node:
The mainline driver also does not require IAS. Note that the kernel maintainers consider non-writable (locked) FLC MSRs as non-functional SGX, so the mainline driver does not bind to platforms without FLC: https://lore.kernel.org/lkml/20191223094614.GB16710@zn.tnic/
The chronicle of kernel patchset:
- v1 (2016-04-25)
- https://lore.kernel.org/lkml/1461605698-12385-1-git-send-email-jarkko.sakkinen@linux.intel.com/
- v2
- ?
- v3
- ?
- v4 (2017-10-16)
- https://lore.kernel.org/lkml/20171016191855.16964-1-jarkko.sakkinen@linux.intel.com/
- v5 (2017-11-13)
- https://lore.kernel.org/lkml/20171113194528.28557-1-jarkko.sakkinen@linux.intel.com/
- v6 (2017-11-25)
- https://lore.kernel.org/lkml/20171125193132.24321-1-jarkko.sakkinen@linux.intel.com/
- v7 (2017-12-07)
- https://lore.kernel.org/lkml/20171207015614.7914-1-jarkko.sakkinen@linux.intel.com/
- v8 (2017-12-15)
- https://lore.kernel.org/lkml/20171215202936.28226-1-jarkko.sakkinen@linux.intel.com/
- v9 (2017-12-16)
- https://lore.kernel.org/lkml/20171216162200.20243-1-jarkko.sakkinen@linux.intel.com/
- v10 (2017-12-24)
- https://lore.kernel.org/lkml/20171224195854.2291-1-jarkko.sakkinen@linux.intel.com/
- v11 (2018-06-08)
- https://lore.kernel.org/lkml/20180608171216.26521-1-jarkko.sakkinen@linux.intel.com/
- v12 (2018-07-03)
- https://lore.kernel.org/lkml/20180703182118.15024-1-jarkko.sakkinen@linux.intel.com/
- v13 (2018-08-27)
- https://lore.kernel.org/lkml/20180827185507.17087-1-jarkko.sakkinen@linux.intel.com/
- v14 (2018-09-25)
- https://lore.kernel.org/lkml/20180925130845.9962-1-jarkko.sakkinen@linux.intel.com/
- v15 (2018-11-03)
- https://lore.kernel.org/lkml/20181102231320.29164-1-jarkko.sakkinen@linux.intel.com/
- v16 (2018-11-06)
- https://lore.kernel.org/lkml/20181106134758.10572-1-jarkko.sakkinen@linux.intel.com/
- v17 (2018-11-16)
- https://lore.kernel.org/lkml/20181116010412.23967-2-jarkko.sakkinen@linux.intel.com/
- v18 (2018-12-22)
- https://lore.kernel.org/linux-sgx/20181221231134.6011-1-jarkko.sakkinen@linux.intel.com/
- v19 (2019-03-20)
- https://lore.kernel.org/lkml/20190320162119.4469-1-jarkko.sakkinen@linux.intel.com/
- v20 (2019-04-17)
- https://lore.kernel.org/lkml/20190417103938.7762-1-jarkko.sakkinen@linux.intel.com/
- v21 (2019-07-13)
- https://lore.kernel.org/lkml/20190713170804.2340-1-jarkko.sakkinen@linux.intel.com/
- v22 (2019-09-03)
- https://lore.kernel.org/lkml/20190903142655.21943-1-jarkko.sakkinen@linux.intel.com/
- v23 (2019-10-28)
- https://lore.kernel.org/lkml/20191028210324.12475-1-jarkko.sakkinen@linux.intel.com/
- v24 (2019-11-30)
- https://lore.kernel.org/lkml/20191129231326.18076-1-jarkko.sakkinen@linux.intel.com/
- v25 (2020-02-04)
- https://lore.kernel.org/lkml/20200204060545.31729-1-jarkko.sakkinen@linux.intel.com/
- v26 (2020-02-09)
- https://lore.kernel.org/lkml/20200209212609.7928-1-jarkko.sakkinen@linux.intel.com/
- v27 (2020-02-23)
- https://lore.kernel.org/lkml/20200223172559.6912-1-jarkko.sakkinen@linux.intel.com/
- v28 (2020-04-04)
- https://lore.kernel.org/lkml/20200303233609.713348-1-jarkko.sakkinen@linux.intel.com/
- v29 (2020-04-22)
- https://lore.kernel.org/lkml/20200421215316.56503-1-jarkko.sakkinen@linux.intel.com/
- v30 (2020-05-15)
- https://lore.kernel.org/lkml/20200515004410.723949-1-jarkko.sakkinen@linux.intel.com/
SGX terminology
Architectural Enclaves (AEs) are a set of “system” enclaves concerned with starting and attesting other enclaves. Intel provides reference implementations of these enclaves, though other companies may write their own implementations.
See also
Todo
TBD
Attestation is a mechanism to prove the trustworthiness of an SGX enclave to a local or remote party. More specifically, SGX attestation proves that the enclave runs on real hardware, in an up-to-date TEE, with the expected initial state. There are two types of attestation: Local Attestation and Remote Attestation. For local attestation, the attesting SGX enclave collects attestation evidence in the form of an SGX Report using the EREPORT hardware instruction. For remote attestation, the attesting SGX enclave collects attestation evidence in the form of an SGX Quote using the Quoting Enclave (and the Provisioning Enclave if required). The enclave then may send the collected attestation evidence to the local or remote party, which will verify the evidence and confirm the correctness of the attesting enclave. After this, the local or remote party trusts the enclave and may establish a secure channel with the enclave and send secrets to it.
See also
A software infrastructure provided by Intel as a reference implementation for the new ECDSA/PCS-based remote attestation. Relies on the Flexible Launch Control hardware feature. In principle this is a special version of SDK/PSW that has a reference launch enclave and is backed by the DCAP-enabled SGX driver.
This allows for launching enclaves without Intel’s remote infrastructure. But this requires deployment of own infrastructure, so is operationally more complicated. Therefore it is intended for server environments (where you control all the machines).
See also
- Orientation Guide
- https://download.01.org/intel-sgx/dcap-1.0.1/docs/Intel_SGX_DCAP_ECDSA_Orientation.pdf
- EPID
- A way to launch enclaves with Intel’s infrastructure, intended for client machines.
Todo
TBD
Todo
short description
Contrary to DCAP, EPID may be understood as “opinionated”, with most moving parts fixed and tied to services provided by Intel. This is intended for client enclaves and deprecated for server environments.
See also
- DCAP
- A way to launch enclaves without relying on Intel’s infrastructure.
Hardware (CPU) feature that allows substituting the Launch Enclave for one not signed by Intel. A change in SGX’s EINIT logic to not require the EINITTOKEN from the Intel-based Launch Enclave. An MSR, which can be locked at boot time, keeps the hash of the public key of the “launching” entity.
With FLC, the Launch Enclave can be written by other companies (other than Intel) and must be signed with the key corresponding to the one locked in the MSR (a reference Launch Enclave simply allows all enclaves to run). The MSR can also stay unlocked and then it can be modified at run-time by the VMM or the OS kernel.
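Added example, not code from the Graphene docs or from Intel: a small probe that ties the hardware-support caveats above (SGX1 vs SGX2/EDMM, FLC) and the three driver generations together. It decodes CPUID leaf 7 / leaf 0x12 bits for SGX, SGX2 and Launch Control, interprets IA32_FEATURE_CONTROL (MSR 0x3A) to tell whether launch control is locked to Intel’s key or open for the kernel to program IA32_SGXLEPUBKEYHASH0..3, and reports which device node (and therefore which driver) is present. Bit positions are from the Intel SDM; the MSR read needs root and the msr kernel module, and the CPUID probe is compiled only on x86 targets. The decoders are pure functions so they can be fed register values captured elsewhere.

```c
#include <stdint.h>
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* CPUID bits (Intel SDM): leaf 7/subleaf 0 advertises SGX and Launch Control,
 * leaf 0x12/subleaf 0 says which SGX instruction sets are implemented. */
#define LEAF7_EBX_SGX     (1u << 2)
#define LEAF7_ECX_SGX_LC  (1u << 30)   /* Flexible Launch Control */
#define LEAF12_EAX_SGX1   (1u << 0)
#define LEAF12_EAX_SGX2   (1u << 1)    /* EDMM instructions: EAUG, EMODPR, EMODT, EACCEPT, ... */

/* IA32_FEATURE_CONTROL (MSR 0x3A), written and locked by firmware at boot. */
#define FEAT_CTL_LOCK          (1ull << 0)
#define FEAT_CTL_SGX_LC_ENABLE (1ull << 17)
#define FEAT_CTL_SGX_ENABLE    (1ull << 18)

enum { CAP_SGX = 1, CAP_SGX1 = 2, CAP_SGX2 = 4, CAP_FLC = 8 };
enum { LC_SGX_DISABLED = 0, LC_LOCKED_TO_INTEL = 1, LC_FLC = 2 };

/* Pure decoder, so it can be exercised with register values captured on any machine. */
unsigned decode_sgx_cpuid(uint32_t leaf7_ebx, uint32_t leaf7_ecx, uint32_t leaf12_eax)
{
    unsigned caps = 0;
    if (!(leaf7_ebx & LEAF7_EBX_SGX))
        return 0;                        /* leaf 0x12 is meaningless without SGX */
    caps |= CAP_SGX;
    if (leaf12_eax & LEAF12_EAX_SGX1) caps |= CAP_SGX1;
    if (leaf12_eax & LEAF12_EAX_SGX2) caps |= CAP_SGX2;
    if (leaf7_ecx & LEAF7_ECX_SGX_LC)  caps |= CAP_FLC;
    return caps;
}

/* Launch-control state implied by IA32_FEATURE_CONTROL. With bit 17 clear the
 * IA32_SGXLEPUBKEYHASH0..3 MSRs are stuck at Intel's key, so only an Intel-signed
 * Launch Enclave can mint EINITTOKENs and the mainline driver refuses to bind. */
int launch_control_mode(uint64_t feature_control)
{
    if (!(feature_control & FEAT_CTL_SGX_ENABLE))    return LC_SGX_DISABLED;
    if (!(feature_control & FEAT_CTL_SGX_LC_ENABLE)) return LC_LOCKED_TO_INTEL;
    return LC_FLC;
}

/* Which of the three driver generations owns this machine, judged by its device nodes. */
const char *detect_sgx_driver(void)
{
    if (access("/dev/sgx_enclave", F_OK) == 0) return "mainline (5.11+): /dev/sgx_enclave, /dev/sgx_provision";
    if (access("/dev/sgx/enclave", F_OK) == 0) return "out-of-tree DCAP driver: /dev/sgx/enclave, /dev/sgx/provision";
    if (access("/dev/isgx", F_OK) == 0)        return "legacy linux-sgx-driver: /dev/isgx (no DCAP)";
    return "no SGX device node";
}

/* Live CPUID probe; returns 0 when built for a non-x86 target. */
unsigned probe_sgx_cpuid(void)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned a, b, c, d, l12a, l12b, l12c, l12d;
    __cpuid_count(7, 0, a, b, c, d);
    __cpuid_count(0x12, 0, l12a, l12b, l12c, l12d);
    return decode_sgx_cpuid(b, c, l12a);
#else
    return 0;
#endif
}

/* Needs root and the msr kernel module (modprobe msr). */
int read_feature_control(uint64_t *val)
{
    int fd = open("/dev/cpu/0/msr", O_RDONLY);
    if (fd < 0) return -1;
    int ok = lseek(fd, 0x3A, SEEK_SET) == 0x3A && read(fd, val, sizeof *val) == (ssize_t)sizeof *val;
    close(fd);
    return ok ? 0 : -1;
}

int main(void)
{
    unsigned caps = probe_sgx_cpuid();
    uint64_t fc;
    printf("cpuid: sgx=%d sgx1=%d sgx2/edmm=%d flc=%d\n", !!(caps & CAP_SGX),
           !!(caps & CAP_SGX1), !!(caps & CAP_SGX2), !!(caps & CAP_FLC));
    if (read_feature_control(&fc) == 0)
        printf("IA32_FEATURE_CONTROL=%#llx -> launch control mode %d\n",
               (unsigned long long)fc, launch_control_mode(fc));
    else
        printf("IA32_FEATURE_CONTROL: unreadable (need root and the msr module)\n");
    printf("driver: %s\n", detect_sgx_driver());
    return 0;
}
```

A platform that reports CAP_FLC in CPUID but LC_LOCKED_TO_INTEL from the MSR is the case the kernel maintainers reject in the thread linked above: the hardware could do FLC, but firmware locked the hash MSRs, so only the legacy or out-of-tree driver with an Intel-signed Launch Enclave will work on it.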
See also
- Announcement: https://software.intel.com/en-us/blogs/2018/12/09/an-update-on-3rd-party-attestation
See also
In local attestation, the attesting SGX enclave collects attestation evidence in the form of an SGX Report using the EREPORT hardware instruction. This form of attestation is used to send the attestation evidence to a local party (on the same physical machine).
Internet service provided by Intel for “old” EPID-based remote attestation. Enclaves send SGX quotes to the client/verifier who will forward them to IAS to check their validity.
See also
- PCS
- Provisioning Certification Service, another Internet service provided by Intel.
Todo
TBD
One of the Architectural Enclaves of the Intel SGX software infrastructure. It is part of the SGX Platform Software. The Provisioning Enclave is used in EPID based remote attestation. This enclave communicates with the Intel Provisioning Service (IPS) to perform EPID provisioning. The result of this provisioning procedure is the private EPID key securely accessed by the Provisioning Enclave. This procedure happens only during the first deployment of the SGX machine (or, in rare cases, to provision a new EPID key after TCB upgrade). The main user of the Provisioning Enclave is the Quoting Enclave.
See also
One of the Architectural Enclaves of the Intel SGX software infrastructure. It is part of the SGX Platform Software and DCAP. The Provisioning Certification Enclave is used in DCAP based remote attestation. This enclave communicates with the Intel Provisioning Certification Service (PCS) to perform DCAP provisioning. The result of this provisioning procedure is the DCAP/ECDSA attestation collateral (mainly the X.509 certificate chains rooted in a well-known Intel certificate and Certificate Revocation Lists). This procedure happens during the first deployment of the SGX machine and then periodically to refresh the cached attestation collateral. Typically, to reduce the dependency on PCS, a cloud service provider introduces an intermediate caching service (Provisioning Certification Caching Service, or PCCS) that stores all the attestation collateral obtained from Intel. The main user of the Provisioning Certification Enclave is the Quoting Enclave.
New Internet service provided by Intel for the new ECDSA-based remote attestation. The enclave provider creates its own internal Attestation Service where it caches PKI collateral from Intel’s PCS, and the verifier gets the certificate chain from the enclave provider to check validity.
See also
- IAS
- Intel Attestation Service, another Internet service.
One of the Architectural Enclaves of the Intel SGX software infrastructure. It is part of the SGX Platform Software. The Quoting Enclave receives an SGX Report and produces a corresponding SGX Quote. The identity of the Quoting Enclave is publicly known (its signer, its measurement and its attributes) and is vetted by public companies such as Intel (in the form of a certificate chain ending in a publicly known root certificate of the company).
In remote attestation, the attesting SGX enclave collects attestation evidence in the form of an SGX Quote using the Quoting Enclave (and the Provisioning Enclave if required). This form of attestation is used to send the attestation evidence to a remote party (not on the same physical machine).
See also
.so files to be accessible like normal libraries (at least on Linux). Available together with a kernel module and documentation.
SGX Report
Attestation evidence produced by the EREPORT hardware instruction. It is used during Local Attestation. The SGX report is embedded into the SGX Quote.
SGX2
This refers to all new SGX instructions and other hardware features that were introduced after the release of the original SGX1. Encompasses at least EDMM, but is still work in progress.
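Added example for the SGX Report, SGX Quote and attestation entries above; it is not code from Graphene, the Intel SDK or DCAP. It parses the 384-byte REPORT body at the offsets the SDM gives (ATTRIBUTES, MRENCLAVE, MRSIGNER, ISVPRODID, ISVSVN), locates that same body inside a DCAP ECDSA quote (version 3, 48-byte header, signature length after the body), and then applies the identity policy a verifier enforces once the evidence is authenticated: INIT set, DEBUG clear in production, pinned MRSIGNER and/or MRENCLAVE, product ID match, and a minimum ISVSVN so a rolled-back build is refused. It deliberately does not do the cryptography: on a local report the target enclave checks the AES-128-CMAC over the body with the report key it gets from EGETKEY, and on a quote the signature is checked against the PCK certificate chain by the quote verification library; both happen before this policy. All sample bytes are constructed in the block and labelled as such.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Byte offsets in the 384-byte REPORT body (Intel SDM). The same layout is the body
 * of sgx_report_t produced by EREPORT and the body embedded in an SGX quote. */
enum {
    RB_ATTRIBUTES = 48, RB_MRENCLAVE = 64, RB_MRSIGNER = 128,
    RB_ISVPRODID = 256, RB_ISVSVN = 258, RB_REPORTDATA = 320, RB_SIZE = 384,
    REPORT_SIZE = 432,                      /* body + KEYID(32) + MAC(16) */
    Q3_HDR_SIZE = 48,                       /* quote v3 header: version, key type, SVNs, QE vendor id, user data */
    Q3_SIGLEN_OFF = Q3_HDR_SIZE + RB_SIZE,  /* uint32 signature_data_len follows the body */
};
#define ATTR_INIT      (1ULL << 0)          /* ATTRIBUTES.FLAGS bits */
#define ATTR_DEBUG     (1ULL << 1)
#define ATTR_MODE64BIT (1ULL << 2)

enum check_err { OK = 0, E_LEN = -1, E_VERSION = -2, E_KEYTYPE = -3, E_SIGLEN = -4,
                 E_NOTINIT = -10, E_DEBUG = -11, E_SIGNER = -12, E_ENCLAVE = -13, E_PRODID = -14, E_SVN = -15 };

struct report_body { uint64_t attr_flags; uint8_t mrenclave[32], mrsigner[32]; uint16_t isv_prod_id, isv_svn; };
struct policy {
    const uint8_t *mrsigner, *mrenclave;    /* NULL = do not pin this identity */
    uint16_t isv_prod_id, min_isv_svn;
    int allow_debug;
};

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t le32(const uint8_t *p) { return le16(p) | (uint32_t)le16(p + 2) << 16; }
static uint64_t le64(const uint8_t *p) { return le32(p) | (uint64_t)le32(p + 4) << 32; }

int parse_report_body(const uint8_t *buf, size_t len, struct report_body *out)
{
    if (len < RB_SIZE) return E_LEN;
    out->attr_flags = le64(buf + RB_ATTRIBUTES);
    memcpy(out->mrenclave, buf + RB_MRENCLAVE, 32);
    memcpy(out->mrsigner, buf + RB_MRSIGNER, 32);
    out->isv_prod_id = le16(buf + RB_ISVPRODID);
    out->isv_svn = le16(buf + RB_ISVSVN);
    return OK;
}

/* Locate the report body inside a DCAP (ECDSA) quote v3 and bounds-check the trailing
 * signature data. Verifying that signature against the PCK certificate chain and the
 * collateral from PCS/PCCS is the quote verification library's job, not done here. */
int parse_quote3(const uint8_t *buf, size_t len, struct report_body *out, uint32_t *sig_len)
{
    if (len < Q3_SIGLEN_OFF + 4) return E_LEN;
    if (le16(buf) != 3) return E_VERSION;
    uint16_t key_type = le16(buf + 2);                      /* 2 = ECDSA P-256, 3 = ECDSA P-384 */
    if (key_type != 2 && key_type != 3) return E_KEYTYPE;
    *sig_len = le32(buf + Q3_SIGLEN_OFF);
    if (*sig_len > len - (Q3_SIGLEN_OFF + 4)) return E_SIGLEN;   /* truncated quote or lying length */
    return parse_report_body(buf + Q3_HDR_SIZE, RB_SIZE, out);
}

/* Identity policy a verifier applies once the MAC (local) or signature (remote) is good. */
int check_report_body(const struct report_body *b, const struct policy *p)
{
    if (!(b->attr_flags & ATTR_INIT)) return E_NOTINIT;
    if ((b->attr_flags & ATTR_DEBUG) && !p->allow_debug) return E_DEBUG;   /* a debugger can read DEBUG enclaves */
    if (p->mrsigner && memcmp(b->mrsigner, p->mrsigner, 32) != 0) return E_SIGNER;
    if (p->mrenclave && memcmp(b->mrenclave, p->mrenclave, 32) != 0) return E_ENCLAVE;
    if (b->isv_prod_id != p->isv_prod_id) return E_PRODID;
    if (b->isv_svn < p->min_isv_svn) return E_SVN;                          /* rollback to a vulnerable build */
    return OK;
}

/* ---- constructed sample data, not the output of a real enclave ---- */
static void build_sample_report(uint8_t *rep, uint64_t attr_flags, uint16_t svn)
{
    memset(rep, 0, REPORT_SIZE);
    for (int i = 0; i < 8; i++) rep[RB_ATTRIBUTES + i] = (uint8_t)(attr_flags >> (8 * i));
    memset(rep + RB_MRENCLAVE, 0x22, 32);   /* pretend measurement */
    memset(rep + RB_MRSIGNER, 0x11, 32);    /* pretend signer */
    rep[RB_ISVPRODID] = 7;
    rep[RB_ISVSVN] = (uint8_t)svn; rep[RB_ISVSVN + 1] = (uint8_t)(svn >> 8);
}

int check_sample_report(uint64_t attr_flags, uint16_t svn, uint16_t min_svn, int allow_debug)
{
    uint8_t rep[REPORT_SIZE], signer[32];
    struct report_body b;
    memset(signer, 0x11, 32);
    struct policy p = { signer, NULL, 7, min_svn, allow_debug };
    build_sample_report(rep, attr_flags, svn);
    int rc = parse_report_body(rep, sizeof rep, &b);
    return rc ? rc : check_report_body(&b, &p);
}

/* Returns the signature length on success, or a negative error code. */
int check_sample_quote(size_t drop_tail)
{
    uint8_t q[Q3_SIGLEN_OFF + 4 + 8] = {0}, rep[REPORT_SIZE];
    struct report_body b;
    uint32_t sig_len = 0;
    q[0] = 3; q[2] = 2;                     /* quote version 3, ECDSA P-256 attestation key */
    build_sample_report(rep, ATTR_INIT | ATTR_MODE64BIT, 3);
    memcpy(q + Q3_HDR_SIZE, rep, RB_SIZE);
    q[Q3_SIGLEN_OFF] = 8;                   /* 8 bytes of placeholder signature data */
    int rc = parse_quote3(q, sizeof q - drop_tail, &b, &sig_len);
    return rc ? rc : (int)sig_len;
}
```

check_sample_report and check_sample_quote are the entry points: the first accepts a production report and rejects the same report with DEBUG set or an ISVSVN below the policy minimum; the second returns the declared signature length for a well-formed quote and E_SIGLEN or E_LEN when bytes are dropped from the end, which is the check that stops a truncated quote from being parsed past its buffer.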
Todo
TBD
In the context of SGX this has the usual meaning: the set of all components that are critical to security. Any vulnerability in the TCB compromises security. Any problem outside the TCB is not a vulnerability, i.e. should not compromise security.
In the context of Graphene there is also a different meaning (Thread Control Block). Those two should not be confused.
Todo
TBD