As I know, a SGX enclave memory will be encrypted until it is loaded into CPU.
The memory will be decrypted by memory controller, it means that the secret message will be loaded into CPU cache as a plaintext, right?
If a malicious software or malicious enclave try to flush or desctroy the whole cache line, How does SGX protect the secret in the cache?
Is there any document introduce the details about SGX instruction behavior inside CPU?
Section 5 of our whitepaper explains the process for building an enclave. Whilst a Ring0 component executes the instructions, the HW architecture is responsible for the security of the enclave. The measurement created by the HW during this process is inaccessible to the Ring0 component.
At the end of the build process you have an enclave with a measurement and it then uses the attestation process to allow a verifier to determine that the enclave was built as it required and then to deploy a secret to the enclave.
Keys used to keep the secret local are also bound to the measurement of the enclave.