Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.
1518 Discussions

Can SGX enclaves run at ring 0?

Mazhar_N_
Beginner
‎08-18-2016 06:07 AM
1,686 Views
Solved Jump to solution

Is it possible to run SGX enclaves at ring 0?

OR

Can we run SGX enclaves using sudo with root privileges?

I gather that SGX enclaves run at ring 3. Suppose I want to run a program inside SGX enclave which will want to access kernel data structures. Is there any way I could achieve this?

0 Kudos
1 Solution
Surenthar_S_Intel
Employee
‎08-19-2016 03:02 AM
1,686 Views
Solved Jump to solution

Hi Mazhar,

SGX Enclaves currently only allow for Ring 3 code execution. Intel SGX enclave runs in ring 3 only, no kernel mode. 
Intel SGX objective is secure the application in ring 3 itself. Applications are not protected from privileged code attacks. Intel® SGX provides a safe place for code and data in the application.

Thanks and Regards,
Surenthar Selvaraj

View solution in original post

0 Kudos
Copy link

Link Copied

3 Replies
Surenthar_S_Intel
Employee
‎08-19-2016 03:02 AM
1,687 Views
Solved Jump to solution

Hi Mazhar,

SGX Enclaves currently only allow for Ring 3 code execution. Intel SGX enclave runs in ring 3 only, no kernel mode. 
Intel SGX objective is secure the application in ring 3 itself. Applications are not protected from privileged code attacks. Intel® SGX provides a safe place for code and data in the application.

Thanks and Regards,
Surenthar Selvaraj

0 Kudos
Copy link
Mazhar_N_
Beginner
‎08-27-2016 02:37 AM
1,686 Views
Solved Jump to solution

Surenthar Selvaraj. (Intel) wrote:

Hi Mazhar,

SGX Enclaves currently only allow for Ring 3 code execution. Intel SGX enclave runs in ring 3 only, no kernel mode. 
Intel SGX objective is secure the application in ring 3 itself. Applications are not protected from privileged code attacks. Intel® SGX provides a safe place for code and data in the application.

Thanks and Regards,
Surenthar Selvaraj

So that means we cannot run a kernel module inside SGX enclaves, right?

0 Kudos
Copy link
Surenthar_S_Intel
Employee
‎09-01-2016 09:07 PM
1,684 Views
Solved Jump to solution

Hi Mazhar,

Yes, We cannot run a kernel module inside SGX enclaves.

-Surenthar.

0 Kudos
Copy link
Reply

Community support is provided Monday to Friday. Other contact methods are available here.

Intel does not verify all solutions, including but not limited to any file transfers that may appear in this community. Accordingly, Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade.

For more complete information about compiler optimizations, see our Optimization Notice.