Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

Guarantee code consistency and integrality using SGX


Hi, I am currently working on a project to build a distributed system. I am trying to understand some details about how SGX works.

Here is my scenario:

1. I upload all my code to GitHub and release it, so that everyone can download my release file or build locally to be a node in the system.

2. The whole system consistence of several nodes as long as they claim they want to join.

My question:

1. Can SGX use any attestation, technology to guarantee the code on the peer node are the same as I provided on GitHub?

2. I also want to make sure SGX can avoid enclave changing attack. If a malicious node init an enclave1,  pass the validation and do some data sealing, but replace it use another enclave2 later. Is that means the data sealing part on disk encrypted by enclave1 will never be decrypt by enclave2, so the data is safe? 

3. Currently I use intel platinum 8163 to do the test on alibaba cloud. Is it OK for SGX, any limitation on it?




0 Kudos
1 Reply

Hello Terrance,

  1. Intel SGX does have a remote attestation capability that guarantees the integrity of the enclave on the client platforms. Start reading the documentation on this page for more information. Be sure to also see this end-to-end example.
  2. Yes, this is exactly what remote attestation allows you to do.
  3. There are two components that the ISV controls in SGX remote attestation: 1) the client, which contains the enclave that is being attested, and 2) the service provider, which is doing the attesting. The client must have SGX support but the service provider platform does not need SGX support. The Intel® Xeon® Platinum 8168 Processor does not have Intel SGX technology. To see a full list of Intel Xeon processors that have Intel SGX, please visit this page.


0 Kudos