Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.
1428 Discussions

High level explanation about SGX

mor_m_
Beginner
‎09-17-2016 08:03 AM
313 Views

Hello,

I'm trying to understand this SGX new feature and I have a hard time to understand some core concepts although going through some very long white papers and articles, that goes from very shallow explaining to very deep implementation stuff.

I think I understood this enclave entering and exiting concept,

however I don't understand the high level concept of how is it possible to execute code on local machine and providing all the code and data on the actuall files (so for example: http://ayeks.de/2016/01/Create-and-Execute-an-Intel-SGX-Enclave/)

the enclave_test_save.signed.dll file which is the sgx enclave project and the code and data is suppose to be protected.

How is it logicly possible to provide all the code and the data (i understand they are encrypted) and not providing any key to open those file and still they will be secured?

How this code and data actually being open on a local computer without any 3rd party server to send the needed key to open them?

Does intel have some kind of private key allowing the cpu to open all the the encrypted code & data and so they only the hardware of the cpu to be able to open it?

Is it mean that if someone will get this private key he will be able to open all the encrypted enclaves?

 

I hope you can help me do some order in the mess of learning,

thank you for your help!

Mor.

0 Kudos

Link Copied

1 Reply
Surenthar_S_Intel
Employee
‎09-19-2016 08:23 PM
313 Views

Hi,

The signed dll enclave file, if designed correctly, should not have any secrets provisioned already. We recommend that once the enclave that has only the code that operates on your confidential information, is loaded and verified, only after that secret should be provisioned into it. Once the secrets are provisioned, enclave can seal them locally for later use. Provisioning of secrets can be done using the remote attestation mechanism supported by Intel using a modified sigma protocol. Please refer to this article and code sample for remote attestation - https://software.intel.com/en-us/articles/intel-software-guard-extensions-remote-attestation-end-to-end-example

-Surenthar

0 Kudos
Copy link
Reply

Community support is provided during standard business hours (Monday to Friday 7AM - 5PM PST). Other contact methods are available here.

Intel does not verify all solutions, including but not limited to any file transfers that may appear in this community. Accordingly, Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade.

For more complete information about compiler optimizations, see our Optimization Notice.