Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.
1458 Discussions

How does a hypervisor work with SGX?

Insu_J_
Beginner
‎01-17-2017 06:15 AM
744 Views

Hello,

I'm studying how SGX works in virtual machines. I'm using KVM-sgx and QEMU-sgx to make a virtual machine that can run SGX applications.

if an SGX app starts to run in the VM, how the hypervisor maps EPC pages that the VM uses to actual EPC pages?

I know all EPC pages are statically allocated and mapped to VM when it is created (https://github.com/01org/kvm-sgx/wiki), but allocating EPC pages to some process is done when an enclave is created in real SGX application world. That means creating a VM is actually creating an SGX enclave, however, it must be false because enclave only runs in user space, while kvm is in kernel space.

Then it should mean that the modified SGX driver included in kvm-sgx has functionality of EPC allocation. I see three commits (6b4962a, b9137fa, and 0e34cb7) regarding to support this functionality. Is it right that these functions are added to allocate EPC pages for virtualization support?

Also, how address translation between guest virtual address and guest physical address is protected by SGX? In a native machine, address translation between virtual address and physical address for EPC pages is protected by TLB miss handler, but there is no information about SGX address translation protection in virtualized environment.

Thanks in advance!

0 Kudos

Link Copied

0 Replies
Reply

Community support is provided during standard business hours (Monday to Friday 7AM - 5PM PST). Other contact methods are available here.

Intel does not verify all solutions, including but not limited to any file transfers that may appear in this community. Accordingly, Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade.

For more complete information about compiler optimizations, see our Optimization Notice.