Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.
1453 Discussions

Memory Encryption in debug enclaves

Ofir_W_
Beginner
‎10-18-2016 07:23 AM
765 Views

The Linux SDK manual says (in documenting the function sgx_create_enclave ):
"""

debug [in]

The valid value is 0 or 1.

0 indicates to create the enclave in non-debug mode. An enclave created in non-debug mode cannot be debugged.

1 indicates to create the enclave in debug mode. The code/data memory inside an enclave created in debug mode is accessible by the debugger or other software outside of the enclave and thus is not under the same memory access protections as an enclave created in non-debug mode.

"""

Does that mean that debug enclaves do not make use of the MEE (memory encryption engine)?
I noticed that if I try to access Enclave memory form the un-trusted code I get abort-page behavior, i.e., I get 0xFFFFFFFF. I assume that means the memory is inside the EPC (Enclave page cache). Is that correct?

Is the entire EPC encrypted, or just non-debug enclaves?

Ofir

0 Kudos

Link Copied

1 Reply
Surenthar_S_Intel
Employee
‎10-19-2016 10:58 PM
765 Views

Hi,

There is only one key in the MEE and it is used for all memory locations whether it is used for a debug or production enclave.

This is because the MEE does not as a first level defence prevent access to memory from SW. There are other changes to the hardware that make access control checks when a memory access occurs. It is these access control checks which are disabled when the debug bit is set and the EDBGRD/EDBGWR instructions are used.

-Surenthar

0 Kudos
Copy link
Reply

Community support is provided during standard business hours (Monday to Friday 7AM - 5PM PST). Other contact methods are available here.

Intel does not verify all solutions, including but not limited to any file transfers that may appear in this community. Accordingly, Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade.

For more complete information about compiler optimizations, see our Optimization Notice.