Intel® Software Guard Extensions (Intel® SGX)
Use hardware-based isolation and memory encryption to provide more code protection in your solutions.

Memory Encryption in debug enclaves


The Linux SDK manual says (in documenting the function sgx_create_enclave ):

debug [in]

The valid value is 0 or 1.

0 indicates to create the enclave in non-debug mode. An enclave created in non-debug mode cannot be debugged.

1 indicates to create the enclave in debug mode. The code/data memory inside an enclave created in debug mode is accessible by the debugger or other software outside of the enclave and thus is not under the same memory access protections as an enclave created in non-debug mode.


Does that mean that debug enclaves do not make use of the MEE (memory encryption engine)?
I noticed that if I try to access Enclave memory form the un-trusted code I get abort-page behavior, i.e., I get 0xFFFFFFFF. I assume that means the memory is inside the EPC (Enclave page cache). Is that correct?

Is the entire EPC encrypted, or just non-debug enclaves?


0 Kudos
1 Reply


There is only one key in the MEE and it is used for all memory locations whether it is used for a debug or production enclave.

This is because the MEE does not as a first level defence prevent access to memory from SW. There are other changes to the hardware that make access control checks when a memory access occurs. It is these access control checks which are disabled when the debug bit is set and the EDBGRD/EDBGWR instructions are used.