I think the first sentence is clear. Data in EPC is encrypted and integrity protected so even a cold boot attack won't be able to retrieve enclave data.

The CPU decrypts and integrity checks EPC memory when the enclave reads from memory before it's stored in the processor cache. Similarly, data is encrypted inside the CPU when the enclave writes to EPC memory. The metadata that is used to verify the integrity of the data is itself also integrity protected. The integrity information is stored in a tree, the root of which is stored in SRAM, inside the processor.

You may read the article "A Memory Encryption Engine Suitable for General Purpose Processors" that explains how to Integrity Tree is maintained.

Does this answer your question?

Thank you for the information, Juan.
It is clear for me that EPC page is encrypted, however, I still don't understand explanation about encryption during page swapping.

https://software.intel.com/en-us/articles/innovative-instructions-and-software-model-for-isolated-execution

Section 7.2. (Evicting the enclave page) in this article explains that EWB instruction encrypts the EPC page using the paging encryption key.
Does it mean EWB encrypts an encrypted EPC page again?

If yes, why SGX should encrypt data twice?

If no, why page swapping is so burden? The paper [SCONE: Secure Linux Container] illustrates that when allocated EPC size is over than 92MB, so page swapping is necessary, memory access overhead is 1000x times higher than just accessing within L3 cache. It is even 100x times slower than memory access with L3 cache miss.
If encryption is only done between L3 cache and memory, This high overhead due to page swapping cannot be explained, I think. Then which job during page swapping makes it so slow?

Thank you!

From the CPU standpoint, data in EPC is unencrypted, because the MEE sits transparently between the CPU and the PRM. In other words, the data in EPC is encrypted because it's outside the CPU package. However, it doesn't need to be this way. For instance, a CPU with special on-chip memory wouldn't need the MEE and the EPC memory wouldn't have to be encrypted.

When a page is evicted it's a different story. The page is placed outside EPC, and therefore it must be encrypted, and integrity and replay protected. This is what the EWB does and what makes this operation expensive, compared to normal memory page swaps. Going back to the example of the EPC located in some special on-chip memory. In this case EWB would still have to encrypt & protect the page before it's evicted.

In summary, encrypting EPC memory is an implementation artifact, the result of having the EPC in DRAM that requires MEE. EWB encrypting the page before eviction is architectural.

I hope this answer your question.

Juan D. (Intel) wrote:

From the CPU standpoint, data in EPC is unencrypted, because the MEE sits transparently between the CPU and the PRM. In other words, the data in EPC is encrypted because it's outside the CPU package. However, it doesn't need to be this way. For instance, a CPU with special on-chip memory wouldn't need the MEE and the EPC memory wouldn't have to be encrypted.

When a page is evicted it's a different story. The page is placed outside EPC, and therefore it must be encrypted, and integrity and replay protected. This is what the EWB does and what makes this operation expensive, compared to normal memory page swaps. Going back to the example of the EPC located in some special on-chip memory. In this case EWB would still have to encrypt & protect the page before it's evicted.

In summary, encrypting EPC memory is an implementation artifact, the result of having the EPC in DRAM that requires MEE. EWB encrypting the page before eviction is architectural.

I hope this answer your question.

Thank you for the explanation, but I'm afraid it is still not clear the difference between encryption by MEE and encryption due to EWB instruction.

The reason I think the encryption during eviction is "additional" is that, if EWB selects an EPC page to be evicted, my thought is that it must be the least recently accessed one (according to LRU policy), which means that it is highly possible that this EPC page is already outside the CPU package, as encrypted. Then encrypting an encrypted EPC is an additional operation. Am I wrong?

To make my question clear, let me define three categories that an EPC page can be in: inside the CPU package (i.e. on-chip memory or cache), in the EPC region (protected), outside the EPC region (unprotected).
1. MEE performs encryption of an EPC page when an EPC page goes from cache (inside the CPU package) to the EPC region (protected), because of small capacity of L3 cache.
2. EWB performs eviction of an EPC page from the EPG region (protected) to outside the EPC region (unprotected), because of small capacity of EPC.

I understand operation number 1. But documentations say that SGX ALSO encrypts the EPC page during the operation number 2.
Is there anything that I misknow?

Thank you again for the comment!

As a requirement, the CPU must encrypt and integrity and replay protect the contents of an EPC page before it is evicted (EWB).

However, the CPU doesn't see the EPC page as encrypted. From the CPU standpoint, EPC memory is not encrypted. The MEE (implementation detail) sits between the CPU and DRAM and encrypts/decrypts memory content.

EPC is part of the PRM  so there is no mechanism to simply transfer the EPC page out.

Juan D. (Intel) wrote:

As a requirement, the CPU must encrypt and integrity and replay protect the contents of an EPC page before it is evicted (EWB).

However, the CPU doesn't see the EPC page as encrypted. From the CPU standpoint, EPC memory is not encrypted. The MEE (implementation detail) sits between the CPU and DRAM and encrypts/decrypts memory content.

EPC is part of the PRM  so there is no mechanism to simply transfer the EPC page out.

Thank you again for the explanation. So the key point was "the CPU standpoint". CPU sees that EPC memory is not encrypted because MEE transparently encrypts/decrypts the EPC memory. If EWB is executed, CPU explicitly orders encryption for the EPC page, while the EPC page is already encrypted and resides in EPC. (again, from the CPU standpoint, it is not encrypted, but actually encrypted from outside CPU package). Then when EPC page is swapped out to the unprotected memory region, it should mean the EPC page is encrypted twice (transparently by MEE, explicitly by EWB).

And if this evicted EPC page is swapped in the EPC, a CPU instruction ELDB or ELDU checks its integrity and decrypts it. After the instruction call, "from the CPU standpoint", it is unencrypted. But still from the view of the ouside CPU package, it is encrypted, as it is still outside the CPU package. And it will become plaintext through transparent decryption by MEE if it is accessed and copied into L3 cache.

Hence, from the view of the world outside, not the view of CPU, encryption and decryption are done in both borders: between cache and EPC, and between EPC and untrusted memory.

Am I correct?

Thanks!

Insu J. wrote:

Quote:

Juan D. (Intel) wrote:

 

As a requirement, the CPU must encrypt and integrity and replay protect the contents of an EPC page before it is evicted (EWB).

However, the CPU doesn't see the EPC page as encrypted. From the CPU standpoint, EPC memory is not encrypted. The MEE (implementation detail) sits between the CPU and DRAM and encrypts/decrypts memory content.

EPC is part of the PRM  so there is no mechanism to simply transfer the EPC page out.

 

 

Thank you again for the explanation. So the key point was "the CPU standpoint". CPU sees that EPC memory is not encrypted because MEE transparently encrypts/decrypts the EPC memory. If EWB is executed, CPU explicitly orders encryption for the EPC page, while the EPC page is already encrypted and resides in EPC. (again, from the CPU standpoint, it is not encrypted, but actually encrypted from outside CPU package). Then when EPC page is swapped out to the unprotected memory region, it should mean the EPC page is encrypted twice (transparently by MEE, explicitly by EWB).

And if this evicted EPC page is swapped in the EPC, a CPU instruction ELDB or ELDU checks its integrity and decrypts it. After the instruction call, "from the CPU standpoint", it is unencrypted. But still from the view of the ouside CPU package, it is encrypted, as it is still outside the CPU package. And it will become plaintext through transparent decryption by MEE if it is accessed and copied into L3 cache.

Hence, from the view of the world outside, not the view of CPU, encryption and decryption are done in both borders: between cache and EPC, and between EPC and untrusted memory.

Am I correct?

Thanks!

Hi, Insu J.  

I also have this question. I have read all your comments and i think that is reasonable, but there are no replays about this question, so have you got the right answer?

Is the PRM memory encrypyed with the same key.

or is the PRM memory region for each enclave encrypted with a different key?