Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.
1452 Discussions

Question about Enclave paging encryption Key (CR_BASE_PK)

SONGSONG_L_
Beginner
‎05-25-2018 08:18 AM
295 Views

Dear,

In the Intel software developer's manual (SDM), I found that evicted pages would be encrypted via AES-GCM with the key CR_BASE_PK. Here is the pseudo-code from SDM:

(* Encrypt the page, DS:RCX could be encrypted in place. AES-GCM produces 2 values, {ciphertext, MAC}. *)
(* AES-GCM input parameters: key, GCM Counter, MAC_HDR, MAC_HDR_SIZE, SRC, SRC_SIZE) *)
{DS:TMP_SRCPGE, DS:TMP_PCMD.MAC} <- AES_GCM_ENC(CR_BASE_PK, (TMP_VER << 32), TMP_HEADER, 128, DS:RCX, 4096);

And the SDM also indicates that the key CR_BASE_PK is an internal CREG.

In the SGX patent (https://patents.google.com/patent/US20120159184A1/en), I found the evicted pages is encrypted by CMA (old name of MEE). Quote from patent:

"When enclave pages residing in the EPC is evicted from the cache to the main memory outside the CPU package, it is protected by CMA (Crypto Memory Aperture) encryption. The CMA will encrypt the data to provide data confidentiality. The integrity of the EPC is provided by range registers that prevent reads and writes to the EPC."

So my question is whether the encryption key CR_BASE_PK is generated and used by MEE. If not, is it hard-coded inside CPU? Is it related to enclave key generation? Do all enclaves share the same key for paging encryption?

 

0 Kudos

Link Copied

0 Replies
Reply

Community support is provided during standard business hours (Monday to Friday 7AM - 5PM PST). Other contact methods are available here.

Intel does not verify all solutions, including but not limited to any file transfers that may appear in this community. Accordingly, Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade.

For more complete information about compiler optimizations, see our Optimization Notice.