Intel® Software Guard Extensions (Intel® SGX)
Use hardware-based isolation and memory encryption to provide more code protection in your solutions.
1266 Discussions

Question about the Heaven Paper: How does the shield loads OS inside Enclave

Dvorak_d_
Beginner
179 Views

Hi, I have a question about the Heaven Paper: https://www.usenix.org/system/files/conference/osdi14/osdi14-paper-baumann.pdf

If I understood correctly, the process is:
1. Application developer packages everything into an image, and encrypt with a password,  then send the encrypted image to the cloud provider;
2. cloud provider first creates an Enclave, and load it with a "Shield";
3. the "Shield" does the "remote attestation", once all clear, it receives the password that can decrypt the Image. 
4. It basically "boots" the OS/App inside the image. 
5; application runs securely

I'm confused with step 4. Quoting the original text "
The Assuming it was loaded correctly, the shield may now decrypt the VHD key using its private key, and use it to access the contents of the VHD, allowing it to continue to load the LibOS and application."

Just wondering, if code inside the image is encrypted when the enclave is created, how does the enclave make the code "executable" after decryption? This is like asking my C program to execute machine code inside my HEAP, which is mostly forbidden by OS. Is this kind of operation allowed inside the Enclave? (i.e. trusted enclave code can read some blobs from untrusted memory, decrypt it, and place it inside trusted area as CODE instead of DATA, then execute the code?)

Thanks a lot!

-Dvorak

 

0 Kudos
1 Solution
Surenthar_S_Intel
179 Views

We suggest that you direct your question to the authors of the paper.  Thank you for your interest in Intel(r) SGX

-Surenthar.

View solution in original post

1 Reply
Surenthar_S_Intel
180 Views

We suggest that you direct your question to the authors of the paper.  Thank you for your interest in Intel(r) SGX

-Surenthar.

Reply