Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

Question on possible attacks against SGX

slava
Beginner
1,159 Views

I've exhausted my resources, and have asked about this everywhere and didn't get a satisfatory answer , so I came here, to the source, hopefully I'll be able to understand the following points now.

 

Alright so first of all, I'll briefly describe SGX as I UNDERSTAND IT, so if I got it wrong, please explain.

The basic idea of SGX is to provide a secure way to execute code REMOTLY right? I mean the server contains the RSA private key which is used to decrypt and execute the code sent by the user which encrypted it with the public key.

With that in mind a have the following questions:

 

 

  1. Who generates the key pair, and who is it send to the other party?
  2. The intel manual describes that code running inside an enclave CAN receive a SMI interrupt, so would the SMM code be able to look at the enclave? Even if its encryptped the key is in memory right?Like, it won't encrypt this key without another key. It's only a matter of finding it, am I right?
  3. Where can I find out about the key management that SGX employs? Or rather, how exatcly (if at all) is the key protect during an event like a SMI interrupt
  4. Is there ANY benefit in using SGX locally?
  5. The EPC (Enclave Page Cache) is it literally on the CPU cache or it's on the RAM?
  6. What is the point of keeping a hash of the EPC inside SGX Enclave Control Structure (SECS) if the code can change? Like, suppose a variable increases or whatever, that would change the hash right at run time
0 Kudos
1 Solution
JesusG_Intel
Moderator
1,138 Views

Hello Slava,

 

You ask a lot of good questions. While I can answer some questions in a few short sentences, others will require more reading on your part because the answers are complex. I will provide links to the relevant documents.

 

SGX is not a mechanism to run software remotely. SGX enclaves run locally, and can communicate directly only with an application that runs locally. If an SGX enclave needs to communicate with remote software, the remote software interfaces with the local app, and the local app interfaces with the enclave.

 

There is a way to for SGX to load and run encrypted [at rest] code using the "Intel SGX Protected Code Loader." Please see the section, Enabling Enclave Code Confidentiality , in the Intel SGX Developer Reference Guide for Windows or Linux.

 

SMI interrupts do not allow the SMM code to look inside the enclave. Like any other interrupt, the SMI causes an Asynchronous Enclave Exit (AEX). During an AEX, execution of the enclave stops, the processor state is saved securely in the enclave, the event that causes the AEX is processed normally, then execution returns to the enclave. Please read chapters 38.2.2 and 38.2.3 in the Intel Software Development Manual, Volume 3D.

 

You will find much more information on key management and protections in the paper SGX Explained (I highly recommend reading this paper) and the Intel SGX Developer Guide, chapter Enclave Signature Structure.

 

The EPC is in DRAM, although it is named "Cache."

 

The hash of the enclave in the EPC is a hash of the source code itself. It does not take into account enclave data memory, which changes at runtime. The source code does not change at runtime.


View solution in original post

0 Kudos
3 Replies
JesusG_Intel
Moderator
1,139 Views

Hello Slava,

 

You ask a lot of good questions. While I can answer some questions in a few short sentences, others will require more reading on your part because the answers are complex. I will provide links to the relevant documents.

 

SGX is not a mechanism to run software remotely. SGX enclaves run locally, and can communicate directly only with an application that runs locally. If an SGX enclave needs to communicate with remote software, the remote software interfaces with the local app, and the local app interfaces with the enclave.

 

There is a way to for SGX to load and run encrypted [at rest] code using the "Intel SGX Protected Code Loader." Please see the section, Enabling Enclave Code Confidentiality , in the Intel SGX Developer Reference Guide for Windows or Linux.

 

SMI interrupts do not allow the SMM code to look inside the enclave. Like any other interrupt, the SMI causes an Asynchronous Enclave Exit (AEX). During an AEX, execution of the enclave stops, the processor state is saved securely in the enclave, the event that causes the AEX is processed normally, then execution returns to the enclave. Please read chapters 38.2.2 and 38.2.3 in the Intel Software Development Manual, Volume 3D.

 

You will find much more information on key management and protections in the paper SGX Explained (I highly recommend reading this paper) and the Intel SGX Developer Guide, chapter Enclave Signature Structure.

 

The EPC is in DRAM, although it is named "Cache."

 

The hash of the enclave in the EPC is a hash of the source code itself. It does not take into account enclave data memory, which changes at runtime. The source code does not change at runtime.


0 Kudos
JesusG_Intel
Moderator
1,116 Views

Hello Slava,


Have all your questions been answered satisfactorily?


0 Kudos
JesusG_Intel
Moderator
1,109 Views

Intel is no longer monitoring this thread. If you want a response from Intel in a follow-up question, please open a new thread.


0 Kudos
Reply