![Page 1: Intel SGXcsg.csail.mit.edu/6.888Yan/slides/3-SGX.pdf · 2020. 9. 14. · àNeed to encrypt secret data àNeed to verify integrity (software attestation) •Mess up with •Address](https://reader036.vdocuments.site/reader036/viewer/2022062610/6107745f9e85fb693777e5f9/html5/thumbnails/1.jpg)
Intel SGX
Mengjia Yan, Fall 2020
Based on slides of Intel SGX Tutorial
Recap: Address Translation
6.888 L3 - Intel SGX 2
[Figure: the virtual address space (programmer's view) is mapped by a per-process page table onto the physical address space (limited by DRAM size), one 4KB page at a time (VA → PA)]
Recap: Address Translation
[Figure: same address-translation diagram; when a 4KB virtual page has no physical page behind it, system software handles the "page fault" and supplies the mapping]
Recap: Process Isolation
[Figure: Process 1 and Process 2 each have their own page table, so their virtual address spaces map onto different 4KB physical pages]
Page De-duplication and Copy-on-write
[Figure: the page tables of Process 1 and Process 2 both map a 4KB virtual page onto the same physical page, marked CoW (copy-on-write)]
If two pages have the same content, use page de-duplication to reduce memory footprint.
Page De-duplication and Copy-on-write
[Figure: after one process writes to the shared CoW page, it receives a copied 4KB page and its page-table mapping is changed to point at the copy]
Upon write access, copy the page and change the mapping.
Recap: Secure Boot
• Static root of trust for measurement (SRTM)
The measurements are compared to expected values locally, or submitted to a remote attestor.
[Figure: boot chain TPM + firmware → Boot Loader → OS kernel; before handing over, each stage 1. measures (hashes) the next stage, 2. reports the hash to the TPM (extend), and 3. loads it. PCR: platform configuration register]
Software Attestation
• Defend against replay attacks: freshness
[Figure: the verifier sends a nonce to the processor chip (w/ BIOS, OS, apps); the TPM signs {measurement list + nonce} with its private key Kpri, and the verifier checks the signature with Kpub]
How to know this key belongs to a specific TPM?
Software Attestation
• Need a public key infrastructure
[Figure: the TPM holds the attestation identity key AIKpri and signs {measurement list + nonce}; the verifier checks the signature with AIKpub. The chip manufacturer holds the root key pair RKpri/RKpub and acts as certificate authority by signing AIKpub with RKpri; AIKpri is sent to the TPM using a secure communication protocol]
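The measured-boot chain of the secure-boot slide and the nonce plus PKI attestation of the two slides above, worked through as an added example (not from the original slides or from any TPM implementation). SHA-256 stands in for the PCR extend hash, Ed25519 keys stand in for the TPM's AIK and the manufacturer's root key RK, and the quote layout and the `quote:` prefix are assumptions:

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Extend is the TPM "report" step: PCR <- H(PCR || H(component)); order matters.
func Extend(pcr [32]byte, component []byte) [32]byte {
	m := sha256.Sum256(component)
	return sha256.Sum256(append(pcr[:], m[:]...))
}

// MeasureChain replays the boot chain: each stage is hashed and extended in turn.
func MeasureChain(stages [][]byte) [32]byte {
	var pcr [32]byte // the PCR starts at all zeros at reset
	for _, s := range stages {
		pcr = Extend(pcr, s)
	}
	return pcr
}

// Quote is the TPM's answer: {PCR, nonce} signed with AIKpri (assumed layout).
type Quote struct {
	PCR   [32]byte
	Nonce []byte
	Sig   []byte
}

func quoteMsg(pcr [32]byte, nonce []byte) []byte {
	return append(append([]byte("quote:"), pcr[:]...), nonce...)
}

// TPMQuote runs on the platform: signing the nonce with the PCR prevents replay.
func TPMQuote(aikPriv ed25519.PrivateKey, pcr [32]byte, nonce []byte) Quote {
	return Quote{PCR: pcr, Nonce: nonce, Sig: ed25519.Sign(aikPriv, quoteMsg(pcr, nonce))}
}

// CertifyAIK: the chip manufacturer (as certificate authority) signs AIKpub with RKpri.
func CertifyAIK(rootPriv ed25519.PrivateKey, aikPub ed25519.PublicKey) []byte {
	return ed25519.Sign(rootPriv, aikPub)
}

// VerifyQuote is the verifier's side: AIK certified by RKpub, nonce fresh,
// signature valid under AIKpub, PCR equal to the expected known-good value.
func VerifyQuote(rootPub, aikPub ed25519.PublicKey, aikCert []byte,
	q Quote, sentNonce []byte, expected [32]byte) error {
	if !ed25519.Verify(rootPub, aikPub, aikCert) {
		return fmt.Errorf("AIK is not certified by the chip manufacturer")
	}
	if !bytes.Equal(q.Nonce, sentNonce) {
		return fmt.Errorf("stale nonce: replayed quote")
	}
	if !ed25519.Verify(aikPub, quoteMsg(q.PCR, q.Nonce), q.Sig) {
		return fmt.Errorf("bad quote signature")
	}
	if q.PCR != expected {
		return fmt.Errorf("measurement mismatch: unexpected software stack")
	}
	return nil
}

// NewKeyPair derives a deterministic Ed25519 key pair from one seed byte (demo only).
func NewKeyPair(seed byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{seed}, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}
```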
Intel TXT, AMD PSP, Google Titan
Intel TXT: dynamic root of trust for measurement (DRTM)
Figure from https://www.hotchips.org/hc30/1conf/1.14_Google_Titan_GoogleFinalTitanHotChips2018.pdf
Security Vulnerabilities of Using TPM
• Vulnerable to bus tapping attacks
• TPM reset attacks
• SW reports hash values
• Bugs in the trusted software
[Figure: the measured boot chain TPM + firmware → Boot Loader → OS kernel (1. measure (hash), 2. report (extend), 3. load); the hash values are computed and reported by the software stages themselves]
Han et al. A Bad Dream: Subverting Trusted Platform Module While You Are Sleeping. USENIX Security '18
Wojtczuk et al. Attacking Intel TXT® via SINIT code execution hijacking. 2011
So Far ……
[Figure: privilege rings: App (Ring 3), Guest OS (Ring 0), Hypervisor (Ring -1), SMM firmware (Ring -2), Hardware; and a non-virtualized variant with App (Ring 3), Host OS (Ring 0), SMM and Hardware. The whole software stack below the app is marked trusted]
The trend: shrink TCB. Why?
Why Shrink TCB?
• Software bugs
  • SMM-based rootkits
  • Xen 150K LOC, 40+ vulnerabilities per year
  • Monolithic kernel, e.g., Linux, 17M LOC, 100+ vulnerabilities per year
• Remote Computing
  • Remote computer and software stack owned by an untrusted party
  • Examples
[Figure: ring diagram App (Ring 3) / Guest OS (Ring 0) / Hypervisor (Ring -1) / SMM (Ring -2) / Hardware]
Shrink HW TCB?
Secure Remote Computing
• Example: Video processing
[Figure: a remote computer managed by an untrusted infrastructure provider runs a container with trusted software supplied by the software provider; the data owner sends in private data and receives a private result]
Shrink Trusted Computing Base (TCB)
[Figure: four ring diagrams (App Ring 3, Guest OS Ring 0, Hypervisor Ring -1, SMM Ring -2, Hardware) shading which layers each design trusts: the baseline stack, AMD SEV (the guest VM), Intel SGX (only the enclave inside the app, marked trusted), and Arm TrustZone (a separate secure-world App/OS stack with SMM and hardware)]
Arm TrustZone
Figure from Hua et al. vTZ: Virtualizing ARM TrustZone. USENIX Security '17
TrustZone recommends not keeping secret data in DRAM, but that is only a recommendation.
The cache is dynamically partitioned by tagging each cache line with a security bit.
Privileged Software Attacks
• Manipulate everything
• Directly see and modify application code and data
  → Need to encrypt secret data
  → Need to verify integrity (software attestation)
• Mess up with
  • Address translation
  • Process initialization and context switch
  • Interrupts, I/Os
  • etc.
[Figure: ring diagram with an Intel SGX enclave inside the app; Guest OS, Hypervisor and SMM are the privileged software the enclave does not trust]
Enclave High-level View
• Goal: A protected environment that contains the code and data of a security-sensitive computation.
[Figure: the enclave lives inside the app, with its memory in Processor Reserved Memory (PRM), isolated from Guest OS, Hypervisor and SMM]
Problem: How to handle address translation, context switch, etc.?
SGX HW TCB
[Figure: the SGX hardware TCB is the processor chip (socket): cores with L1/L2, LLC, the Memory Management Unit (MMU) and the integrated memory controller; memory (DRAM), non-volatile storage and other I/O devices sit outside it on the (logical) system bus]
Low impact on the chip's HW design
Intel SGX Security Mechanisms
[Figure: the three SGX security mechanisms: isolation (the enclave inside the app, backed by PRM), attestation, and DRAM protection at the integrated memory controller of the processor chip]
SGX Access Control
• Assume software attestation is done
• Can have multiple enclaves
[Figure: App 1, App 2 and App 3 each host an enclave (Enclave 1, 2, 3); the pages of all three enclaves live in the PRM]
Performance issues: the PRM size is 128MB in SGX V1.0, so all enclaves loaded at the same time cannot together exceed ~90MB.
Enclave Address Translation
[Figure: the enclave's pages occupy the Enclave Linear Range (ELRANGE) of the virtual address space and are mapped by the per-process page table onto 4KB pages inside the PRM]
This is what we want, but the OS that owns the page table is not trustworthy.
Malicious Address Translation
[Figure: the untrusted page table maps a virtual page outside ELRANGE onto a 4KB physical page inside the PRM]
if (PA belongs to PRM) {
    // check whether the core is in enclave mode
    if (NOT enclave access) {
        return a value 0xfffff
    }
}
Easy to implement in MMU
Malicious Address Translation
[Figure: the untrusted page table maps a 4KB page of ELRANGE onto a physical page outside the PRM]
if (in enclave mode) {
    // compare PA with the PRM range
    if (NOT in PRM) {
        #Signal Fault
    }
}
Also easy to implement in MMU
Malicious Address Translation
[Figure: the untrusted page table maps a 4KB page of ELRANGE onto a PRM page that belongs to a different enclave]
How to block such attacks?
SGX Memory Organization
• Keep page mapping metadata in PRM
• MMU performs extra checks
[Figure: the PRM inside the physical address space, holding 4KB pages]
• Enclave pages (code, data)
• Metadata per enclave
  • enclave page mapping information, enclave thread context information, etc.
Enclave Page Mapping Information
[Figure: ELRANGE pages mapped by the page table into the PRM; the MMU cross-checks each translation against the EPCM]
Enclave Page Cache Mapping (EPCM): stored in PRM, one entry {PA, VA, Enclave ID} per enclave page
if (PA belongs to PRM) {
    // compare the VA of the access with the VA recorded in the EPCM entry for this PA
    if (NOT match) {
        #Signal Fault
    }
}
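The three MMU checks from the malicious-address-translation slides and this EPCM slide combined into one access-control decision, with the EPCM as a table keyed by physical page. This is an added model written for this page, not Intel's hardware logic or SDK code; page-number addresses, the Outcome names and the InELRANGE flag (an enclave's accesses outside its own ELRANGE are treated like non-enclave accesses) are assumptions of the model:

```go
package main

// Constructed model of the SGX access checks, at 4KB-page granularity.

// EPCMEntry is the per-page record kept in the PRM: which physical page,
// which linear address it was added at, and which enclave owns it.
type EPCMEntry struct {
	PA        uint64
	VA        uint64
	EnclaveID uint64
}

// Access is one memory reference as the MMU sees it: the VA being accessed,
// the PA produced by the (untrusted) page table, and the core's mode.
type Access struct {
	VA, PA      uint64
	EnclaveMode bool   // core is executing enclave code
	EnclaveID   uint64 // the executing enclave (if EnclaveMode)
	InELRANGE   bool   // VA lies inside the executing enclave's ELRANGE
}

type Outcome int

const (
	Allow     Outcome = iota
	AbortPage         // non-enclave access to PRM: reads return all ones, writes are dropped
	Fault             // enclave access whose mapping is wrong: signal a fault
)

type MMU struct {
	PRMStart, PRMEnd uint64               // [PRMStart, PRMEnd) in page numbers
	EPCM             map[uint64]EPCMEntry // keyed by PA
}

func (m *MMU) inPRM(pa uint64) bool { return pa >= m.PRMStart && pa < m.PRMEnd }

// Check returns the MMU's decision for one access.
func (m *MMU) Check(a Access) Outcome {
	inPRM := m.inPRM(a.PA)
	// Slide 23 check: outside enclave mode nothing may read or write PRM,
	// whatever the page table says.
	if !a.EnclaveMode {
		if inPRM {
			return AbortPage
		}
		return Allow
	}
	// Assumption beyond the slides: an enclave touching its host app's memory
	// (VA outside ELRANGE) counts as a non-enclave access and gets the same rule.
	if !a.InELRANGE {
		if inPRM {
			return AbortPage
		}
		return Allow
	}
	// Slide 24 check: an ELRANGE page must be backed by PRM.
	if !inPRM {
		return Fault
	}
	// Slides 25 and 27: the EPCM entry for this PA must belong to the executing
	// enclave and must record exactly this VA; otherwise the OS remapped the page.
	e, ok := m.EPCM[a.PA]
	if !ok || e.EnclaveID != a.EnclaveID || e.VA != a.VA {
		return Fault
	}
	return Allow
}
```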
Enclave Page Mapping Information
[Figure: same EPCM diagram as the previous slide]
Problem: pages are allocated and selected by system software.
So far ……
• Once the enclave is initialized correctly, it can be isolated from system software using
  • Hardware access control (supported by the MMU)
  • Hardware support for secure context switch
• How to ensure the initialization is correct?
  • Software attestation (similar to secure boot)
Enclave Initialization
• BIOS sets up the PRM region
[Figure: the PRM reserved inside the physical address space]
Enclave Initialization
• Enclave creation (ECREATE)
[Figure: ECREATE reserves ELRANGE in the virtual address space and places the Enclave 1 metadata in the PRM]
Enclave Initialization
• Add page (EADD)
• Measure (EEXTEND)
[Figure: EADD copies plaintext code/data pages from the app's virtual address space into the PRM, next to the Enclave 1 metadata]
Update mapping information in EPCM
Enclave Measurement
• Hardware generates a cryptographic log of the build process
  • Code, data, stack, and heap contents
  • Location of each page within the enclave
  • Security attributes (e.g., page permissions) and enclave capabilities
• Enclave identity (MRENCLAVE) is a 256-bit digest of the log that represents the enclave
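A simplified model of the build log behind MRENCLAVE, added here as an example (not Intel's record layout, which these slides do not give): EADD logs each page's location and attributes, EEXTEND logs its contents chunk by chunk, and the final digest is the enclave identity. The record tags, the permission encoding and the 256-byte chunk size are assumptions of the model:

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"hash"
)

// Page is one 4KB enclave page as supplied to EADD.
type Page struct {
	Offset uint64     // location of the page within the enclave (offset in ELRANGE)
	Perms  uint8      // security attributes, e.g. r=1, w=2, x=4 (constructed encoding)
	Data   [4096]byte // initial contents (code, data, stack or heap)
}

// Builder accumulates the cryptographic log of the build process.
type Builder struct{ log hash.Hash }

func NewBuilder() *Builder { return &Builder{log: sha256.New()} }

func (b *Builder) record(tag string, fields ...[]byte) {
	b.log.Write([]byte(tag))
	for _, f := range fields {
		b.log.Write(f)
	}
}

func le64(v uint64) []byte {
	buf := make([]byte, 8)
	binary.LittleEndian.PutUint64(buf, v)
	return buf
}

// EAdd logs where the page sits and what it may do, so moving a page or
// changing its permissions changes MRENCLAVE even if the bytes are identical.
func (b *Builder) EAdd(p Page) {
	b.record("EADD", le64(p.Offset), []byte{p.Perms})
}

// EExtend logs the page contents 256 bytes at a time, each chunk with its own
// offset, so a single changed byte anywhere in the page changes MRENCLAVE.
func (b *Builder) EExtend(p Page) {
	for i := 0; i < len(p.Data); i += 256 {
		b.record("EEXTEND", le64(p.Offset+uint64(i)), p.Data[i:i+256])
	}
}

// EInit finalizes the log: the 256-bit digest is the enclave identity, and
// nothing written into the enclave after this point is reflected in it.
func (b *Builder) EInit() [32]byte {
	var mr [32]byte
	copy(mr[:], b.log.Sum(nil))
	return mr
}

// MeasureEnclave runs the whole build for an ordered list of pages.
func MeasureEnclave(pages []Page) [32]byte {
	b := NewBuilder()
	for _, p := range pages {
		b.EAdd(p)
		b.EExtend(p)
	}
	return b.EInit()
}
```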
Enclave Initialization
• Add page (EADD)
• Measure (EEXTEND)
• Init (EINIT)
  • Finalize measurement
• Activate (EENTER)
  • Switch to enclave mode
[Figure: same build diagram: plaintext code/data copied into the PRM next to the Enclave 1 metadata, mapping information updated in the EPCM]
Problem: No measurement after EINIT
Enclave Attestation and Sealing
• HW-based attestation provides evidence that "this is the right application executing on an authentic platform" (approach similar to secure boot attestation)
[Figure: EREPORT produces a HW-signed blob that includes enclave identity information; it is conveyed over a trusted communication channel]
Protect Memory
[Figure: the processor chip diagram from the SGX HW TCB slide: cores with L1/L2, LLC and the integrated memory controller on the chip; memory (DRAM), non-volatile storage and other I/O devices outside it on the system bus]
Confidentiality Protection with Encryption
• Secret key is stored inside the chip
• For freshness, encrypt with a nonce (counter)
• {nonce, ciphertext} per cache block are stored externally in DRAM
Integrity Protection with Hash
• For each cache line: {ciphertext + nonce + hash}
• Problem:
  • Need to store hashes or nonces on-chip → high on-chip storage requirement
  • Too much storage requirement (~64 bits / block) → high off-chip storage requirement
• General solution:
  • Integrity tree (Merkle tree)
Otherwise?
Operations on Merkle Tree
• Only need to store the root node on chip
• How to verify block B1?
• Write to block B3?
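The two questions on this slide worked through in code, as an added example that is not from the original slides: a binary hash tree over memory blocks B0..B3 whose only on-chip state is the root, where VerifyBlock answers "how to verify block B1" and Write answers "write to block B3". SHA-256, the node layout and a power-of-two block count are assumptions:

```go
package main

import "crypto/sha256"

// Tree is the integrity (Merkle) tree: nodes[0] holds the leaf hashes H(block),
// nodes[k] the parents H(left || right), the last level the single on-chip root.
type Tree struct {
	nodes [][][32]byte // everything except the root lives in untrusted DRAM
}

func hashPair(l, r [32]byte) [32]byte {
	return sha256.Sum256(append(l[:], r[:]...))
}

// Build constructs the tree over the blocks (block count assumed a power of two).
func Build(blocks [][]byte) *Tree {
	level := make([][32]byte, len(blocks))
	for i, b := range blocks { level[i] = sha256.Sum256(b) }
	t := &Tree{nodes: [][][32]byte{level}}
	for len(level) > 1 {
		next := make([][32]byte, len(level)/2)
		for i := range next {
			next[i] = hashPair(level[2*i], level[2*i+1])
		}
		t.nodes = append(t.nodes, next)
		level = next
	}
	return t
}

// Root is the one value the chip keeps internally.
func (t *Tree) Root() [32]byte { return t.nodes[len(t.nodes)-1][0] }

// Path returns the sibling hashes from leaf i up to the root: the log2(n)
// values that must be fetched from DRAM to check one block.
func (t *Tree) Path(i int) [][32]byte {
	var path [][32]byte
	for lvl := 0; lvl < len(t.nodes)-1; lvl++ {
		path = append(path, t.nodes[lvl][i^1])
		i >>= 1
	}
	return path
}

// VerifyBlock answers "how to verify block B1": hash the block read from DRAM,
// fold in the fetched siblings up to a root, and compare with the on-chip root.
func VerifyBlock(onChipRoot [32]byte, i int, block []byte, path [][32]byte) bool {
	h := sha256.Sum256(block)
	for _, sib := range path {
		if i&1 == 0 {
			h = hashPair(h, sib)
		} else {
			h = hashPair(sib, h)
		}
		i >>= 1
	}
	return h == onChipRoot
}

// Write answers "write to block B3": recompute the leaf and the log2(n) nodes on
// its path (siblings are reused), then the returned value replaces the on-chip root.
func (t *Tree) Write(i int, block []byte) [32]byte {
	t.nodes[0][i] = sha256.Sum256(block)
	for lvl := 0; lvl < len(t.nodes)-1; lvl++ {
		p := i >> 1
		t.nodes[lvl+1][p] = hashPair(t.nodes[lvl][2*p], t.nodes[lvl][2*p+1])
		i = p
	}
	return t.Root()
}
```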
Next Lecture: Side Channel Introduction