# Software Guard Extensions (SGX)

Links: [[TEE]]

## See also

- [[Intel SGX Explained]]

## Resources

### (Intel webpage) [Get Started with Intel Software Guard Extensions](https://www.intel.com/content/www/us/en/developer/tools/software-guard-extensions/get-started.html)

### (224-page SDM volume) [Intel® 64 and IA-32 Architectures Software Developer’s Manual, Vol. 3D, Part 4](https://www.intel.com/content/dam/www/public/us/en/documents/manuals/64-ia-32-architectures-software-developer-vol-3d-part-4-manual.pdf)

### (Web directory) [download.01.org/intel-sgx](https://download.01.org/intel-sgx/)

## Repos

- [`intel/linux-sgx`](https://github.com/intel/linux-sgx): Intel SGX for Linux (SDK and platform software)

## Install

### Install SGX driver from package

On [Intel's website](https://01.org/intel-software-guard-extensions/downloads), find the latest “Intel SGX Linux Release” (_not_ “Intel SGX DCAP Linux Release”) and download the “Intel (R) SGX Installers” for your platform. The driver package has `driver` in its name.

Source: [Fortanix installation guide](https://edp.fortanix.com/docs/installation/guide/)

### Install AESM service from package

On the same [Intel download page](https://01.org/intel-software-guard-extensions/downloads), in the same “Intel SGX Linux Release” (again _not_ the DCAP release), download the “Intel (R) SGX Installers” for your platform. The AESM service (`aesmd`) ships in the platform software package, the one with `psw` in its name.
Source: [Fortanix installation guide](https://edp.fortanix.com/docs/installation/guide/)

## Resources

- [Intel's SGX In-depth Architecture](https://scl.engr.uconn.edu/courses/ece6095/lectures/sgx_architecture.pdf): 99-slide technical presentation by Syed Kamran Haider about SGX

## SGX 101

*The very first place to study Intel SGX.*

https://sgx101.gitbook.io/sgx101/

### Attestation

https://sgx101.gitbook.io/sgx101/sgx-bootstrap/attestation

Sometimes enclaves need to collaborate with other enclaves on the same platform, for example to exchange data when one enclave is too small to hold all the information, or to communicate with Intel's own (architectural) enclaves to obtain specific Intel services. The two exchanging enclaves therefore have to prove to each other that they can be trusted.

In other scenarios, when an SGX-enabled ISV client requests secrets from its ISV server (a password management service, for example), the client has to prove to the server that the client application is running on a trusted platform that can process the secrets securely.

Both scenarios require proof of a secured execution environment, and Intel SGX refers to this proving process as attestation. There are two types of attestation, matching the two scenarios above: **Local Attestation** and **Remote Attestation**. A successful local attestation provides an authenticated assertion between two enclaves running on the same platform that they can trust each other and exchange information safely, while remote attestation provides this kind of verification from the ISV client to the ISV server, so that the server can confidently provide the client with the secrets it requested.
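The local attestation exchange described above, worked through as an added example (this is not code from SGX 101, Intel's SDK or the `linux-sgx` repo). It models what `EREPORT` and `EGETKEY` do: the CPU fills in the reporting enclave's identity (MRENCLAVE, MRSIGNER, product ID, SVN) and MACs it under a report key that is derived from the *target* enclave's MRENCLAVE, so only the target, on the same CPU, can check the MAC. The verifier then applies its own trust policy to the authenticated identity. Assumptions, labelled in the code: HMAC-SHA256 stands in for the hardware's AES-128-CMAC, the CPU root secret, enclave measurements, ISV signing key and nonce are all constructed, and `Cpu`, `build_enclave`, `local_attestation` and `demo` are names invented for this model.

```python
"""Local attestation between two enclaves, modelled in plain Python.

Added example, not code from sgx101 or Intel. Assumptions: real hardware
derives the report key with EGETKEY from fused secrets and MACs the REPORT
with AES-128-CMAC; here HMAC-SHA256 from the standard library stands in so
the script runs offline. The property kept is the one that matters: the MAC
key is bound to the TARGET enclave's MRENCLAVE, so only that enclave, on
this CPU, can verify a report. Remote attestation starts the same way,
with the Quoting Enclave as the target.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import NamedTuple, Optional

@dataclass(frozen=True)
class Enclave:
    mrenclave: bytes      # measurement of initial code and data
    mrsigner: bytes       # hash of the ISV's enclave signing key
    isv_prod_id: int
    isv_svn: int          # security version number

def build_enclave(code: bytes, signer: bytes, prod_id: int, svn: int) -> Enclave:
    # Constructed identities: MRENCLAVE = SHA-256 of the code blob.
    return Enclave(hashlib.sha256(code).digest(), hashlib.sha256(signer).digest(), prod_id, svn)

@dataclass(frozen=True)
class ReportBody:
    mrenclave: bytes
    mrsigner: bytes
    isv_prod_id: int
    isv_svn: int
    report_data: bytes    # 64 bytes chosen by the reporting enclave

    def encode(self) -> bytes:
        return (self.mrenclave + self.mrsigner + self.isv_prod_id.to_bytes(2, "little")
                + self.isv_svn.to_bytes(2, "little") + self.report_data)

class Report(NamedTuple):
    body: ReportBody
    mac: bytes

class Cpu:
    """Stand-in for the processor: owns a root secret that software never sees."""

    def __init__(self, seed: bytes) -> None:
        self._root = hashlib.sha256(b"model-root|" + seed).digest()

    def _report_key(self, mrenclave: bytes) -> bytes:
        # EGETKEY(REPORT_KEY): unique per CPU and per enclave identity.
        return hmac.new(self._root, b"REPORT|" + mrenclave, hashlib.sha256).digest()

    def ereport(self, caller: Enclave, target_mrenclave: bytes, report_data: bytes) -> Report:
        # EREPORT: the CPU fills in the caller's identity (software cannot spoof it)
        # and MACs it under the report key of the TARGET named in TARGETINFO.
        body = ReportBody(caller.mrenclave, caller.mrsigner, caller.isv_prod_id,
                          caller.isv_svn, report_data[:64].ljust(64, b"\0"))
        return Report(body, hmac.new(self._report_key(target_mrenclave), body.encode(),
                                     hashlib.sha256).digest())

    def verify_report(self, verifier: Enclave, report: Report) -> bool:
        # Inside the verifier: EGETKEY its own report key and recompute the MAC.
        expected = hmac.new(self._report_key(verifier.mrenclave), report.body.encode(),
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, report.mac)

def local_attestation(cpu: Cpu, prover: Enclave, verifier: Enclave,
                      trusted_signer: bytes, min_svn: int, nonce: bytes) -> Optional[ReportBody]:
    """One direction of local attestation: verifier sends TARGETINFO (its MRENCLAVE) and a
    nonce; prover binds the nonce (in practice a DH public key) into REPORTDATA and calls
    EREPORT; verifier checks MAC, binding and its trust policy. Returns identity or None."""
    challenge = hashlib.sha256(b"challenge|" + nonce).digest()
    report = cpu.ereport(prover, verifier.mrenclave, challenge)
    if not cpu.verify_report(verifier, report):
        return None                 # forged, tampered, or targeted at another enclave
    body = report.body
    if body.report_data[:32] != challenge:
        return None                 # replay of a report from another session
    if body.mrsigner != trusted_signer or body.isv_svn < min_svn:
        return None                 # genuine enclave, but not one this policy trusts
    return body

def demo() -> dict:
    cpu = Cpu(seed=os.urandom(16))
    isv_key = b"constructed ISV signing key"
    trusted = hashlib.sha256(isv_key).digest()
    a = build_enclave(b"enclave A code", isv_key, prod_id=1, svn=3)
    b = build_enclave(b"enclave B code", isv_key, prod_id=2, svn=3)
    c = build_enclave(b"unrelated code", b"other signer", prod_id=9, svn=0)
    nonce = os.urandom(16)
    a_to_b = local_attestation(cpu, a, b, trusted, min_svn=2, nonce=nonce)
    for_b = cpu.ereport(a, b.mrenclave, b"x")                # targeted at B ...
    forged = Report(ReportBody(c.mrenclave, trusted, 1, 3, for_b.body.report_data), for_b.mac)
    return {"a_to_b": a_to_b is not None and a_to_b.mrenclave == a.mrenclave,
            "c_can_verify": cpu.verify_report(c, for_b),       # ... so C's key does not match
            "policy_reject": local_attestation(cpu, c, b, trusted, 2, nonce) is None,
            "forged_accepted": cpu.verify_report(b, forged)}   # MAC covers the whole body
```

Running `local_attestation` in both directions gives the mutual trust the text describes. In the real SDK the two hardware steps are wrapped by `sgx_create_report` (takes the target's `sgx_target_info_t` and the 64-byte report data) and `sgx_verify_report`; the policy checks on MRSIGNER and ISV SVN are the application's job in both the model and the SDK, and skipping them is the classic mistake: an authentic report only proves *which* enclave is talking, not that it should be trusted.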
## [Introduction to SGX (Software Guard Extensions) and SGX Virtualization - Jun Nakajima, Intel](https://www.youtube.com/watch?v=oES6hRhLJRM)

Uploaded [[2017-09-19]]

### Enclave

SGX is a TEE (Trusted Execution Environment).

EPC is the Enclave Page Cache, the protected memory that holds enclave pages.

- Not large, usually ~64 MB; it is carved out of DRAM by the BIOS as Processor Reserved Memory, so it cannot be grown at runtime
- Servers may have more EPC

For more security, many instructions are disabled within the enclave: they fault (#UD) when executed in enclave mode, e.g. `SYSCALL`, `SYSENTER`, `CPUID` and `INT n`.

![[Screen Shot 2022-02-11 at 11.21.54 PM.png]]

- System calls are not available; the enclave has to leave enclave mode and let the untrusted host perform them on its behalf (an OCALL in SDK terms)

### SGX Application Flow

The SGX driver is required:

- It allocates EPC pages and maps the enclave's virtual addresses onto them

![[Screen Shot 2022-02-11 at 11.25.33 PM.png]]

Some research projects run an entire container within an enclave, so that an application does not have to be modified at the source level to run inside one.
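A readiness check that ties the install steps above (driver and AESM packages) to the talk's notes on the driver and the EPC, added here as an example; it is not Intel's, Fortanix's or the talk's code. It relies on facts about Linux: kernel 5.11 and later show the `sgx` and `sgx_lc` (Flexible Launch Control) flags in `/proc/cpuinfo` and log one `sgx: EPC section <start>-<end>` line per EPC section at boot; the in-kernel driver creates `/dev/sgx_enclave`, the legacy out-of-tree driver from the Intel installer creates `/dev/isgx`, the older DCAP driver `/dev/sgx/enclave`; `aesmd` listens on `/var/run/aesmd/aesm.socket`. The sample cpuinfo and dmesg text is constructed, and the function names are this example's own.

```python
"""SGX platform readiness check: CPU flags, EPC size, driver node, AESM socket.

Added example for the install notes and the EPC/driver notes on this page; it is
not Intel's, Fortanix's or the talk's code. Facts relied on: Linux 5.11+ shows the
`sgx` and `sgx_lc` flags in /proc/cpuinfo and logs "sgx: EPC section <start>-<end>"
per EPC section; the in-kernel driver creates /dev/sgx_enclave, the legacy
out-of-tree driver from the Intel installer creates /dev/isgx, the older DCAP
driver /dev/sgx/enclave; aesmd listens on /var/run/aesmd/aesm.socket. The sample
cpuinfo and dmesg text below is constructed, not captured from a real machine.
"""
import os
import re
from typing import Dict, List, Optional, Tuple

DEVICE_CANDIDATES = ["/dev/sgx_enclave", "/dev/sgx/enclave", "/dev/isgx"]
AESM_SOCKET = "/var/run/aesmd/aesm.socket"
EPC_LINE = re.compile(r"sgx: EPC section 0x([0-9a-f]+)-0x([0-9a-f]+)", re.I)


def cpu_sgx_flags(cpuinfo: str) -> Dict[str, bool]:
    """Whether the `sgx` and `sgx_lc` (Flexible Launch Control) flags are present."""
    flags = set()
    for line in cpuinfo.splitlines():
        if line.startswith("flags"):
            flags.update(line.split(":", 1)[1].split())
            break                       # every core reports the same flags
    return {"sgx": "sgx" in flags, "sgx_lc": "sgx_lc" in flags}


def epc_sections(dmesg: str) -> List[Tuple[int, int]]:
    """(start, size) of each EPC section the kernel reported at boot."""
    out = []
    for m in EPC_LINE.finditer(dmesg):
        start, end = int(m.group(1), 16), int(m.group(2), 16)
        out.append((start, end - start + 1))
    return out


def epc_total_mib(dmesg: str) -> float:
    return sum(size for _, size in epc_sections(dmesg)) / (1 << 20)


def first_existing(paths: List[str]) -> Optional[str]:
    for p in paths:
        if os.path.exists(p):
            return p
    return None


def readiness(cpuinfo: str, dmesg: str, devices: List[str], aesm_socket: str) -> Dict[str, object]:
    flags = cpu_sgx_flags(cpuinfo)
    dev = first_existing(devices)
    report: Dict[str, object] = {
        "cpu_sgx": flags["sgx"],
        "flexible_launch_control": flags["sgx_lc"],   # the upstream driver requires it
        "epc_mib": epc_total_mib(dmesg),
        "driver_node": dev,
        "aesm": os.path.exists(aesm_socket),
    }
    report["ready"] = bool(flags["sgx"] and dev and report["aesm"])
    return report


# Constructed samples, not captured from a real machine.
SAMPLE_CPUINFO = "processor\t: 0\nflags\t\t: fpu sse2 sgx sgx_lc avx2\nbugs\t\t: spectre_v1\n"
SAMPLE_DMESG = ("[    0.212] sgx: EPC section 0x70200000-0x75f7ffff\n"
                "[    0.213] sgx: EPC section 0x80000000-0x83ffffff\n")

if __name__ == "__main__":
    with open("/proc/cpuinfo") as f:
        cpuinfo = f.read()
    # dmesg usually needs root; an unprivileged run simply reports 0 MiB of EPC.
    dmesg = os.popen("dmesg 2>/dev/null").read()
    for key, value in readiness(cpuinfo, dmesg, DEVICE_CANDIDATES, AESM_SOCKET).items():
        print(f"{key:24} {value}")
```

Run it after installing the `driver` and `psw` packages: `driver_node` tells you which driver actually took effect (the legacy `/dev/isgx` and the in-kernel `/dev/sgx_enclave` are not interchangeable for the SDK's `urts` library), `aesm` confirms `aesmd` is up, and `epc_mib` makes the EPC limit from the talk concrete for the machine in front of you. A CPU that reports `sgx` but not `sgx_lc` will not work with the upstream driver, which is the usual reason the installer's legacy driver is still needed on older systems.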