Inferensys

Glossary

Intel SGX

Intel Software Guard Extensions (SGX) is a set of security instruction codes built into Intel processors that allows user-level code to allocate private regions of memory, called enclaves, protected from processes running at higher privilege levels.
Developer demonstrating multi-agent tool use, agent tool selection interface on laptop, casual tech demo moment.
HARDWARE-GRADE ISOLATION

What is Intel SGX?

Intel Software Guard Extensions (SGX) is a set of security instruction codes built into Intel processors that allows user-level code to allocate private regions of memory, called enclaves, protected from processes running at higher privilege levels.

Intel SGX is a hardware-based Trusted Execution Environment (TEE) that creates isolated memory regions known as enclaves. These enclaves protect selected code and data from disclosure or modification by the operating system, hypervisor, or BIOS, ensuring data remains confidential and unaltered even if the entire system software stack is compromised.

The security model reduces the Trusted Computing Base (TCB) to the processor itself, excluding the OS and VMM. Remote parties verify an enclave's identity through a cryptographic process called attestation, which generates a hardware-signed measurement of the enclave's initial state, enabling secure provisioning of secrets for confidential computing workloads.

HARDWARE-GRADE ISOLATION

Key Features of Intel SGX

Intel Software Guard Extensions (SGX) provides application-level isolation through hardware-enforced memory encryption, creating private regions called enclaves that protect sensitive code and data from the operating system, hypervisor, and other privileged software.

01

Hardware-Enforced Memory Encryption

SGX creates enclaves—isolated memory regions encrypted at the hardware level. The Memory Encryption Engine (MEE) automatically encrypts and decrypts data as it moves between the processor cache and system RAM, ensuring plaintext data never leaves the CPU package.

  • Protects against cold boot attacks and physical memory snooping
  • Encryption is transparent to application code running inside the enclave
  • Each enclave gets its own encryption key, derived from a fuse key burned into the CPU at manufacturing
128 MB
Max Enclave Page Cache (EPC)
03

Data Sealing

Enclaves are stateless—when the enclave is destroyed, its memory is wiped. Data sealing allows an enclave to securely persist secrets to untrusted storage by encrypting them with a key derived from the enclave's identity.

  • Seal to MRENCLAVE: Data can only be unsealed by the exact same enclave code version
  • Seal to MRSIGNER: Data can be unsealed by any enclave signed by the same authority, enabling seamless upgrades
  • The sealing key is derived from the CPU's fuse key, making it inaccessible to software outside the enclave
04

Controlled Entry and Exit Points

SGX enforces a strict interface between trusted and untrusted code through ECALLs and OCALLs. These are the only ways to cross the enclave boundary, preventing arbitrary memory access from the host application.

  • ECALL: Untrusted code calls a trusted function inside the enclave via a defined entry point
  • OCALL: The enclave temporarily exits to call an untrusted host function (e.g., for system I/O)
  • The processor performs context switching and register sanitization on every boundary crossing to prevent data leaks
05

Side-Channel Attack Resistance

While SGX's threat model excludes physical side-channel attacks, Intel has introduced hardware and microcode mitigations against several classes of speculative execution and cache-timing attacks.

  • L1D and L1TF mitigations: Flush L1 data cache on enclave exit to prevent data leakage
  • Microarchitectural Data Sampling (MDS) fixes: Overwrite store buffers and fill buffers during transitions
  • Asynchronous Enclave Exit (AEX): Saves and clears CPU state when interrupts occur, preventing register-based leaks
  • Intel recommends application-level constant-time programming for defense-in-depth against timing side channels
06

Confidential AI and Private Inference

SGX enables Confidential AI by protecting both the model weights and the inference inputs during active computation. The model is decrypted only inside the attested enclave, and the client's query data remains invisible to the cloud provider.

  • Model Protection: Proprietary model weights are encrypted at rest and only decrypted within the enclave
  • Input Privacy: Client data is encrypted end-to-end from the client to the enclave, bypassing the host OS
  • Frameworks like Open Enclave and Gramine simplify porting existing ML runtimes into SGX enclaves without major code rewrites
INTEL SGX EXPLAINED

Frequently Asked Questions

Clear, technical answers to the most common questions about Intel Software Guard Extensions, covering its architecture, security model, and operational constraints.

Intel Software Guard Extensions (SGX) is a set of security instruction codes built into Intel processors that allows user-level applications to create hardware-enforced private memory regions called enclaves. An enclave protects a specific application's code and data from disclosure or modification by anything outside the enclave, including the operating system, hypervisor, BIOS, and other system software.

SGX works by encrypting a portion of physical RAM to create an Enclave Page Cache (EPC). When the processor accesses enclave memory, dedicated hardware engines transparently encrypt and decrypt data as it moves between the CPU cache and the EPC. This ensures that even an attacker with physical access to the memory bus or full control of the OS cannot read the enclave's plaintext secrets. The enclave's integrity is also protected; any unauthorized modification to the EPC content is detected by the hardware, causing the processor to halt access. The only way to interact with an enclave is through strictly defined entry points called ECALLs and OCALLs, creating a minimal, auditable attack surface.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.