Intel SGX

An SGX enclave is a hardware-isolated region of memory created by an application. The CPU enforces strict access control, preventing any software outside the enclave—including the operating system, hypervisor, and system management mode (SMM)—from reading or writing its private memory pages. This isolation is maintained via Memory Encryption Engine (MEE) and CPU-access control checks, establishing a secure perimeter for sensitive code and data.

Remote Attestation is a cryptographic protocol that allows a remote party (a verifier) to cryptographically verify the identity and integrity of an enclave running on a genuine Intel SGX platform. This process proves:

• The software is running inside a genuine Intel SGX enclave.
• The enclave's initial code and data (MRENCLAVE measurement) are exactly as expected and have not been tampered with.
• The platform holds valid attestation keys provisioned by Intel. This enables trusted services to provision secrets (like API keys) directly to a verified enclave.

Sealing is the process by which an enclave encrypts its persistent data for storage outside the enclave (e.g., on disk). The encryption key is derived from either:

• The enclave's identity (MRENCLAVE), making data accessible only to the exact same enclave code version.
• The author's identity (MRSIGNER), allowing data to be accessed by future versions of the enclave from the same developer. This feature allows enclaves to maintain state across restarts and power cycles without exposing sensitive data to the host filesystem.

A core design goal of SGX is to drastically reduce the Trusted Computing Base. The TCB for an SGX-protected application is limited to:

• The application's code inside the enclave.
• The CPU's SGX implementation (microcode and hardware). Crucially, it excludes the entire operating system, hypervisor, BIOS, and system firmware. This architecture mitigates risk by removing millions of lines of complex system software from the trust boundary.

SGX ensures confidentiality and integrity for code and data during execution, even if the host OS is compromised. The CPU decrypts enclave memory pages only within the on-die cache for processing. Main memory (RAM) holds only encrypted contents. This memory encryption protects against physical attacks like cold boot attacks and software attacks from privileged malware. Execution flow and data within the enclave are shielded from observation and tampering.

Communication between an enclave and the untrusted application hosting it occurs through strictly controlled entry points:

• ECALL (Enclave Call): The untrusted application invokes a predefined function inside the enclave.
• OCALL (Out Call): The enclave calls out to an untrusted function in the hosting application, typically to access OS services (e.g., network, filesystem). The CPU manages the transition between trusted and untrusted execution contexts, sanitizing registers to prevent data leakage. This controlled interface is critical for maintaining the enclave's security boundary.

A Side-Channel Attack is a security exploit that infers secret information from a system by analyzing indirect, physical effects of its operation, rather than exploiting software bugs directly. TEEs like SGX must be designed to resist these attacks.

• Exploitable Channels: Attackers measure timing, power consumption, electromagnetic emissions, or cache access patterns to deduce secrets (e.g., cryptographic keys) from within a protected enclave.
• SGX History: SGX has faced several published side-channel attacks (e.g., CacheZoom, Plundervolt) that highlight the difficulty of creating a perfectly isolated execution environment.
• Mitigation: Requires constant hardware and software co-design, including constant-time algorithms, cache flushing, and microcode updates to address new vulnerabilities.