Intel® SGX

Intel® SGX is a new set of instructions from Intel available on Skylake and newer generations of CPUs. Intel® SGX allows applications to run securely and privately without trusting the underlying OS and infrastructure.

Intel SGX Resources

FAQ: General questions

Intel® SGX is an extension to the x86 architecture that allows running applications in a completely isolated secure enclave. Intel SGX applications are isolated not only from other applications running on the same system, but also from the operating system and the hypervisor. The memory of secure enclaves is also encrypted to thwart physical attacks. These security guarantees prevent even system administrators with physical access to the SGX nodes from tampering with the application once it is started.
Intel SGX also supports data sealing which allows enclaves to persist data securely such that the data can only be read by the enclave. Through remote attestation, Intel SGX enables third parties to verify that an application is running inside an enclave with no software tampering.

Intel® SGX is based on memory isolation built into the processor itself along with strong cryptography. The processor tracks which parts of memory belong to which enclave, and ensures that only enclaves can access their own memory.

Data associated with an enclave are stored in a special area in RAM called the Processor Reserved Memory (PRM). The CPU controls access to the PRM and prevents access from unauthorized entities. The PRM holds, among other things, the Enclave Page Cache (EPC) where enclave pages are stored. These pages are only accessible by the enclave they belong to and they are kept encrypted when stored in RAM. When an enclave page is loaded to the CPU package, a Memory Encryption Engine (MEE) transparently decrypts the page.

In some cases, enclaves need to persist state to make it available across enclave invocations. To achieve this, an enclave can encrypt (seal) data using a sealing key and safely store the data on disk. When sealing data one of two available identities needs to be selected. The “enclave identity” specifies that the sealed data can only be decrypted by that very same enclave. The “signer identity” specifies that the sealed data can be decrypted by any enclave signed by the same user.
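To make the two sealing identities concrete, here is an added simulation (not Intel's EGETKEY derivation and not code from Fortanix): the sealing key is modelled as an HMAC over the selected identity, and the enclave measurements and signer value are constructed.

```python
import hashlib, hmac, os

# Added model of the two SGX sealing identities; the sealing key is derived as
# HMAC(root_key, policy || identity). Real EGETKEY also mixes in CPUSVN, ISVSVN,
# attributes and a key ID, so this is an illustration, not Intel's algorithm.
POLICY_MRENCLAVE = 1  # "enclave identity": only this exact enclave build unseals
POLICY_MRSIGNER = 2   # "signer identity": any enclave signed by the same key unseals
ROOT_KEY = os.urandom(32)  # stands in for the CPU's fused root sealing key

def derive_seal_key(policy, mrenclave, mrsigner):
    """Derive the sealing key for an enclave under the selected policy."""
    identity = mrenclave if policy == POLICY_MRENCLAVE else mrsigner
    return hmac.new(ROOT_KEY, bytes([policy]) + identity, hashlib.sha256).digest()

def _keystream(key, nonce, length):
    """Counter-mode keystream from HMAC-SHA256 (toy cipher, enough for the demo)."""
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def seal(policy, mrenclave, mrsigner, plaintext):
    """Encrypt-then-MAC under the policy-derived key; blob = policy|nonce|ct|tag."""
    key = derive_seal_key(policy, mrenclave, mrsigner)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, bytes([policy]) + nonce + ct, hashlib.sha256).digest()
    return bytes([policy]) + nonce + ct + tag

def unseal(mrenclave, mrsigner, blob):
    """Return the plaintext, or None if this enclave's identity cannot open the blob."""
    policy, nonce, ct, tag = blob[0], blob[1:17], blob[17:-32], blob[-32:]
    key = derive_seal_key(policy, mrenclave, mrsigner)
    if not hmac.compare_digest(tag, hmac.new(key, blob[:17] + ct, hashlib.sha256).digest()):
        return None  # wrong identity or tampered blob: the MAC check fails
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

def demo():
    """Constructed identities: two enclave builds from one signer, plus an outsider."""
    signer = hashlib.sha256(b"vendor-signing-key").digest()
    v1, v2 = hashlib.sha256(b"enclave-v1").digest(), hashlib.sha256(b"enclave-v2").digest()
    outsider = hashlib.sha256(b"other-signer").digest()
    secret = b"database credential"
    by_enclave = seal(POLICY_MRENCLAVE, v1, signer, secret)
    by_signer = seal(POLICY_MRSIGNER, v1, signer, secret)
    return {
        "same_build_enclave_policy": unseal(v1, signer, by_enclave) == secret,  # True
        "new_build_enclave_policy": unseal(v2, signer, by_enclave) == secret,   # False
        "new_build_signer_policy": unseal(v2, signer, by_signer) == secret,     # True
        "other_signer_signer_policy": unseal(v2, outsider, by_signer) == secret,  # False
    }
```

The practical consequence is the trade-off shown by `demo()`: enclave identity loses sealed data on every rebuild of the enclave, while signer identity survives upgrades but extends trust to every enclave the same key signs.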

Intel SGX enclaves can be instantiated in nodes that are provisioned and managed by a third party (untrusted) vendor. A party that wishes to deploy some software inside an enclave on such an untrusted node can use remote attestation to verify that their software is indeed deployed within an enclave and the software has not been tampered with. Once an enclave attests itself to the user of the enclave, a secure channel can be established between the two, through which secret keys and sensitive information can be provisioned.
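The checks a relying party performs before trusting an attested enclave, as an added simplified model (not Intel's EPID/ECDSA quote format and not Fortanix code): the quoting enclave's signature is modelled as an HMAC under a key the verifier already trusts, and the measurements, signer and channel keys are constructed values.

```python
import hashlib, hmac, os
from dataclasses import dataclass

# Added model of remote attestation, not Intel's protocol: the enclave binds the hash
# of its ephemeral channel public key into REPORT_DATA, the quoting enclave signs the
# report (modelled as an HMAC under a key the verifier trusts; real quotes carry
# EPID/ECDSA signatures rooted in Intel), and the relying party checks it before provisioning.
QE_KEY = os.urandom(32)  # stands in for the attestation signing key
ATTR_DEBUG = 0x2         # ATTRIBUTES.DEBUG bit: enclave memory is inspectable

@dataclass(frozen=True)
class Quote:
    mrenclave: bytes    # hash of the enclave's initial code and data
    mrsigner: bytes     # hash of the key that signed the enclave
    attributes: int
    report_data: bytes  # 64 bytes chosen by the enclave
    signature: bytes

def build_quote(mrenclave, mrsigner, attributes, channel_pubkey):
    """Enclave side: commit to the channel key, then have the QE sign the report."""
    report_data = hashlib.sha512(channel_pubkey).digest()
    body = mrenclave + mrsigner + attributes.to_bytes(8, "little") + report_data
    return Quote(mrenclave, mrsigner, attributes, report_data,
                 hmac.new(QE_KEY, body, hashlib.sha256).digest())

def verify_quote(quote, expected_mrenclave, expected_mrsigner, channel_pubkey):
    """Relying party: returns (accepted, reason); every check must pass."""
    body = quote.mrenclave + quote.mrsigner + quote.attributes.to_bytes(8, "little") + quote.report_data
    if not hmac.compare_digest(quote.signature, hmac.new(QE_KEY, body, hashlib.sha256).digest()):
        return False, "quote signature invalid"
    if quote.attributes & ATTR_DEBUG:
        return False, "debug enclave: memory is not protected"
    if quote.mrsigner != expected_mrsigner:
        return False, "unexpected signer"
    if quote.mrenclave != expected_mrenclave:
        return False, "unexpected measurement: wrong build or tampered code"
    if not hmac.compare_digest(quote.report_data, hashlib.sha512(channel_pubkey).digest()):
        return False, "channel key is not the one the enclave attested"
    return True, "ok"

def demo():
    signer = hashlib.sha256(b"vendor-signing-key").digest()
    good, modified = hashlib.sha256(b"release-build").digest(), hashlib.sha256(b"other").digest()
    pubkey, other_key = os.urandom(32), os.urandom(32)
    return {
        "genuine": verify_quote(build_quote(good, signer, 0, pubkey), good, signer, pubkey),
        "modified": verify_quote(build_quote(modified, signer, 0, pubkey), good, signer, pubkey),
        "debug": verify_quote(build_quote(good, signer, ATTR_DEBUG, pubkey), good, signer, pubkey),
        "swapped_key": verify_quote(build_quote(good, signer, 0, pubkey), good, signer, other_key),
    }
```

The last check is the one most often forgotten: without the channel key bound into REPORT_DATA, a valid quote from a genuine enclave says nothing about who holds the other end of the "secure" channel.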

A number of side-channel attacks have been published that allow local attackers to read the memory of other processes on the same system, including the memory of hypervisors, operating system kernels, system management code, and SGX enclaves. These attacks can be categorized as controlled channel attacks (e.g., SGX-Step), cache attacks (e.g., CacheQuote), branch prediction attacks (e.g., Bluethunder), speculative execution attacks (e.g., SgxPectre), and L1 terminal faults (e.g., Foreshadow). To mitigate these attacks, Intel has issued microcode patches and updates to the Launch Enclave, Provisioning Enclave, and Quoting Enclave. Furthermore, Intel SGX was designed with the ability to mitigate attacks that might arise in the future (renewability) through its TCB Recovery process.

Fortanix has applied the microcode updates supplied by Intel® and has disabled hyperthreading on all systems. This prevents unauthorized access to the memory of SGX enclaves through side-channel attacks such as the Foreshadow vulnerability. In addition, Fortanix uses widely-known side-channel countermeasures such as “constant-time” code and blinding. For more details on side-channel vulnerabilities, please see our whitepaper.

Intel® SGX allows you to run applications on untrusted infrastructure (for example public cloud) without having to trust the infrastructure provider with access to your applications.

Intel SGX is used in applications across different domains. Fortanix's Self-Defending KMS combines a cryptography engine with key management as a scalable software solution, using SGX to provide the same security as a hardware security module. Signal, the private messenger, uses SGX for private contact discovery, enabling communication across parties without revealing these connections to the company behind Signal. Several blockchain networks including Hyperledger Avalon use SGX to perform computationally-expensive operations off-chain.

Intel SGX-enabled systems, Intel® Xeon® E3 processor family:

  • HP: Z2 Mini G3, Z240 Tower Workstation
  • Supermicro: 5019-MR
  • Dell: PowerEdge R230, PowerEdge R340
  • Lenovo: x3250 M6 Rack Server, ThinkServer RS160 Rack Server
  • Intel: Server System LR1304SPCFSGX1

Major vendors such as ASUS, Dell, Lenovo, HP, SuperMicro, and Intel support SGX in the BIOS of some systems. Check with your supplier if your specific model has BIOS support for SGX, or use the sgx-detect tool to verify support for Intel SGX.

Most Desktop, Mobile (6th generation Core and up) and low-end Server processors (Xeon E3 v5 and up) released since Fall 2015 support SGX. BIOS support is also required. Major vendors such as Lenovo, HP, SuperMicro, and Intel support SGX in the BIOS of some systems. Check with your supplier if your specific model has BIOS support for SGX.

Several cloud providers support Intel SGX. The Microsoft Azure DC-series offer a range of nodes that support SGX and provide different sizes of EPC. IBM Cloud supports SGX through their Bare Metal instances and through the IBM Cloud Data Shield powered by Fortanix. Other cloud providers that support SGX include Alibaba Cloud, OVHcloud, and packet.net (Equinix Metal).

Trusted boot relies on measuring the entire software stack from bootloader to hypervisor to operating system. This theoretically allows you to know exactly which software is running on the system if you're able to compare it to an equivalent reference software stack. Importantly, it does not change the security model of the software stack. A root user still has the same privileges as before, and applications are not isolated from the underlying computing layers.

AMD SME/SEV encrypts a virtual machine's memory from the perspective of the hypervisor. It doesn't otherwise impose isolation between the VM and the hypervisor or between the applications and the OS. While the hypervisor can only see encrypted memory, it can still modify the memory, leaving open an avenue of attack. Also, a root user inside the VM still has the same privileges as before, and applications are not isolated from the underlying computing layers.

TrustZone provides an isolated secure mode for running a set of applications that are isolated from the main software stack. Unlike SGX, TrustZone only provides a single isolation boundary. All applications running in TrustZone can access one another, so a vulnerability in one TrustZone application can lead to another TrustZone application being compromised as well. In SGX, every application runs in its own isolated secure enclave.

Intel® SGX is in essence just a hardware technology. As is always the case with hardware extensions, existing applications don't make use of it and often a software stack is necessary to get the most out of it. The Fortanix Runtime Encryption® platform is the premier software stack for SGX, allowing you to easily secure existing applications as well as develop new SGX-based applications.

Developer questions

To develop applications that utilize Intel SGX, Intel provides the Intel SGX SDK, which supports applications written in C or C++. Alternatively, the Enclave Development Platform is an open-source SDK provided by Fortanix that enables the development of secure SGX applications in Rust, thereby combining the security properties of SGX with the safety features of Rust.

The Fortanix Runtime Encryption platform leverages Intel SGX to enable general-purpose computation on encrypted data. The Fortanix Runtime Encryption platform includes an EnclaveOS that transparently protects applications without requiring any modifications to the application.

The Fortanix Confidential Computing Manager automates the process of deploying, attesting, and managing the enclave application lifecycle. To generate and store sensitive key material, the Fortanix Self-Defending KMS is a scalable key management platform built on HSM-grade security.
