Intel® SGX is a new set of instructions from Intel available on Skylake and newer generations of CPUs. Intel® SGX allows applications to run securely and privately without trusting the underlying OS and infrastructure.
What is Intel® SGX?
Intel® SGX is an extension to the x86 architecture that allows running applications in a completely isolated secure enclave.
The application is not only isolated from other applications running on the same system, but also from the Operating System and possible Hypervisor.
This prevents administrators from tampering with the application once it is started.
The memory of secure enclaves is also encrypted to thwart physical attacks.
The technology also supports storing persistent data securely such that it can only be read by the secure enclave.
In addition, you can prove to third parties that your application is running in a secure enclave using remote attestation.
How does it work?
Intel® SGX is based on memory isolation built into the processor itself along with strong cryptography. The processor tracks which parts of memory belong to which enclave, and ensures that only enclaves can access their own memory.
What is Foreshadow?
Foreshadow (INTEL-SA-00161) is a security vulnerability in Intel® processors initially disclosed in August 2018. On systems that have not been patched, this side-channel vulnerability allows local attackers to read memory of other processes on the same system, including memory of hypervisors, operating system kernels, system management code and SGX enclaves.
How does Fortanix mitigate Foreshadow?
Fortanix has applied the microcode updates supplied by Intel® and has disabled hyperthreading on all systems. This prevents unauthorized access to the memory of SGX enclaves using the Foreshadow vulnerability. For more details on side-channel vulnerabilities, please see our whitepaper.
What Intel processor family utilized Intel® SGX technology?
Intel SGX enabled processor family; Intel® Xeon® E3
What Servers are available with Intel® SGX enabled?
What are some of the use cases for Intel® SGX?
Intel® SGX allows you to run applications on untrusted infrastructure (for example public cloud) without having to trust the infrastructure provider with access to your applications.
What are some applications that are using Intel® SGX?
Fortanix's Fortanix Self-Defending KMS combines a cryptography engine with key management as a scalable software solution, using SGX to provide the same securtiy as a hardware security module.
Signal, the private messenger, uses SGX for private contact discovery, allowing you to talk to who you know without revealing these connections to the company behind Signal.
What devices support Intel® SGX?
Most Desktop, Mobile (6th generation Core and up) and low-end Server processors (Xeon E3 v5 and up) released since Fall 2015 support SGX.
BIOS support is also required.
Major vendors such as Lenovo, HP, SuperMicro, and Intel support SGX in the BIOS of some systems.
Check with your supplier if your specific model has BIOS support for SGX.
What server manufacturers support Intel® SGX?
Major vendors such as Lenovo, HP, SuperMicro, and Intel support SGX in the BIOS of some systems. Check with your supplier if your specific model has BIOS support for SGX.
What cloud providers support Intel® SGX?
Only IBM Cloud currently supports Intel® SGX. Visit IBM Cloud Data Shield for more information.
How does SGX compare with TPM-based hardware security technologies such as Intel® TXT and AMD SVM?
Trusted boot relies on measuring the entire software stack from bootloader to hypervisor to operating system.
This theoretically allows you to know exactly which software is running on the system, if you're able to compare it to an equivalent reference software stack.
Importantly, it does not change the security model of the software stack.
A root user still has the same privileges as before, and applications are not isolated from the underlying computing layers.
How does SGX compare with other memory-encryption security technologies such as AMD SME/SEV?
AMD SME/SEV encrypts a virtual machine's memory from the perspective of the hypervisor.
It doesn't otherwise impose isolation between the VM and the hypervisor or between the applications and the OS.
While the hypervisor can only see encrypted memory, it can still modify the memory, leaving open an avenue of attack.
Also, a root user inside the VM still has the same privileges as before, and applications are not isolated from the underlying computing layers.
How does SGX compare with other isolation security technologies such as ARM TrustZone?
TrustZone provides an isolated secure mode for running a set of applications that are isolated from the main software stack.
Unlike SGX, TrustZone only provides a single isolation boundary.
All applications running in TrustZone can access one another, so a vulnerability in one TrustZone application can lead to another TrustZone being compromised as well. In SGX, every application runs in its own isolated secure enclave.
What does Fortanix Runtime Encryption® deliver for Intel® SGX? What is unique about it?
Intel® SGX is in essence just a hardware technology.
As is always the case with hardware extensions, existing applications don't make use of it and often a software stack is necessary to get the most out of it. The Fortanix Runtime Encryption® platform is the premier software stack for SGX, allowing you to easily secure existing applications as well as develop new SGX-based applications.