Intel SGX Resources
Solution BriefIntel and Fortanix Confidential Computing Manager - Joint Solution Brief
White paperRead Fortanix and Intel joint white paper
White paperFortanix Runtime Encryption® Platform
VideoFortanix® and Intel® SGX
CommunityAsk Intel SGX and Runtime Encryption® experts
White paperSide Channels and Runtime Encryption® Solutions with Intel® SGX
Research paperChallenges For Scaling Applications Across Enclaves
White paperIntel SGX Explained - Cryptology ePrint Archive by Srini Devadas
FAQ: General questions
Intel® SGX is an extension to the x86 architecture that allows running applications in completely isolated secure enclaves. Intel® SGX applications are isolated from other applications running on the same system, but also from the operating system, the hypervisor, the system management module as well as the BIOS, and the firmware. The memory of secure enclaves is also encrypted to thwart physical attacks. These security guarantees prevent even system administrators with physical access to the SGX nodes from tampering with the application once it is started. Intel® SGX supports data sealing which allows enclaves to persist data securely such that the data can only be read by the enclave. Through remote attestation, Intel® SGX enables third parties to verify that an application is indeed running inside an enclave and the application has not been tampered with.
Intel® SGX is based on hardware-enforced memory isolation built into the processor itself along with strong cryptography. The processor tracks which parts of memory belong to which enclave, and ensures that only enclaves can access their own memory.
Data associated with an enclave is stored in a special area in RAM called the Processor Reserved Memory (PRM). The CPU controls access to the PRM and prevents access from unauthorized entities. The PRM holds, among other things, the Enclave Page Cache (EPC) where enclave pages are stored. These pages are only accessible by the enclave they belong to and they are kept encrypted when stored in RAM. When an enclave page is loaded to the CPU package, the Memory Encryption Engine (MEE) transparently decrypts the page.
In some cases, enclaves need to persist their state to untrusted storage devices to make it available across enclave invocations. To achieve this, an enclave can encrypt (seal) data using a sealing key and safely store the data on disk. When sealing data, one of two available identities needs to be selected. The “enclave identity” specifies that the sealed data can only be decrypted by that very same enclave. The “signer identity” specifies that the sealed data can be decrypted by any enclave signed by the same user.
Intel® SGX enclaves can be instantiated in nodes that are provisioned and managed by a third-party (untrusted) vendor. A party that wishes to deploy some software inside an enclave on such an untrusted node can use remote attestation to verify that their software is indeed deployed within an enclave and the software has not been tampered with. Once an enclave attests itself to the user of the enclave, a secure channel can be established between the two, through which secret keys and sensitive information can be provisioned.
A number of side-channel attacks have been brought forward that allow local attackers to read the memory of other processes on the same system, including the memory of hypervisors, operating system kernels, system management code, and SGX enclaves. These attacks can be classified into multiple categories. The controlled channel attacks category captures attacks that utilize the untrusted OS’s control over system events such as context switches, memory accesses, TLB flushes, interrupts, and page faults to extract side-channel information. Examples of such attacks include SGX-Step, Nemesis, and Off-Limits. The cache-attacks category refers to attacks that exploit the caching of memory loads from the main memory that leave effects in the system state which are measurable from outside an enclave application. Example attacks in this category include CacheQuote, Malware Guard Extensions, Software Grand Exposure, and MemJam. Branch prediction attacks exploit the fine-grain control flow of running SGX applications by shadowing the branch prediction unit. Example attacks that fall in this category include BranchScope, Bluethunder, and Branch Shadowing. Speculative execution attacks work by mispredicting branches and executing code, that would otherwise not have been executed, in a speculative manner. Example attacks include Spectre, SgxPectre, and SpectreRSB. The transient data cache load category refers to attacks such as Meltdown and Foreshadow that abuse memory accesses that are transiently available due to out-of-order execution of instructions, even if these instructions are later rolled back. Microarchitectural data sampling attacks include CacheOut, CrossTalk, ZombieLoad, and SGAxe and work by exposing information from intermediary buffers of the targeted microarchitecture. Fault injection attacks oftentimes work by dynamically altering the CPU frequency or voltage with the goal of corrupting the computation of enclave applications. Attacks that fall in this category include Plundervolt.
Intel® SGX was designed with the ability to mitigate any attacks that might arise in the future (renewability) through its TCB Recovery process. In general, attack mitigations and security fixes come in four different forms:
- System platform – Microcode updates and BIOS configurations
- SGX platform – Architectural enclaves updates such as to the Launcher Enclave, Provisioning Enclave, and Quoting Enclave
- Software toolchain – Compiler, SDK and related dependencies updates
- Application – Up to the application developer to employ safe programming techniques for enclave code
Fortanix has applied the microcode updates supplied by Intel® and has disabled hyperthreading on all systems. This prevents unauthorized access to the memory of SGX enclaves through side-channel attacks such as the Foreshadow vulnerability. In addition, Fortanix uses widely-known side-channel countermeasures such as “constant-time” code and blinding. For more details on side-channel vulnerabilities, please see our whitepaper.
Intel® SGX allows you to run applications in a confidential and integrity preserving manner on untrusted infrastructure (for example public clouds) without having to trust the infrastructure provider with access to your applications. Example use cases include building ML models and performing data classification, hosting database services, performing data analytics, deploying middleware services such as load balancing, setting up key management services, and many more. See our public container registry for example applications and our support pages on how to deploy these applications .
Intel® SGX is used in applications across different domains. Fortanix's Data Security Manager combines a cryptography engine with key management as a scalable software solution, using SGX to provide the same security as a hardware security module. Signal, the private messenger, uses SGX for private contact discovery, enabling communication across parties without revealing these connections to the company behind Signal. Several blockchain networks including Hyperledger Avalon use SGX to perform computationally expensive operations off-chain.
Intel® SGX enabled processor family; Intel® Xeon® E3
- HP: Z2 Mini G3, Z240 Tower Workstation
- Supermicro: 5019-MR
- Dell: PowerEdge R230, PowerEdge R340
- Lenovo: x3250 M6 Rack Server, ThinkServer RS160 Rack Server
- Intel: Server System LR1304SPCFSGX1
Major vendors such as ASUS, Dell, Lenovo, HP, SuperMicro, and Intel® support SGX in the BIOS of some systems. Check with your supplier if your specific model has BIOS support for SGX, or use the sgx-detect tool to verify support for Intel® SGX.
Most Desktop, Mobile (6th generation Core and up), and low-end Server processors (Xeon E3 v5 and up) released since Fall 2015 support SGX. BIOS support is also required. Major vendors such as Lenovo, HP, SuperMicro, and Intel® support SGX in the BIOS of some systems. Check with your supplier if your specific model has BIOS support for SGX.
Several cloud providers support Intel® SGX. The Microsoft Azure DC-series offer a range of nodes that support SGX and provide different sizes of EPC. IBM Cloud supports SGX through their Bare Metal instances and through the IBM Cloud Data Shield powered by Fortanix. Other cloud providers that support SGX include Alibaba Cloud, OVHcloud, and packet.net (Equinix Metal).
Trusted boot relies on measuring the entire software stack from bootloader to hypervisor to operating system. This theoretically allows you to know exactly which software is running on the system if you're able to compare it to an equivalent reference software stack. Importantly, it does not change the security model of the software stack. A root user still has the same privileges as before, and applications are not isolated from the underlying computing layers.
AMD SME/SEV encrypts a virtual machine's memory from the perspective of the hypervisor. It doesn't otherwise impose isolation between the VM and the hypervisor or between the applications and the OS. While the hypervisor can only see encrypted memory, it can still modify the memory, leaving open an avenue of attack. Also, a root user inside the VM still has the same privileges as before, and applications are not isolated from the underlying computing layers.
TrustZone provides an isolated secure mode for running a set of applications that are isolated from the main software stack. Unlike SGX, TrustZone only provides a single isolation boundary. All applications running in TrustZone can access one another, so a vulnerability in one TrustZone application can lead to another TrustZone being compromised as well. In SGX, every application runs in its own isolated secure enclave.
Intel® SGX is in essence just a hardware technology. As is always the case with hardware extensions, existing applications don't make use of it and often a software stack is necessary to get the most out of it. The Fortanix Runtime Encryption® platform is the premier software stack for SGX, allowing you to easily secure existing applications as well as develop new SGX-based applications.
To develop applications that utilize Intel® SGX, Intel® provides the Intel® SGX SDK, which supports applications written in C or C++. Alternatively, the Enclave Development Platform, is an open-source SDK provided by Fortanix that enables the development of secure SGX applications in Rust. Developing enclave applications using EDP offers a number of benefits:
- Safety: EDP combines the security properties of SGX and the safety features of Rust, in contrast to other SDKs that support unsafe languages, such as C or C++. Developing enclave code using unsafe languages can lead to exposing all secrets with a single memory safety vulnerability.
- Rust compatibility: EDP applications are like Rust native applications and most Rust crates support SGX by default.
- Ease of use: EDP applications support multiple threads, network connections, and do not require explicitly defining enclave entry points or specifying the “untrusted” code of your application, since this is all provided for you.
- Abstraction: Because EDP programs look just like regular Rust programs, supporting enclave platforms other than Intel® SGX (such as AWS Nitro Enclaves) will work in the same way.
The Fortanix Runtime Encryption platform leverages Intel® SGX to enable general-purpose computation on encrypted data. The Fortanix Runtime Encryption platform includes an EnclaveOS that transparently protects applications without requiring any modifications to the application.
The Fortanix Confidential Computing Manager (CCM) automates the process of attesting, deploying, and managing enclave applications throughout their lifecycle. Upon successfully attesting an application, CCM issues a TLS certificate to the application that can be used to establish a secure communication channel with other parties. CCM provides ways of synthesizing applications into workflows and enforces policies controlling how the applications are deployed.
The Fortanix Data Security Manager (DSM) is a data-first multicloud HSM-grade security approach to keep your data secure. DSM offers transparent security of database systems, managing keys via a multitenant Key Management System, data tokenization with FIPS 140-2 level-3 HSM support and many more.