What is Intel(R) Software Guard Extensions?

Introducing Intel(R) Software Guard Extensions

Intel(R) Software Guard Extensions is a new Intel technology, whose objective is to enable a high level of protection of secrets. It operates by allocating hardware-protected memory where code and data reside. The protected memory area within an application process is called an enclave. Data within the enclave memory can only be accessed by code that resides within that enclave. Enclave code can be invoked by special instructions.

An enclave can be built and loaded as a shared object.

Throughout this document, Intel(R) SGX refers to Intel(R) Software Guard Extensions.

An Intel(R) SGX application design is different from the design of non- Intel(R) SGX application as it specifies dividing the application into two logical parts:

Trusted part. The code that accesses the secret resides here and it is called an enclave. More than one enclave can exist in an application.
Untrusted part. This includes the rest of the modules in the application, that is outside in an enclave.

The trusted components and untrusted components are developed as separate modules.

The trusted part or the enclave is implemented in C or C++. It is supplied as a collection of functions and data packaged in the form of a dynamically loaded library, a DLL in Windows* OS and a shared object in Linux* OS. It may be supplied either as a pre-built signed library or as a signed shared library built during compilation of the untrusted component.

Enclave functions within an enclave library are wrapped by auto-generated proxy and bridge functions that simplify the mechanism of using the Intel(R) SGX technology by developers.

The role of these functions is to handle the following tasks:

Call an enclave function from untrusted code, also called an ECALL (enclave call).
Call an untrusted function from within an enclave, also called an OCALL (outside call).
Handle interrupts.
Handle exceptions.

The proxy and bridge functions are generated by the sgx_edger8r tool provided by Intel(R) SGX SDK. It reads an edl file (Enclave Descriptor Language) which describes the functions that form the trusted and untrusted component boundaries within the application.

After the enclave is built, a signed version of it is created using the tool sgx_sign also provided by Intel(R) SGX SDK. It is this signed version may be loaded and executed in the encrypted memory.

Enclaves may have some specific properties which are added as meta-information during the signing process. The meta-information is stored in one configuration xml file per enclave, whose details may be seen in Intel(R) Software Guard Extensions Evaluation SDK for Linux* OS.