Introducing_Intel_Software_Guard _Extensions_Eclipse_Plugin.htm 4.1 KB

<!--------------------------------------------------------------------------->
<!-- Copyright (c) 2016 Intel Corporation. -->
<!-- -->
<!-- All rights reserved. This program and the accompanying materials -->
<!-- are made available under the terms of the Eclipse Public License v1.0 -->
<!-- which accompanies this distribution, and is available at -->
<!-- http://www.eclipse.org/legal/epl-v10.html -->
<!-- -->
<!-- Contributors: -->
<!-- Intel Corporation - initial implementation and documentation -->
<!--------------------------------------------------------------------------->
<?xml version="1.0" encoding="utf-8"?>
<html xmlns:MadCap="http://www.madcapsoftware.com/Schemas/MadCap.xsd" MadCap:lastBlockDepth="4" MadCap:lastHeight="1175" MadCap:lastWidth="804">
<head><title>What is Intel(R) Software Guard Extensions?</title>
<link href="Resources/Stylesheets/intel_css_styles.css" rel="stylesheet" type="text/css" />
</head>
<body>
<h2>Introducing Intel(R) Software Guard Extensions</h2>
<p>Intel(R) Software Guard Extensions is a new Intel technology whose objective is to enable a high level of protection of secrets. It operates by allocating hardware-protected memory where code and data reside. The protected memory area within an application process is called an enclave. Data within the enclave memory can only be accessed by code that resides within that enclave. Enclave code can be invoked by special instructions.</p>
<p>An enclave can be built and loaded as a shared object.</p>
<p>Throughout this document, Intel(R) SGX refers to Intel(R) Software Guard Extensions.</p>
<p>The design of an Intel(R) SGX application differs from that of a non-Intel(R) SGX application in that it divides the application into two logical parts:</p>
<ul>
<li><i>Trusted</i> part. The code that accesses the secret resides here; it is called an enclave. More than one enclave can exist in an application.</li>
<li><i>Untrusted</i> part. This includes the rest of the modules in the application, that is, those outside an enclave.</li>
</ul>
<p>The trusted components and untrusted components are developed as separate modules.</p>
<p>The trusted part, or enclave, is implemented in C or C++. It is supplied as a collection of functions and data packaged in the form of a dynamically loaded library: a DLL in Windows* OS and a shared object in Linux* OS. It may be supplied either as a pre-built signed library or as a signed shared library built during compilation of the untrusted component.</p>
<p>Enclave functions within an enclave library are wrapped by auto-generated proxy and bridge functions that simplify developers' use of the Intel(R) SGX technology.</p>
<p>The role of these functions is to handle the following tasks:</p>
<ul>
<li>Call an enclave function from untrusted code, also called an ECALL (enclave call).</li>
<li>Call an untrusted function from within an enclave, also called an OCALL (outside call).</li>
<li>Handle interrupts.</li>
<li>Handle exceptions.</li>
</ul>
<p>The proxy and bridge functions are generated by the <code>sgx_edger8r</code> tool provided by the Intel(R) SGX SDK. It reads an <i>edl</i> (Enclave Descriptor Language) file, which describes the functions that form the boundaries between the <i>trusted</i> and <i>untrusted</i> components within the application.</p>
<p>After the enclave is built, a signed version of it is created using the <code>sgx_sign</code> tool, also provided by the Intel(R) SGX SDK. It is this signed version that may be loaded and executed in the encrypted memory.</p>
<p>Enclaves may have some specific properties, which are added as meta-information during the signing process. The meta-information is stored in one XML configuration file per enclave; its details are described in <i>Intel(R) Software Guard Extensions Evaluation SDK for Linux* OS</i>.</p>
</body>
</html>
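The page above says that `sgx_edger8r` reads an edl file describing the trusted/untrusted boundary. The following is an added example, not part of the original help file or the plugin's own code, showing what such a file can look like. The file name `Enclave.edl` and all function names are hypothetical.

```edl
/* Enclave.edl: constructed example; every function name here is an assumption. */
enclave {
    /* ECALLs: enclave functions that untrusted code may call. */
    trusted {
        /* [in, size=len]: the generated bridge copies len bytes from
           untrusted memory into the enclave before the function runs,
           so the enclave works on its own copy of the caller's data. */
        public int ecall_store_secret([in, size=len] const uint8_t *secret,
                                      size_t len);

        /* [out, size=cap]: the bridge allocates cap bytes inside the
           enclave and copies them back to the caller's buffer on return. */
        public int ecall_get_digest([out, size=cap] uint8_t *digest,
                                    size_t cap);
    };

    /* OCALLs: untrusted functions that the enclave may call. */
    untrusted {
        /* [in, string]: a NUL-terminated string copied from enclave
           memory to untrusted memory before the untrusted function runs. */
        void ocall_log([in, string] const char *msg);
    };
};
```

For a file named `Enclave.edl`, `sgx_edger8r` emits `Enclave_t.c`/`Enclave_t.h` for the trusted side and `Enclave_u.c`/`Enclave_u.h` for the untrusted side. A pointer marked `[user_check]` instead of `[in]` or `[out]` is passed through without copying or checking, so the enclave code itself must validate it.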