This topic describes how Intel Software Guard Extension (SGX) works and how to install it.

Prerequisites

The instance is of the ebmhfg5 instance family.

Background information

Intel SGX is an architecture extension developed by Intel. SGX protects selected code and data from malicious disclosure or modification by using enclaves, which are encrypted areas of execution in memory.

SGX sets aside one or more ranges of physical memory as Enclave Page Caches (EPCs) and uses the Memory Encryption Engine (MEE) to encrypt data stored within the EPCs. Data stored within EPCs is decrypted only inside the CPU. SGX offers CPU-based security controls. Data remains protected even if the operating system, Virtual Machine Manager (VMM), or Basic Input/Output System (BIOS) becomes compromised.

You can encrypt sensitive data, pass the encrypted data to an enclave in the cloud, and provide the corresponding key to the enclave by using remote attestation. You can then compute over the encrypted data protected by the CPU and have an encrypted result returned. With this feature, you can make use of the powerful cloud computing capabilities with low risks of data disclosure.

Enclave Definition Language (EDL) is the fundamental part of SGX. It defines all enclave interface functions. During the compilation process, the Edger8r tool generates trusted and untrusted proxy/bridge functions based on the functions defined in EDL and performs security checks.

Enclave interface functions can be divided into Enclave Calls (ECALLs) and Outside Calls (OCALLs).
  • ECALL: A call made from the application into an interface function within the enclave, which is defined as a trusted environment.
  • OCALL: A call made from within the enclave to the application, which is defined as an untrusted environment.
// demo.edl
enclave {
        // Add your definition of "secret_t" here
        trusted {
                 public void get_secret([out] secret_t* secret);
        };
        untrusted {
        // This OCALL is for illustration purposes only.
        // It should not be used in a real enclave,
        // unless it is during the development phase
        // for debugging purposes.
        void dump_secret([in] const secret_t* secret);
        };
};

Install SGX by using the installer file

Before you use the installer file to install SGX, you must first install corresponding Linux kernel header files. The installer file includes the SGX driver, Platform Software (PSW), and Software Development Kit (SDK).
Note The default installation directory of Makefile is /opt/intel/ in this example.
  1. Download the applicable SGX installer file. Click here to download the installer file.
  2. Install SGX. For more information about how to install SGX, visit Installation Guide.

Install SGX by using the source code

Before you use the source code to install SGX, you must first install corresponding Linux kernel header files. The installer file includes the SGX driver, PSW, and SDK.
Note The default installation directory of Makefile is /opt/intel/ in this example.
  1. Download the source code from GitHub.
  2. Compile the source code by performing the operations described in the README.md file.