This topic describes how Intel Software Guard Extensions (SGX) works and how to install it.

Background information

Intel SGX is an architecture extension developed by Intel. SGX protects selected code and data from malicious disclosure or modification by using enclaves, which are encrypted areas of execution in memory.

SGX sets aside one or more ranges of physical memory as the Enclave Page Cache (EPC) and encrypts the data stored in the EPC by using the Memory Encryption Engine (MEE). The data stored in the EPC is only decrypted inside the CPU. SGX offers CPU-based security controls. Data remains protected even when the operating system, Virtual Machine Manager (VMM), or Basic Input/Output System (BIOS) is compromised.

You can encrypt sensitive data, pass the encrypted data to the enclave in the cloud, and provision the corresponding key to the enclave through remote attestation. You can then compute over the encrypted data under the protection of the CPU, and the result is returned to you in encrypted form. In this way, you can use the computing power of the cloud with a low risk of data disclosure.

Enclave Definition Language (EDL) is a fundamental part of SGX. An EDL file defines all enclave interface functions. During the build process, the Edger8r tool generates trusted and untrusted proxy/bridge functions from the EDL file and performs security checks.

Enclave interface functions can be divided into Enclave Calls (ECALLs) and Outside Calls (OCALLs).
  • ECALL: A call from the application into an interface function within the enclave, which is defined as a trusted environment.
  • OCALL: A call made from within the enclave to the application, which is defined as an untrusted environment.

// demo.edl
enclave {
    // Add your definition of "secret_t" here
    trusted {
        public void get_secret([out] secret_t* secret);
    };
    untrusted {
        // This OCALL is for illustration purposes only.
        // It should not be used in a real enclave,
        // unless it is during the development phase
        // for debugging purposes.
        void dump_secret([in] const secret_t* secret);
    };
};
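
As an added illustration (not part of the original page and not Edger8r's actual output), the following plain-C model sketches the kind of check a trusted bridge applies to the [out] pointer of get_secret from demo.edl: the caller's buffer must lie entirely outside the enclave, and the trusted function writes to a staging copy that is copied out afterwards. The secret_t layout, enclave_mem, is_outside_enclave, and bridge_get_secret are assumptions of this model; is_outside_enclave stands in for the SDK's sgx_is_outside_enclave.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed stand-in for the secret_t that demo.edl leaves undefined. */
typedef struct { uint8_t key[16]; } secret_t;

/* Model only: this array plays the role of the enclave's address range. */
static uint8_t enclave_mem[4096];

/* Models the SDK's sgx_is_outside_enclave(): 1 only when [p, p+len) lies
   entirely outside the enclave range and the end address does not wrap. */
static int is_outside_enclave(const void *p, size_t len) {
    uintptr_t s = (uintptr_t)p, lo = (uintptr_t)enclave_mem;
    uintptr_t hi = lo + sizeof enclave_mem;
    if (len > UINTPTR_MAX - s) return 0;
    return s + len <= lo || s >= hi;
}

/* Trusted ECALL body; the 0xA5 fill is a constructed sample secret. */
static void get_secret(secret_t *secret) {
    memset(secret->key, 0xA5, sizeof secret->key);
}

/* Simplified trusted bridge for get_secret([out] secret_t* secret).
   Returns 0 on success, -1 when the caller's pointer is rejected. */
int bridge_get_secret(secret_t *dst) {
    /* Reject NULL (a choice of this model) and any buffer touching the enclave. */
    if (dst == NULL || !is_outside_enclave(dst, sizeof *dst)) return -1;
    secret_t *tmp = calloc(1, sizeof *tmp);   /* zeroed trusted staging copy */
    if (tmp == NULL) return -1;
    get_secret(tmp);                          /* trusted code sees only tmp */
    memcpy(dst, tmp, sizeof *tmp);            /* [out]: copy back after the call */
    free(tmp);
    return 0;
}

int main(void) {
    secret_t host_buf = {{0}};
    printf("host buffer:    %d\n", bridge_get_secret(&host_buf));
    printf("enclave buffer: %d\n",
           bridge_get_secret((secret_t *)(enclave_mem + 64)));
    return 0;
}
```

Without the range check, an untrusted caller could hand the ECALL a pointer into enclave memory and have the enclave overwrite its own state during the copy-out.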

Install SGX by using the installer file

Before you use the source code to install SGX, you must first install the corresponding Linux kernel header files. The installer file includes the SGX driver, SGX Platform Software (PSW), and Software Development Kit (SDK).
Note: The default installation directory for Makefile is /opt/intel/.
  1. Download the suitable SGX installer file. Click SGX to download the installer file.
  2. Install SGX. For more information about how to install SGX, visit the Installation Guide.

Install SGX by using the source code

Before you use the source code to install SGX, you must first install the corresponding Linux kernel header files. The installer file includes the SGX driver, PSW, and SDK.
Note: The default installation directory for Makefile is /opt/intel/.
  1. Download the source code from GitHub.
  2. Compile the source code by following the steps described in the README.md file.