This topic describes what Intel Software Guard Extensions (Intel SGX) is and how to install it.

What is SGX?

SGX is an Intel architecture extension designed to increase the security of application code and data. It lets you partition an application into processor-hardened enclaves: protected areas of execution in memory whose confidentiality and integrity are enforced by the CPU, so that the code and data inside them stay protected even on a compromised platform.

SGX sets aside one or more ranges of physical memory as the Enclave Page Cache (EPC) and encrypts the data stored in the EPC using the Memory Encryption Engine (MEE). EPC data is decrypted only inside the CPU package; on the memory bus and in DRAM it is ciphertext. Because these controls are implemented in the CPU rather than in software, enclave data remains protected even when the OS, VMM, or BIOS is compromised. Note that this threat model covers confidentiality and integrity of enclave memory, not availability: a compromised OS can still refuse to load or schedule an enclave.

Application

You can encrypt sensitive data, pass the encrypted data to an enclave running in the cloud, and provision the corresponding key to the enclave over a channel established through remote attestation, so that the key is released only to an enclave whose identity and measurement you have verified. The enclave decrypts the data only inside its protected memory, computes over it, and returns the result encrypted under a key that only you can use. In this way, you can make use of powerful cloud computing infrastructure with a reduced risk of data disclosure, because the cloud provider's software stack never sees the plaintext.

Enclave Definition Language (EDL)

EDL is a core part of the Intel SGX SDK. An EDL file declares every function that crosses the enclave boundary, together with attributes such as [in] and [out] that tell the SDK how pointer parameters must be marshalled. During the build process, the Edger8r tool reads the EDL file and generates the trusted and untrusted proxy/bridge functions. The generated bridges perform the boundary checks, for example verifying that a buffer passed to the enclave lies entirely outside enclave memory before it is copied in or written back.

Enclave interface functions are divided into Enclave Calls (ECALLs) and Outside Calls (OCALLs).

  • ECALL: A call from the application into an interface function inside the enclave. The enclave is the trusted side of the boundary.
  • OCALL: A call made from within the enclave to a function in the application. The application is the untrusted side of the boundary, so anything passed to an OCALL leaves the enclave's protection.
// demo.edl
enclave {
    // Add your definition of "secret_t" here, for example by including
    // the header that declares it.

    trusted {
        // ECALL: the application calls into the enclave. [out] means the
        // enclave writes to the buffer; the generated bridge checks that the
        // pointer lies outside enclave memory and copies the result out.
        public void get_secret([out] secret_t* secret);
    };

    untrusted {
        // OCALL: the enclave calls out to the application. [in] means the
        // buffer is copied from the enclave into untrusted memory.
        // This OCALL is for illustration purposes only. It should not be
        // used in a real enclave, except during the development phase for
        // debugging purposes, because it hands the secret to untrusted code.
        void dump_secret([in] const secret_t* secret);
    };
};
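To show what the [out] attribute on get_secret buys you, the following is an added, stand-alone model of the trusted bridge that Edger8r generates for that ECALL. It is not code from the page or from the Intel SGX SDK: the enclave boundary is simulated with a static buffer, sgx_is_outside_enclave() is reimplemented over that buffer, and secret_t, ms_get_secret_t, sgx_get_secret and get_secret_proxy are this example's own definitions (named after the SDK's scheme), so it compiles and runs on any host without SGX.

```c
/*
 * Added example (not from the page or the Intel SGX SDK): a model of the
 * trusted bridge Edger8r generates for
 *     public void get_secret([out] secret_t* secret);
 * The enclave address range is simulated by g_enclave_mem; all names below
 * are this example's own definitions.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef enum {
    SGX_SUCCESS                 = 0x0000,
    SGX_ERROR_INVALID_PARAMETER = 0x0002,
    SGX_ERROR_OUT_OF_MEMORY     = 0x0003
} sgx_status_t;

/* secret_t as assumed by this example; the EDL leaves its definition open. */
typedef struct { uint8_t key[32]; } secret_t;

/* ---- simulated enclave memory (stands in for the enclave's EPC range) ---- */
#define ENCLAVE_SIZE 4096
static uint8_t g_enclave_mem[ENCLAVE_SIZE];
static size_t  g_heap_top = 0;            /* bump allocator for trusted scratch buffers */

/* Model of sgx_is_outside_enclave(): 1 if [addr, addr+size) does not touch enclave memory. */
static int sgx_is_outside_enclave(const void *addr, size_t size)
{
    uintptr_t start = (uintptr_t)addr;
    uintptr_t end   = size ? start + size - 1 : start;
    uintptr_t lo    = (uintptr_t)g_enclave_mem, hi = lo + ENCLAVE_SIZE - 1;
    if (end < start) return 0;            /* wrapped range: reject */
    return (end < lo) || (start > hi);
}

static void *enclave_malloc(size_t n)
{
    if (g_heap_top + n > ENCLAVE_SIZE) return NULL;
    void *p = g_enclave_mem + g_heap_top;
    g_heap_top += n;
    return p;
}

static void enclave_free(void *p, size_t n)
{   /* LIFO release is enough for a bridge's scratch buffer */
    if ((uint8_t *)p + n == g_enclave_mem + g_heap_top) g_heap_top -= n;
}

/* ---- trusted side: the ECALL body a developer writes ---- */
static void get_secret(secret_t *secret)
{
    if (secret == NULL) return;                      /* [out] pointers may be NULL */
    for (size_t i = 0; i < sizeof secret->key; i++)  /* placeholder bytes, not key material */
        secret->key[i] = (uint8_t)(0xA5 ^ i);
}

/* Edger8r packs ECALL arguments into one marshalling struct in untrusted memory. */
typedef struct { secret_t *ms_secret; } ms_get_secret_t;

/* Model of the generated trusted bridge sgx_get_secret(). */
static sgx_status_t sgx_get_secret(void *pms)
{
    if (!sgx_is_outside_enclave(pms, sizeof(ms_get_secret_t)))
        return SGX_ERROR_INVALID_PARAMETER;
    ms_get_secret_t *ms = (ms_get_secret_t *)pms;
    secret_t *tmp = ms->ms_secret;                   /* untrusted pointer, read exactly once */
    const size_t len = sizeof(secret_t);
    secret_t *in = NULL;

    /* An [out] buffer must be NULL or lie entirely outside the enclave; otherwise
       the app could make the enclave overwrite its own memory. */
    if (tmp != NULL) {
        if (!sgx_is_outside_enclave(tmp, len)) return SGX_ERROR_INVALID_PARAMETER;
        in = enclave_malloc(len);
        if (in == NULL) return SGX_ERROR_OUT_OF_MEMORY;
        memset(in, 0, len);
    }
    get_secret(in);                                  /* the real body works on the trusted copy */
    if (in != NULL) {
        memcpy(tmp, in, len);                        /* copy out only after the body returns */
        memset(in, 0, len);                          /* scrub the scratch copy (this example's choice) */
        enclave_free(in, len);
    }
    return SGX_SUCCESS;
}

/* ---- untrusted side: the generated proxy the application calls ---- */
typedef uint64_t sgx_enclave_id_t;

static sgx_status_t get_secret_proxy(sgx_enclave_id_t eid, secret_t *secret)
{
    (void)eid;                                       /* single simulated enclave */
    ms_get_secret_t ms = { secret };
    return sgx_get_secret(&ms);                      /* EENTER and dispatch collapsed to a call */
}

static sgx_status_t call_with_app_buffer(secret_t *out) { return get_secret_proxy(1, out); }

/* Hostile case: the app passes an [out] pointer that points into enclave memory. */
static int enclave_pointer_rejected(void)
{
    uint8_t *target = g_enclave_mem + 256;
    uint8_t before[sizeof(secret_t)];
    memcpy(before, target, sizeof before);
    sgx_status_t st = get_secret_proxy(1, (secret_t *)target);
    return st == SGX_ERROR_INVALID_PARAMETER && memcmp(before, target, sizeof before) == 0;
}

int main(void)
{
    secret_t s;
    printf("app buffer: status %d, key[0]=0x%02x\n", call_with_app_buffer(&s), s.key[0]);
    printf("enclave pointer: %s\n", enclave_pointer_rejected() ? "rejected" : "ACCEPTED (bug)");
    return 0;
}
```

The point to take from the model is the order of operations: the bridge reads the untrusted pointer once, rejects it if it overlaps enclave memory, lets the ECALL body write only into a buffer inside the enclave, and copies the result out afterwards. Declaring the parameter as a bare `secret_t*` with no attribute (or `[user_check]`) would skip all of this and leave the checks to you.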

Install SGX using the installer file

You can install SGX using the installer file, which bundles the SGX driver, the SGX Platform Software (PSW), and the SGX SDK. The driver is built against the running kernel, so you must also install the Linux kernel header files that match your kernel version. The procedure is as follows:
Note: In the example, the default installation directory used by the Makefile is /opt/intel/.
  1. Download the SGX installer file.
  2. Follow the steps in the Installation guide.

Install SGX using the source code

You can also build and install SGX from source. The source tree includes the SGX driver, the SGX Platform Software (PSW), and the SGX SDK. As with the installer, you must also install the Linux kernel header files that match your kernel version. The procedure is as follows:
Note: In the example, the default installation directory used by the Makefile is /opt/intel/.
  1. Download the source code from GitHub.
  2. Compile the source code according to the README.md file.