Intel Software Guard Extension (SGX) is an architecture extension developed by Intel. SGX protects selected code and data from malicious disclosure or modification through the use of enclaves, which are protected areas of execution in the central processing unit (CPU).
SGX sets aside one or more ranges of physical memory as the Enclave Page Cache (EPC) and encrypts the data stored in the EPC using the Memory Encryption Engine (MEE). The data stored in the EPC is only decrypted inside the CPU. SGX offers CPU-based security controls. Data remains protected even when the OS, VMM, or BIOS are compromised.
You can encrypt sensitive data, pass the encrypted data to the enclave in the cloud, and provide the corresponding key to the enclave through remote attestation. Then you can compute over the fully encrypted data protected by the CPU, and the result is returned to you in an encrypted version. In this case, you can make use of the powerful cloud computing with low risk of data disclosure.
Enclave Definition Language (EDL) is the fundamental part of SGX. It defines all enclave interface functions. During the build process, the Edger8r tool generates trusted and untrusted proxy/bridge functions and performs security checks.
Enclave interface functions can be divided into Enclave Calls (ECALLs) and Outside Calls (OCALLs).
- ECALL: A call from the application into an interface function within the enclave, which is defined as a trusted environment.
- OCALL: A call made from within the enclave to the application, which is defined as an untrusted environment.
// Add your definition of "secret_t" here
public void get_secret([out] secret_t* secret);
// This OCALL is for illustration purposes only.
// It should not be used in a real enclave,
// unless it is during the development phase
// for debugging purposes.
void dump_secret([in] const secret_t* secret);
You can install SGX using the installer file or source code including the SGX driver, SGX Platform Software (PSW), and SDK. For either method, you must install corresponding Linux kernel header files.
Note: The default directory for the Makefile in the example is
Download the source code from GitHub.
To compile the source code, follow the steps described in the README.md file.