
Vol. 3D 37-1

CHAPTER 37

INTRODUCTION TO INTEL® SOFTWARE GUARD EXTENSIONS

37.1 OVERVIEW

Intel® Software Guard Extensions (Intel® SGX) is a set of instructions and mechanisms for memory accesses added to Intel® Architecture processors. Intel SGX can encompass two collections of instruction extensions, referred to as SGX1 and SGX2, see Table 37-4. The SGX1 extensions allow an application to instantiate a protected container, referred to as an enclave. An enclave is a protected area in the application's address space (see Figure 37-1), which provides confidentiality and integrity even in the presence of privileged malware. Accesses to the enclave memory area from any software not resident in the enclave are prevented. The SGX2 extensions allow additional flexibility in runtime management of enclave resources and thread execution within an enclave.
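As an added example (not part of the SDM text), the C program below decodes the capability enumeration behind the SGX1/SGX2 distinction: CPUID leaf 12H sub-leaf 0 reports which of the two instruction collections the processor supports and the maximum enclave size, and sub-leaves 2 and up enumerate the Enclave Page Cache (EPC) sections that back enclave memory. The decode functions take raw register values so they can be checked against constructed inputs; main reads the live CPUID through GCC/Clang's cpuid.h on x86 only.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* CPUID leaf 12H, sub-leaf 0: which SGX instruction collections the CPU offers. */
struct sgx_caps {
    bool sgx1;                    /* EAX[0]: SGX1 leaf functions present */
    bool sgx2;                    /* EAX[1]: SGX2 leaf functions present */
    unsigned max_size_not64_log2; /* EDX[7:0]: log2 of max enclave size outside 64-bit mode */
    unsigned max_size_64_log2;    /* EDX[15:8]: log2 of max enclave size in 64-bit mode */
};

struct sgx_caps decode_sgx_caps(uint32_t eax, uint32_t edx)
{
    struct sgx_caps c;
    c.sgx1 = (eax & 1u) != 0;
    c.sgx2 = (eax & 2u) != 0;
    c.max_size_not64_log2 = edx & 0xffu;
    c.max_size_64_log2 = (edx >> 8) & 0xffu;
    return c;
}

/* CPUID leaf 12H, sub-leaf n >= 2: one EPC section (EAX[3:0] == 0 ends the list). */
struct epc_section {
    bool valid;    /* EAX[3:0] == 1 marks a valid section */
    uint64_t base; /* physical base: EAX[31:12] gives bits 31:12, EBX[19:0] gives bits 51:32 */
    uint64_t size; /* size in bytes: ECX[31:12] gives bits 31:12, EDX[19:0] gives bits 51:32 */
};

struct epc_section decode_epc_section(uint32_t eax, uint32_t ebx, uint32_t ecx, uint32_t edx)
{
    struct epc_section s;
    s.valid = (eax & 0xfu) == 1u;
    s.base = (uint64_t)(eax & 0xfffff000u) | ((uint64_t)(ebx & 0xfffffu) << 32);
    s.size = (uint64_t)(ecx & 0xfffff000u) | ((uint64_t)(edx & 0xfffffu) << 32);
    return s;
}

int main(void)
{
#if defined(__x86_64__) || defined(__i386__)
    uint32_t a, b, c, d;
    /* CPUID.(EAX=07H,ECX=0):EBX[2] is the SGX feature flag; leaf 12H is only meaningful with it set. */
    if (__get_cpuid_max(0, NULL) < 0x12) { puts("CPUID leaf 12H not available"); return 1; }
    __cpuid_count(7, 0, a, b, c, d);
    if (!(b & (1u << 2))) { puts("SGX not enumerated by CPUID"); return 1; }
    __cpuid_count(0x12, 0, a, b, c, d);
    struct sgx_caps caps = decode_sgx_caps(a, d);
    printf("SGX1=%d SGX2=%d max enclave (64-bit)=2^%u bytes\n", caps.sgx1, caps.sgx2, caps.max_size_64_log2);
    for (uint32_t sub = 2; ; sub++) { /* walk EPC sections until the first invalid entry */
        __cpuid_count(0x12, sub, a, b, c, d);
        struct epc_section s = decode_epc_section(a, b, c, d);
        if (!s.valid) break;
        printf("EPC section %u: base=0x%llx size=0x%llx\n", sub - 2, (unsigned long long)s.base, (unsigned long long)s.size);
    }
    return 0;
#else
    puts("CPUID enumeration is x86-only"); return 1;
#endif
}
```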
Chapter 38 covers the main concepts, objects and data structure formats that interact within the Intel SGX architecture. Chapter 39 covers operational aspects ranging from preparing an enclave, transferring control to enclave code, and programming considerations for the enclave code and system software providing support for enclave execution. Chapter 40 describes the behavior of Asynchronous Enclave Exit (AEX) caused by events while executing enclave code. Chapter 41 covers the syntax and operational details of the instruction and associated leaf functions available in Intel SGX. Chapter 42 describes the interaction of various aspects of the IA32 and Intel® 64 architectures with Intel SGX. Chapter 43 covers Intel SGX support for application debug, profiling and performance monitoring.

37.2 ENCLAVE INTERACTION AND PROTECTION

Intel SGX allows the protected portion of an application to be distributed in the clear. Before the enclave is built, the enclave code and data are free for inspection and analysis. The protected portion is loaded into an enclave where its code and data are measured. Once the application's protected portion of the code and data are loaded into an enclave, it is protected against external software access. An enclave can prove its identity to a remote party and provide the necessary building blocks for secure provisioning of keys and credentials. The application can also request an enclave-specific and platform-specific key that it can use to protect keys and data that it wishes to store outside the enclave.¹

Figure 37-1. An Enclave Within the Application's Virtual Address Space
[Figure: the OS and application code occupy the address space; the application's address space contains an Entry Table and the Enclave, which holds the Enclave Heap, Enclave Stack and Enclave Code.]

1. For additional information, see white papers on Intel SGX at http://software.intel.com/en-us/intel-isa-extensions.