Intel SGX preliminary learning and understanding notes (continuously updated)

Some of the concepts  

• SGX（Software Guard eXtensions） Software protection extension ： It's a group. CPU Instruction extension , Can create a Trusted execution environment To protect code and data , Even using root Permissions are also inaccessible . Through this hardware facility , Applications can isolate code and data to achieve security , Mostly applied to Distributed systems in .SGX The implementation of requires a processor 、 Memory management unit 、BIOS、 The driver 、 The runtime environment and other software and hardware cooperate to complete . In addition to providing memory isolation and protection, security properties ,SGX The architecture also supports remote authentication and sealing , It can be used in the design of security software applications and interaction protocols .

•  sgx Overall memory abstraction model （ The figure below ）： Including memory management 、 Layout and organization .PRM（Preserved Random Memory） It's dynamic memory DRAM The middle paragraph is used for SGX The reserved area of , This continuous memory space is at the lowest BIOS Layer and cannot be accessed by any software .EPC（Enclave Page Cache） yes PRM The of loading application data and code assigned by the operating system in 4KB A collection of memory sizes .EPCM（EPC Metadata） It's maintenance EPC Entry address , And contains CPU track EPC Status table of memory page metadata . It ensures that every EPC（4kb page） By a Enclave exclusive .

  

• Trusted execution environment （TEE）：Trusted execution environment Abbreviation , Applied to secure intelligent devices , Secure payment and other fields . It is a safe area in the main processor . It runs in a separate environment and runs in parallel with the operating system . It ensures that TEE The confidentiality and integrity of the code and data loaded in are protected . Protect data and code by using both hardware and software , This parallel system is better than the traditional system ( namely REE, Rich execution environment ) More secure . stay TEE Trusted applications running in can access all the functions of the device's main processor and memory , Hardware isolation protects these components from the host operating system The impact of user installed applications running in .TEE Software and encryption isolation in protect different trusted applications from each other . It can safely handle private information such as password and private key , And ensure that the information will never be leaked to nodes or others , It can also prove that the data has not been tampered with .
• Distributed systems ： It is a group that communicates through the network 、 A system of computer nodes that coordinate work to accomplish common tasks . Distributed systems have emerged to use cheap 、 Ordinary machines do calculations that a single computer can't do 、 Storage tasks . The aim is to use more machines , Processing more data .

• Enclave： Is a protected content container , yes sgx Core technologies , It is used to store application sensitive data and code . When the part of the application that needs to be protected is loaded into enclave after , SGX Protect them from external software . be-all enclave They all reside in EPC(enclave page cache) in .

• EPC(enclave page cache)： This is a protected physical memory area in the system , For storage enclave and SGX data structure .EPC The layout is determined by the specific implementation of the platform , If CPU Support SGX Architecture and encryption protection DRAM (dynamic random access memory) To realize EPC, Then it supports BIOS Keep a paragraph called PRM(processor reserved memory) Memory range .BIOS Allocate by configuring a set of range registers PRM. Concrete PRM and EPC The layout is related to the platform . And depends on BIOS Set up .（ The following figure for PRM、EPC、Enclave Layout diagram ）

SGX

        SGX The protection method is to operate the legal software safely （ Code 、 Data etc. ） Packaged in a enclave in , Protect it from malware . And execute SGX The authority of is very high , No privileged or non privileged software can access enclave, in other words , Once the software and data are in enclave in , Even if the operating system administrator and VMM（Hypervisor） It can't affect enclave Code and data inside .Enclave The security boundary only contains CPU And it itself .

Host application virtual memory view （abort page That is to say prm Area ）

enclave Apply virtual memory view （Enclave Map to EPC The virtual memory of a page is called （enclave linear address range）ELRANGE）