SGX Detail
SGX Detail
Suncicie 2017.12.18
Words
Enclave
isolated region of code and data within an application’s address space. Only code executing within the
enclave can access data within the same enclave.
Measurement
a cryptographic hash of the code and
data in an enclave at the time it is initialized.
Attestation
the mechanism by which an enclave on
one platform proves to a remote entity, that it was instantiated
correctly.
ECREATE
Allocates a region of virtual memory within
the application for hosting the secure code and data.
EADD
Critical code and data pages are added to the
enclave using EADD.
EEXTEND
Updates the measurement of the enclave to
include the code or data added in EADD.
EINIT
Locks down the contents of the enclave and
ensures that only the code within the enclave has access to
the data regions in the same enclave
How to protect ?
Whenever enclave data leaves the on-package
caches to be written to platform memory, the data is
automatically encrypted and integrity protected
Attestation
SGX uses two related credentials for attestation:
reports and quotes. A report is used to verify the correctness of
enclaves on the local platform, and a quote can be used to reflect
platform and enclave state to entities outside of the platform
Operating
- The keys used for SGX enclaves are generated by the new instruction ‘EGETKEY’. The key is a combination of three factors.
- First are the SGX Security Version Numbers, in which ‘Some of the version numbers indicate the patch level of the relevant phases of the processor boot up and system operations that affect the identity of the SGX instructions’ [3].
- Second is the device ID, which is a 128-bit unique number tied to the processor.
- The last is the ‘Owner Epoch’, which gives the owner the ability to add some more entropy to the keys
- The new instruction ‘EREPORT’ creates a cryptographic report about an enclave which a remote machine will be able to examine to see if it was generated by SGX
- 涉及一个虚拟空间的转换 The enclave executes within an application’s virtual address space.
An enclave is a subset of that address space.
create enclave
- initialization of enclave control structure, allocation of EPC pages (ECREATE)
- ECREATE starts the enclave creation process and initializes the SGX Enclave Control Structure (SECS) which contains global information about the enclave
- As part of ECREATE, system software selects which EPC page to be made an SECS and specifies several attributes of the enclave including the range of protected addresses the enclave can access, the mode of operation (32bit vs 64 bit), processor features supported by the enclave, and finally whether debug access is allowed.(Ecreate命令进行初始化话,对SECS进行初始化初始化的时候确定一些属性,包括Enclave可以访问的那些被保护的地址,Enclave操作的特征,和具备哪些调试功能)
- loading of enclave content into the pages, measurement of the enclave contents (EADD)
- EADD commits EPC pages to an
enclave and records the commitment but not the contents in the
SECS.
- EADD commits EPC pages to an
- finally establishing the enclave identity( EEXTEND, and EINIT)
- After a page has been added to an enclave, software can measure a 256 byte region as determined by the developer by invoking EEXTEND
- ==Each invocation of
EEXTEND adds to the cryptographic log==, a header indicating which region is being measured followed by the 256 bytes of information.
- EExtend 用来measure a 256byte region,然后会加入一个cryptographic的log
- EINIT completes the creation process which
finalizes the enclave measurement and ==establishes the enclave identity(init的作用)==. Until an EINIT is executed, enclave entry is notpermitted
- Correct construction
results in the cryptographic log matching the one built by the
enclave owner in SIGSTRUCT. (cryptographic log 后面会用来跟 Enclave owner做匹配来验证身份)
Init Enclave
- Verifies that SIGSTRUCT is signed using the public key enclosed in the SIGSTRUCT
(Init 感觉几乎是用来创建一个Enclave的身份ID的,已保证它的安全环境) EINIT establishes the sealing identity using the following
steps:- Verifies that SIGSTRUCT is signed using the public key
enclosed in the SIGSTRUCT(先验证PK签名) - Checks that measurement of the enclave matches the measurement of the enclave specified in SIGSTRUCT(再验证的measuremengt是否跟签名里的measurement一样)
- Checks that the enclave’s attributes are compatible with those
specified in SIGSTRUCT(验证enclave里面的一些属性) - Finalizes the measurement of the enclave and records the sealing identity and enclave identity (the sealing authority, product id and security version number) in the SECS
- Verifies that SIGSTRUCT is signed using the public key
The initialization process finalizes the
cryptographic log and establishes the enclave identity and sealing identity used by EGETKEY and EREPORT.
Enclave entry and exiting
- Enclave完整性通过entry 和 exiting 来控制
- Exiting an
enclave must again clear any cached translations referring to the
enclave’s protected address region so that no other software can
use the cached translations to access the enclave’s protected
memory.(进出Enclave都需要清除cached translations信息) - When enclave exit occurs due to an event, the processor
invokes a special internal routine called Asynchronous Exit (AEX)
which saves the enclave register state, clears the registers, sets the
faulting instruction address to a value specified by EENTER. The
ERESUME instruction restores the state back to allow the enclave
to resume execution.(异常时同样通过不同于普通的entry 和 exit 来保护安全)
Synchronous Entry and Exit
- . To execute EENTER, software must supply an
address of a TCS that is part of the enclave to be entered. The TCS
indicates the location inside the enclave to transfer control and
where inside the enclave AEX should store the register state. (TCS 作为Enclave enter 的一部分,它只是了Enclave的位置以传送控制指令,和AEX保存寄存器状态)
Asynchronous Exit (AEX)
- 一般意外或者中断的时候会出现异步的问题
- The process of
securely saving state and establishing the synthetic state is called
an Asynchronous Enclave Exit (AEX). - fter AEX has completed, the logical processor is no longer
in enclave mode and the exiting event is processed normally. (当完成异步退出后,processor恢复正常)
Resuming Execution after AEX
- Unlike EENTER, ERESUME
restores registers and returns control to where execution was
interrupted(所以一般要在程序里写好异常处理,不然exception退出后resume又会到异常)
EPC paging
- The contents of the evicted enclave page must be encrypted
before being written out to main memory(被驱逐出的内容必须要被加密,会放在主存里面) - When evicted enclave page is reloaded into EPC it must have
identical page type, permissions, virtual address, content, and
be associated to the same enclave as at the time of eviction(一些重新加载page的细节,跟计算机组成原理中页面置换相似)
Preparing an enclave page for eviction
- Once an EPC page has been marked as BLOCKED,
the processor prevents any new Translation Lookaside Buffer,
TLB, entries that map that EPC page from being created.(被evitced前要先被标记,被标记BLOCKED的处理器会阻止新的entries进入)
Evicting the enclave page
- System software uses EWB to evict an enclave page that has been prepared for eviction (blocked and no TLB entries referring to the page)(EWB 置换页面命令)
- Assigning a unique version value for the page and recording it in the VA page entry allocated by the system software
- Encrypting the EPC page using the paging encryption key
- Computing a cryptographic MAC over the encrypted page
contents, version counter and the additional metadata for the EPC page - Writing out the encrypted page contents and the metadata
along with the computed MAC to the main memory buffers
passed to the EWB instruction as parameters
The system software must retain the encrypted page
contents, the metadata and the VA entry with this EPC page in
order to reload it back into EPC
(整个过程将内容和相关数据加密后存在主存,用VA记录,并且保证了下次能找到)
Reloading an evicted page
- System software uses ELDU or ELDB to reload an evicted enclave page into the EPC
- The ELDU/ELDB instructions reload the enclave page using
below steps:
- Copy the encrypted enclave page contents to the allocated
EPC page - Verify the MAC on the metadata, version counter from the
specified VA entry and encrypted enclave page contents - If verification succeeds, decrypt the enclave page contents
into the EPC page allocated by system software and clear the
VA entry to prevent any future replay attempts - Update the EPCM associated with the EPC page with the
attributes from the metadata
(用ELDU加载进去密文,然后验证无误后解密)
- Copy the encrypted enclave page contents to the allocated
Data structure
EPCM
EPCM is a secure structure used by the processor to track
the contents of the EPC. The EPCM holds exactly one entry
for each page that is currently loaded into the EPC. EPCM
is not accessible by software, and the layout of EPCM fields
are implementation specific.
(追踪每个page,加密的software无法访问)
SIGSTRUCT
contains information about the enclave from the enclave signer, SIGSTRUCT includes ENCLAVEHASH as SHA256(直接用Enclave的hash作为签名)
EINT Token Structure (EINITTOKEN)
- The EINIT token is used by EINIT to verify that the enclave
is permitted to launch - Contains, for instance, attributes, hash and signer of the
enclave - Authenticated with a cryptographic MAC on EINITTOKEN
using Launch key
Report (REPORT)
- The REPORT structure is the output of the EREPORT instruction
- Attributes of the enclave
- Hash of the enclave
- Signer of the enclave
- A set of data used for communication between the enclave and the target
enclave - A CMAC on the report using report key
- 打包了一些身份验证的信息
Report Target Info (TARGETINFO)
- This structure is an input parameter to the EREPORT instruction. It is
used to identify the enclave which will be able to cryptographically
verify the REPORT structure returned by EREPORT - Contains attributes and hash of target enclave
- 作为EREPORT的输入,它用于识别能够加密验证EREPORT返回的REPORT结构的Enclave….what?
Key Request (KEYREQUEST)
- This structure is an input parameter to the EGETKEY instruction.
- It is used for selecting the appropriate key and any additional
parameters required in the derivation of that key - 用来生成秘钥和导出秘钥需要的参数