SGX
Intel Software Guard Extensions.
GPRs
General purpose registers.
64-bit integer / pointer registers: RAX, RBX, RCX, RDX, RSI, RDI, RBP, RSP, R8, R9, R10, R11, R12, R13, R14, R15.
64-bit special-purpose registers |
---|
RIP - instruction pointer |
RSP - stack pointer |
RFLAGS - status / control bits |
Segment register | Purpose |
---|---|
CS | code segment |
DS | data segment |
ES | extra segment determined by the programmer |
SS | stack segment |
FS | 64-bit FS base |
GS | 64-bit GS base |
The FS and GS registers store segments covering thread-local storage.
FS and GS are segment registers with no processor-defined purpose; the operating system that runs on the processor gives them one. OS kernels commonly use them to reach thread-specific memory: on 64-bit Windows, GS points to operating-system-defined, thread-specific structures, and the Linux kernel uses GS to access CPU-specific (per-CPU) memory.
Feature | Registers | XCR0 bit |
---|---|---|
FPU | FP0 - FP7, FSW, FTW | 0 |
SSE | MM0 - MM7, XMM0 - XMM15, MXCSR | 1 |
AVX | YMM0 - YMM15 | 2 |
MPX | BND0 - BND3 | 3 |
MPX | BNDCFGU, BNDSTATUS | 4 |
AVX-512 | K0 - K7 | 5 |
AVX-512 | ZMM0_H - ZMM15_H | 6 |
AVX-512 | ZMM16 - ZMM31 | 7 |
PK | PKRU | 9 |
RFBM
Requested-feature bitmap: the XSAVE instruction takes an RFBM and writes the registers used by the features whose RFBM bits are set to 1 to a memory area.
RPL
Requested privilege level (rings 0 and 3)
TLS
Thread Local Storage.
GDT 2.7
Global Descriptor Table
TR 2.7
Task Register
TSS 2.7
Task State Segment
IST 2.7
Interrupt Stack Table
PRM 5.1
Processor Reserved Memory (PRM), which is a subset of DRAM that cannot be directly accessed by other software, including system software and SMM code.
SMM
System Management Mode (SMM, sometimes called ring -2 in reference to protection rings) is an operating mode of x86 central processor units (CPUs) in which all normal execution, including the operating system, is suspended. An alternate software system which usually resides in the computer’s firmware, or a hardware-assisted debugger, is then executed with high privileges.
SDM 5
Intel’s Software Developer Manual
PRMRR 5.1
Processor Reserved Memory(PRM) range registers.
EPC 5.1
The Enclave Page Cache, which is a subset of the PRM.
EPCM – The Enclave Page Cache Map
The EPCM is an array with one entry per EPC page, so computing the address of a page's EPCM entry only requires a bitwise shift operation and an addition.
PT 5.1
page type
PT_REG
Regular page type; pages of this type store an enclave's code and data.
PT_SECS
SECS: the SGX Enclave Control Structure. An enclave's identity is almost synonymous with its SECS. The SDM states that each enclave's measurement is stored in its SECS.
ELRANGE
The Enclave Linear Address Range, which is used to map the code and the sensitive data stored in the enclave's EPC pages. ELRANGE is specified using a base address (the BASEADDR field) and a size (the SIZE field) in the enclave's SECS.
SGX Enclave Attributes
The execution environment of an enclave is heavily influenced by the value of the ATTRIBUTES field in the enclave's SECS.
Field | Bits | Description |
---|---|---|
DEBUG | 1 | Opts into enclave debugging features. |
XFRM | 64 | The value of XCR0 (a register in CPU) while this enclave’s code is executed. |
MPX – Memory Protection Extensions
Having XFRM be explicitly specified allows Intel to design new architectural extensions that change the semantics of existing instructions, such as Memory Protection Extensions (MPX).
TCS – Thread Control Structure.
PT_TCS
Each TCS is stored in a dedicated EPC page whose EPCM entry type is PT_TCS.
OENTRY, OFSBASGX, OGSBASGX
The architectural fields in the TCS lay out the context switches performed by a logical processor when it transitions between executing non-enclave and enclave code.
For example, the OENTRY field specifies the value loaded into the instruction pointer (RIP) when the TCS is used to start executing enclave code. The OFSBASGX and OGSBASGX fields specify the base addresses loaded into the FS and GS segment registers, which typically point to Thread Local Storage.
SSA – State Save Area
In the SGX design, the area used to store an enclave thread's execution context while a hardware exception is handled is called a State Save Area (SSA).
OSSA, NSSA
Each TCS references a contiguous sequence of SSAs. The offset of the SSA array (OSSA) field specifies the location of the first SSA in the enclave's virtual address space. The number of SSAs (NSSA) field indicates the number of available SSAs.
SSAFRAMESIZE
Each SSA starts at the beginning of an EPC page, and uses up the number of EPC pages that is specified in the SSAFRAMESIZE field of the enclave's SECS.
ECREATE
ECREATE initializes the newly created SECS using the information in a non-EPC page owned by the system software.
VMCS – Virtual Machine Control Structure
PF – page fault
GP – general protection fault.
EADD
The system software can use EADD instructions to load the initial code and data into the enclave. EADD is used to create both TCS pages and regular pages.
PAGEINFO
EADD reads its input data from a Page Information (PAGEINFO) structure.
PAGEINFO |
---|
SECS |
LINADDR |
SRCPGE |
SECINFO |
The SECINFO field in the PAGEINFO structure is actually a virtual memory address, and points to a Security Information (SECINFO) structure. The SECINFO structure contains the newly allocated EPC page's access permissions (R, W, X) and its EPCM page type (PT_REG or PT_TCS).
LE
After loading the initial code and data pages into the enclave, the system software must use a Launch Enclave (LE) to obtain an EINIT Token Structure.
The LE is a privileged enclave provided by Intel, and is a prerequisite for the use of enclaves authored by parties other than Intel. The LE is cryptographically signed with a special Intel key that is hard-coded into the SGX implementation, and that causes EINIT to initialize the LE without checking for a valid EINIT Token Structure.
Once the SECS's INIT field is set to true, EADD cannot be invoked on that enclave anymore, so the system software must load all the pages that make up the enclave's initial state before executing the EINIT instruction.
EENTER
EENTER performs a controlled jump into enclave code.
#UD – undefined instruction
EENTER can only be executed by unprivileged application software running at ring 3, and results in an undefined instruction (#UD) fault if it is executed by system software.
PEBS – Precise Event Based Sampling
When EENTER enters enclave mode, it suspends some of the processor's debugging features, such as hardware breakpoints and Precise Event Based Sampling (PEBS).
EEXIT – Synchronous Enclave Exit
AEX – Asynchronous Enclave Exit
If a hardware exception occurs while a logical processor is in enclave mode, the processor is taken out of enclave mode using an Asynchronous Enclave Exit (AEX).
AEP – Asynchronous Exit handler Pointer
EWB, ELDU, ELDB
The system software evicts an EPC page using the EWB instruction, which produces all the data needed to load the evicted page back into the EPC at a later time via the ELDU or ELDB instruction. The only difference between ELDU and ELDB is that the latter sets the BLOCKED bit in the page's EPCM entry, whereas the former leaves it cleared.
TLB – Translation look-aside buffer
All memory accesses issued by a CPU core use virtual addresses, which must undergo translation. Address translation requires up to 20 memory accesses, so translation results are cached in the translation look-aside buffer instead of being recomputed on every access.
IPI – Inter-Processor Interrupt
ETRACK
After all desired pages have been blocked, the OS kernel must execute an ETRACK instruction, which directs the SGX implementation to keep track of which logical processors have had their TLBs flushed. If the OS wishes to evict a batch of EPC pages belonging to multiple enclaves, it must issue an ETRACK for each enclave.
VA – Version Array
page version
When EWB evicts the contents of an EPC page, it creates an 8-byte nonce that Intel's documentation calls a page version. SGX's freshness guarantees are built on the assumption that nonces are stored securely, so EWB stores the nonce that it creates inside a Version Array (VA).
Version Arrays are EPC pages that are dedicated to storing nonces generated by EWB. Each VA is divided into slots, and each slot is exactly large enough to store one nonce.
Nonce
Freshness guarantees are typically built on top of a system that already offers guarantees, by adding a unique piece of information to each message. A popular solution for gaining freshness guarantees relies on nonces, single-use random numbers. Nonces are often combined with a message time-stamping and expiration scheme.
EPA
VA pages are allocated using the EPA instruction, which takes in the virtual address of a free EPC page and turns it into a Version Array with empty slots. VA pages are identified by the PT_VA type in their EPCM entries.
PCMD – Page Crypto Metadata structure
PCMD |
---|
SECINFO – Security Information |
EID – enclave ID |
VPN – Virtual page number
Eviction Trees
An evicted page depends on the VA page storing its nonce, and cannot be loaded back into the EPC until the VA page is reloaded as well. The dependency graph created by this relationship is a forest of eviction trees.
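The EWB/ELDU/ELDB, EPA and Version Array mechanics described in the entries above can be modelled in a few dozen lines. The following is an added example written for this page, not code from the Intel SGX Explained paper or from Intel's implementation: HMAC-SHA256 stands in for the hardware's authenticated encryption (the model authenticates but does not encrypt page contents), the PCMD byte layout, the page-type encodings and the random per-platform key are assumptions. It shows why the page version has to live only in the VA slot: a stale copy of an evicted page fails its MAC check once the slot holds a newer nonce, and a page whose VA page has itself been evicted cannot be reloaded until that VA page is back (the eviction-tree dependency).

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

PT_REG, PT_VA = 0, 2            # EPCM page-type encodings (assumed)
PAGE, SLOT = 4096, 8            # a VA page holds 512 eight-byte nonce slots
EMPTY = bytes(SLOT)


@dataclass
class EpcPage:
    page_type: int
    data: bytearray
    eid: int = 0                # owning enclave, recorded in PCMD.EID
    vpn: int = 0                # virtual page number, recorded in PCMD.VPN
    blocked: bool = False       # the EPCM BLOCKED bit


@dataclass(frozen=True)
class EvictedPage:
    """What EWB hands to system software; the nonce is deliberately absent."""
    data: bytes
    pcmd: bytes
    mac: bytes


class Epc:
    def __init__(self):
        self.pages = {}                     # EPC page index -> EpcPage
        self.key = os.urandom(32)           # stands in for the CPU-internal paging key (assumed)

    def _tag(self, nonce, pcmd, data):
        # HMAC-SHA256 stands in for the hardware's authenticated encryption.
        return hmac.new(self.key, nonce + pcmd + data, hashlib.sha256).digest()

    def epa(self, idx):
        """Turn a free EPC page into a Version Array with every slot empty."""
        self.pages[idx] = EpcPage(PT_VA, bytearray(PAGE))

    def _slot(self, va_idx, slot):
        va = self.pages.get(va_idx)
        if va is None:
            raise LookupError("VA page not in EPC: reload it first (eviction tree)")
        if va.page_type != PT_VA:
            raise TypeError("page is not PT_VA")
        return va, slot * SLOT

    def ewb(self, idx, va_idx, slot):
        page = self.pages[idx]
        if page.page_type == PT_REG and not page.blocked:
            raise PermissionError("regular page must be BLOCKED (after ETRACK) before EWB")
        va, off = self._slot(va_idx, slot)
        if va.data[off:off + SLOT] != EMPTY:
            raise ValueError("VA slot already holds a nonce")
        nonce = os.urandom(SLOT)                       # the page version
        va.data[off:off + SLOT] = nonce
        pcmd = bytes([page.page_type, page.eid]) + page.vpn.to_bytes(6, "little")
        data = bytes(page.data)
        del self.pages[idx]                            # the EPC page is free again
        return EvictedPage(data, pcmd, self._tag(nonce, pcmd, data))

    def eld(self, ev, idx, va_idx, slot, blocked=False):
        """ELDU (blocked=False) or ELDB (blocked=True): check freshness, then reload."""
        va, off = self._slot(va_idx, slot)
        nonce = bytes(va.data[off:off + SLOT])
        if nonce == EMPTY:
            raise ValueError("VA slot empty: nothing evicted here, or already reloaded")
        if not hmac.compare_digest(self._tag(nonce, ev.pcmd, ev.data), ev.mac):
            raise ValueError("MAC mismatch: stale or tampered copy rejected")
        va.data[off:off + SLOT] = EMPTY                # the nonce is single-use
        vpn = int.from_bytes(ev.pcmd[2:8], "little")
        self.pages[idx] = EpcPage(ev.pcmd[0], bytearray(ev.data), ev.pcmd[1], vpn, blocked)
        return self.pages[idx]


def replay_is_rejected():
    """Evict, reload, evict again, then offer the first (stale) copy: it must fail."""
    epc = Epc()
    epc.epa(0)
    epc.pages[1] = EpcPage(PT_REG, bytearray(b"secret".ljust(PAGE, b"\0")), 7, 0x1234, True)
    first = epc.ewb(1, 0, 3)
    epc.eld(first, 1, 0, 3, blocked=True)              # ELDB: page returns BLOCKED
    second = epc.ewb(1, 0, 3)                          # a fresh nonce now sits in slot 3
    try:
        epc.eld(first, 1, 0, 3)
        return False
    except ValueError:
        pass
    page = epc.eld(second, 1, 0, 3)                    # ELDU: the genuine latest copy
    return bytes(page.data[:6]) == b"secret" and not page.blocked and page.vpn == 0x1234


def va_reloads_before_child():
    """Evicting a VA page makes its dependants unloadable until it is reloaded."""
    epc = Epc()
    epc.epa(0)
    epc.epa(2)
    epc.pages[1] = EpcPage(PT_REG, bytearray(PAGE), 7, 0x55, True)
    child = epc.ewb(1, 0, 0)                           # page 1's nonce -> VA0, slot 0
    parent = epc.ewb(0, 2, 0)                          # VA0 itself -> VA2, slot 0
    try:
        epc.eld(child, 1, 0, 0)
        return False
    except LookupError:
        pass
    epc.eld(parent, 0, 2, 0)                           # restore the VA page first
    return epc.eld(child, 1, 0, 0).vpn == 0x55
```

Both scenario functions return True when the model behaves as the entries describe. The design point to notice is that nothing the system software holds (the page bytes, the PCMD, the MAC) is enough to reload a page; the slot contents, which only the CPU writes and clears, decide whether a copy is the current one.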
SGX Enclave Measurement
The measurement of an SGX enclave is obtained by computing a secure hash over the inputs to the ECREATE, EADD, and EEXTEND instructions used to create the enclave and load the initial code and data into its memory. EINIT finalizes the hash that represents the enclave's measurement.
SGX uses the 256-bit SHA-2 secure hash function (SHA-256) to compute its measurements. SHA-2 is a block hash function that operates on 64-byte blocks, uses a 32-byte internal state, and produces a 32-byte output. Each enclave's measurement is stored in the MRENCLAVE field of the enclave's SECS. The 32-byte field stores the internal state and final output of the 256-bit SHA-2 secure hash function.
Measuring ECREATE
64-byte block extended into MRENCLAVE by ECREATE
OFFSET | SIZE | Description |
---|---|---|
0 | 8 | “ECREATE\0” |
8 | 8 | SECS.SSAFRAMESIZE |
16 | 8 | SECS.SIZE |
32 | 32 | 32 zero(0) bytes |
Measuring Enclave Attributes
The enclave's measurement does not include the enclave attributes. Instead, they are included directly in the information that is covered by the attestation signature.
Measuring EADD
64-byte block extended into MRENCLAVE by EADD
Table 5.5: 64-byte blocks extended into MRENCLAVE by EADD. The ENCLAVEOFFSET is computed by subtracting the BASEADDR in the enclave's SECS from the LINADDR field in the PAGEINFO structure.
OFFSET | SIZE | Description |
---|---|---|
0 | 8 | “EADD\0\0\0\0” |
8 | 8 | ENCLAVEOFFSET |
16 | 48 | SECINFO (first 48 bytes) |
Measuring EEXTEND
The EEXTEND instruction exists solely for the purpose of measuring data loaded inside the enclave's EPC pages.
Table 5.6: 64-byte blocks extended into MRENCLAVE by EEXTEND. The ENCLAVEOFFSET is computed by subtracting the BASEADDR in the enclave's SECS from the LINADDR field in the PAGEINFO structure.
OFFSET | SIZE | Description |
---|---|---|
0 | 8 | “EEXTEND\0” |
8 | 8 | ENCLAVEOFFSET |
16 | 48 | 48 zero (0) bytes |
64 | 64 | bytes 0 - 64 in the chunk |
128 | 64 | bytes 64 - 128 in the chunk |
192 | 64 | bytes 128 - 192 in the chunk |
256 | 64 | bytes 192 - 256 in the chunk |
Measuring EINIT
The EINIT instruction concludes the enclave building process. After EINIT is successfully invoked on an enclave, the enclave’s contents are “sealed”, meaning that the system software cannot use the EADD instruction to load code and data into the enclave, and cannot use the EEXTEND instruction to update the enclave’s measurement.
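The enclave-building steps described earlier (ELRANGE, PAGEINFO/SECINFO, the INIT field) and the four measurement tables above can be run end to end as one model. The following is an added example written for this page, not code from the Intel SGX Explained paper or from Intel: the SECINFO byte layout, the page-type and permission encodings, little-endian packing of the numeric fields, zero-filling bytes 24..31 of the ECREATE block (which the table does not describe) and hashing the raw 384-byte MODULUS field for MRSIGNER are all assumptions of the model. It demonstrates that MRENCLAVE depends on ENCLAVEOFFSET rather than on the load address, and that EINIT seals the enclave against further EADD and EEXTEND.

```python
import hashlib
import struct
from dataclasses import dataclass, field

PT_REG, PT_TCS = 0, 1             # EPCM page-type encodings (assumed)
FLAG_R, FLAG_W, FLAG_X = 1, 2, 4  # SECINFO permission bits (assumed)
PAGE = 4096


def secinfo_bytes(flags: int, page_type: int) -> bytes:
    """64-byte SECINFO: flags in byte 0, EPCM page type in byte 1, rest zero
    (layout assumed). Only its first 48 bytes enter the measurement."""
    return bytes([flags, page_type]) + bytes(62)


@dataclass
class SECS:
    base_addr: int                    # BASEADDR: start of ELRANGE
    size: int                         # SIZE: length of ELRANGE
    ssa_frame_size: int               # SSAFRAMESIZE, in pages
    init: bool = False                # INIT: set by EINIT, seals the enclave
    hasher: object = field(default_factory=hashlib.sha256)  # running MRENCLAVE state
    epcm: dict = field(default_factory=dict)   # ENCLAVEOFFSET -> (page type, flags)
    pages: dict = field(default_factory=dict)  # ENCLAVEOFFSET -> page contents
    mrenclave: bytes = b""


def _extend(secs: SECS, block: bytes) -> None:
    """Feed one 64-byte block into the enclave's SHA-256 measurement."""
    if len(block) != 64:
        raise ValueError("MRENCLAVE is extended in 64-byte blocks")
    secs.hasher.update(block)


def ecreate(base_addr: int, size: int, ssa_frame_size: int) -> SECS:
    secs = SECS(base_addr, size, ssa_frame_size)
    # "ECREATE\0" | SSAFRAMESIZE | SIZE | zero bytes up to 64 (Table 5.4 on the page).
    block = b"ECREATE\0" + struct.pack("<QQ", ssa_frame_size, size)
    _extend(secs, block.ljust(64, b"\0"))
    return secs


def eadd(secs: SECS, linaddr: int, flags: int, page_type: int, src_page: bytes) -> int:
    """Load one page from a non-EPC source page; returns its ENCLAVEOFFSET."""
    if secs.init:
        raise PermissionError("INIT is set; EADD is no longer allowed")
    if linaddr % PAGE or not (secs.base_addr <= linaddr < secs.base_addr + secs.size):
        raise ValueError("LINADDR must be a page-aligned address inside ELRANGE")
    if len(src_page) != PAGE:
        raise ValueError("SRCPGE must be exactly one page")
    offset = linaddr - secs.base_addr             # ENCLAVEOFFSET = LINADDR - BASEADDR
    secs.epcm[offset] = (page_type, flags)
    secs.pages[offset] = bytes(src_page)
    _extend(secs, b"EADD\0\0\0\0" + struct.pack("<Q", offset) + secinfo_bytes(flags, page_type)[:48])
    return offset


def eextend(secs: SECS, linaddr: int) -> None:
    """Measure the 256-byte chunk at LINADDR, which EADD must already have loaded."""
    if secs.init:
        raise PermissionError("INIT is set; EEXTEND is no longer allowed")
    if linaddr % 256:
        raise ValueError("EEXTEND works on 256-byte aligned chunks")
    offset = linaddr - secs.base_addr
    page_off, chunk_off = offset - offset % PAGE, offset % PAGE
    chunk = secs.pages[page_off][chunk_off:chunk_off + 256]
    # Header block, then the chunk as four 64-byte blocks (Table 5.6 on the page).
    _extend(secs, b"EEXTEND\0" + struct.pack("<Q", offset) + bytes(48))
    for i in range(0, 256, 64):
        _extend(secs, chunk[i:i + 64])


def einit(secs: SECS) -> bytes:
    """Finalize the measurement and seal the enclave (INIT := true)."""
    secs.init = True
    secs.mrenclave = secs.hasher.digest()
    return secs.mrenclave


def mrsigner(modulus: bytes) -> bytes:
    """Signer measurement: SHA-256 over the 384-byte SIGSTRUCT MODULUS field as stored."""
    if len(modulus) != 384:
        raise ValueError("SIGSTRUCT MODULUS is 384 bytes")
    return hashlib.sha256(modulus).digest()


def build_enclave(code: bytes, base: int = 0x7000_0000, size: int = 0x10_0000) -> bytes:
    """Create an enclave with one fully measured R+X code page; returns MRENCLAVE."""
    secs = ecreate(base, size, ssa_frame_size=1)
    eadd(secs, base, FLAG_R | FLAG_X, PT_REG, code.ljust(PAGE, b"\0"))
    for off in range(0, PAGE, 256):
        eextend(secs, base + off)
    return einit(secs)


if __name__ == "__main__":
    print(build_enclave(b"enclave code").hex())
```

Because the EADD and EEXTEND blocks carry ENCLAVEOFFSET rather than LINADDR, build_enclave() yields the same MRENCLAVE whatever BASEADDR the system software picks; changing a single byte of the code, the permissions in SECINFO, or SSAFRAMESIZE changes it. After einit() both eadd() and eextend() raise, mirroring the sealing described above.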
Enclave identity fields in the SIGSTRUCT enclave certificate.
Field | Bytes | Description |
---|---|---|
ENCLAVEHASH | 32 | Must equal the enclave's measurement |
ISVPRODID | 32 | Differentiates modules signed by the same public key |
ISVSVN | 32 | Differentiates versions of the same module |
VENDOR | 4 | Differentiates Intel enclaves |
ATTRIBUTES | 16 | Constrains the enclave's attributes |
ATTRIBUTEMASK | 16 | Constrains the enclave's attributes |
The format of the RSA signature used in a SIGSTRUCT enclave certificate.
Field | Bytes | Description |
---|---|---|
MODULUS | 384 | RSA key modulus |
EXPONENT | 4 | RSA key public exponent |
SIGNATURE | 384 | RSA signature |
Q1 | 384 | Simplified RSA signature verification |
Q2 | 384 | Simplified RSA signature verification |
ISVPRODID
ISVSVN
The modulus of the RSA key used to sign the certificate (MODULUS), the enclave's product ID (ISVPRODID) and the security version number (ISVSVN).
MRSIGNER
MRENCLAVE
SGX does not use the entire modulus of a key, but rather a 256-bit SHA-2 hash of the modulus. This is called a signer measurement (MRSIGNER), to parallel the name of the enclave measurement (MRENCLAVE) for the SHA-2 hash that identifies an enclave's contents.
SVN – Security version numbers
The SGX design disallows the migration of secrets from an enclave with a higher SVN to an enclave with a lower SVN. A software module’s SVN should only be incremented when a security vulnerability is found. The SIGSTRUCT only allocates 2 bytes to the ISVSVN field, which translates to 65,536 possible SVN values.
The SGX implementation itself has a security version number (CPUSVN), which is used in the key derivation process implemented by EGETKEY, in addition to the enclave’s identity information. CPUSVN is a 128-bit value that, according to the SDM, reflects the processor’s microcode update version.
An SGX patent discloses that CPUSVN is a concatenation of small integers representing the SVNs of the various components that make up SGX’s implementation.
A subset of the fields in the KEYREQUEST structure
Field | Bytes | Description |
---|---|---|
KEYNAME | 2 | The desired key type; secret migration uses Seal keys |
KEYPOLICY | 2 | The identity information (MRENCLAVE and/or MRSIGNER) |
ISVSVN | 2 | The enclave SVN used in derivation |
CPUSVN | 16 | The SGX implementation SVN used in derivation |
ATTRIBUTEMASK | 16 | Selects which enclave attributes are used in derivation |
KEYID | 32 | Random bytes |
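The SVN rule stated above (no migration of secrets from a higher SVN to a lower one) and the KEYREQUEST fields in the table can be modelled together as a small EGETKEY. The following is an added example written for this page, not code from the Intel SGX Explained paper or from Intel: the HMAC-SHA256 derivation, the KEYNAME/KEYPOLICY/DEBUG bit encodings, CPUSVN represented as a tuple of per-component SVNs, and the random stand-in for the e-fuse Seal Secret are all assumptions of the model. It shows that a patched enclave (higher ISVSVN) can still derive the key its older version sealed with, the older version cannot derive the newer key, MRSIGNER-policy keys are shared across a vendor's builds while MRENCLAVE-policy keys are not, and masking DEBUG out of ATTRIBUTEMASK lets a debug build reach the production seal key.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

KEYNAME_SEAL = 4                              # KEYNAME encoding (assumed)
POLICY_MRENCLAVE, POLICY_MRSIGNER = 1, 2      # KEYPOLICY bits (assumed)
ATTR_DEBUG = 1 << 1                           # ATTRIBUTES.DEBUG bit position (assumed)


@dataclass(frozen=True)
class Enclave:
    """Identity fields EGETKEY reads from the calling enclave's SECS."""
    mrenclave: bytes
    mrsigner: bytes
    isvprodid: int
    isvsvn: int
    attributes: int


@dataclass(frozen=True)
class KeyRequest:
    """The KEYREQUEST fields listed in the table above."""
    keyname: int
    keypolicy: int
    isvsvn: int
    cpusvn: tuple            # one small integer per SGX implementation component
    attributemask: int
    keyid: bytes


class Platform:
    def __init__(self, cpusvn: tuple):
        self.cpusvn = cpusvn
        self.seal_secret = os.urandom(32)     # stands in for the e-fuse Seal Secret

    def egetkey(self, enclave: Enclave, req: KeyRequest) -> bytes:
        if req.keyname != KEYNAME_SEAL:
            raise ValueError("this model derives Seal keys only")
        # An enclave may derive keys for its own SVN or an older one, never a newer one:
        # that is what keeps secrets from flowing to a version with a known vulnerability.
        if req.isvsvn > enclave.isvsvn:
            raise PermissionError("ISVSVN newer than the calling enclave's own")
        if len(req.cpusvn) != len(self.cpusvn) or any(r > c for r, c in zip(req.cpusvn, self.cpusvn)):
            raise PermissionError("CPUSVN newer than the running SGX implementation")
        ident = enclave.isvprodid.to_bytes(2, "little")
        if req.keypolicy & POLICY_MRENCLAVE:
            ident += enclave.mrenclave
        if req.keypolicy & POLICY_MRSIGNER:
            ident += enclave.mrsigner
        material = (b"SEAL" + ident + req.isvsvn.to_bytes(2, "little") + bytes(req.cpusvn)
                    + (enclave.attributes & req.attributemask).to_bytes(16, "little") + req.keyid)
        # HMAC-SHA256 is this model's KDF; the real derivation happens inside the CPU.
        return hmac.new(self.seal_secret, material, hashlib.sha256).digest()[:16]


def seal_key(plat, enclave, policy, isvsvn, attributemask=0xFFFF):
    req = KeyRequest(KEYNAME_SEAL, policy, isvsvn, plat.cpusvn, attributemask, b"\x11" * 32)
    return plat.egetkey(enclave, req)


def svn_rules_hold():
    """v2 (patched) recovers v1's seal key; v1 cannot derive v2's; the two keys differ."""
    plat = Platform(cpusvn=(3, 1, 2))
    signer = hashlib.sha256(b"vendor modulus").digest()
    v1 = Enclave(hashlib.sha256(b"v1 code").digest(), signer, 9, 1, 0)
    v2 = Enclave(hashlib.sha256(b"v2 code").digest(), signer, 9, 2, 0)
    k1 = seal_key(plat, v1, POLICY_MRSIGNER, 1)
    upgrade_ok = seal_key(plat, v2, POLICY_MRSIGNER, 1) == k1
    try:
        seal_key(plat, v1, POLICY_MRSIGNER, 2)
        downgrade_blocked = False
    except PermissionError:
        downgrade_blocked = True
    return upgrade_ok and downgrade_blocked and seal_key(plat, v2, POLICY_MRSIGNER, 2) != k1


def policy_rules_hold():
    """MRSIGNER shares keys across a vendor's builds, MRENCLAVE binds them to exact code,
    and leaving DEBUG in the mask keeps debug and production keys apart."""
    plat = Platform(cpusvn=(3, 1, 2))
    signer = hashlib.sha256(b"vendor modulus").digest()
    a = Enclave(hashlib.sha256(b"build a").digest(), signer, 9, 1, 0)
    b = Enclave(hashlib.sha256(b"build b").digest(), signer, 9, 1, 0)
    debug_a = Enclave(a.mrenclave, signer, 9, 1, ATTR_DEBUG)
    shared = seal_key(plat, a, POLICY_MRSIGNER, 1) == seal_key(plat, b, POLICY_MRSIGNER, 1)
    distinct = seal_key(plat, a, POLICY_MRENCLAVE, 1) != seal_key(plat, b, POLICY_MRENCLAVE, 1)
    debug_separated = seal_key(plat, a, POLICY_MRENCLAVE, 1) != seal_key(plat, debug_a, POLICY_MRENCLAVE, 1)
    mask_leaks = seal_key(plat, a, POLICY_MRENCLAVE, 1, 0) == seal_key(plat, debug_a, POLICY_MRENCLAVE, 1, 0)
    return shared and distinct and debug_separated and mask_leaks
```

Both check functions return True when the model follows the rules in the text. The last comparison in policy_rules_hold() is the one worth remembering when writing sealing code: an ATTRIBUTEMASK that drops DEBUG makes a debuggable build of the same enclave derive the production key, so the mask should keep the attribute bits that matter for the secret's security.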
TPM – Trusted Platform Module
Quoting Enclave
The cryptographic primitive used in SGX’s attestation signature is too complex to be implemented in hardware, so the signing process is performed by a privileged Quoting Enclave, which is issued by Intel, and can access the SGX attestation key.
TARGETINFO – Report Target Info
EREPORT requires the virtual address of a Report Target Info structure that contains the measurement-based identity and attributes of the target enclave.
Provisioning Secret
Seal Secret
During the manufacturing process, an SGX-enabled processor communicates with Intel's key generation facility, and has two secrets burned into e-fuses, which are a one-time programmable storage medium that can be economically included on a high-performance chip's die. We shall refer to the secrets stored in e-fuses as the Provisioning Secret and the Seal Secret.
EPID
The Attestation Key uses Intel’s Enhanced Privacy ID (EPID) cryptosystem, which is a group signature scheme that is intended to preserve the anonymity of the signers.
NB
EPID name based(NB) Quotes only leave the platform encrypted with an Intel public key.
LE – Launch Enclave
Launch Enclave is an enclave issued by Intel that gets to approve every other enclave before it is initialized by EINIT. The SGX design requires that all enclaves be vetted by a Launch Enclave.
SP – Service Provider
TRS – Tamper Resistant Software
AAD – Additional Authenticated Data
DRNG – Digital Random Number Generator
PRNG – Pseudo-Random Number Generator
RDRAND – a CPU instruction that obtains random numbers from the on-chip hardware random number generator.
ASLR – Address Space Layout Randomization
uRTS – untrusted runtime
PS – Platform service
SGX Quote
Data Structure used to provide proof to an off-platform entity that an application enclave is running with Intel SGX protections on a trusted Intel SGX enabled platform.
Quoting Enclave(QE)
Signed enclave trusted by the attestation infrastructure owner to sign and issue Quotes or attestations about other enclaves.
Attestation Key (AK)
Key used by the Quoting Enclave(QE) to sign Quotes that describe the measurements and identity of an application enclave.
Provisioning Certification Enclave(PCE)
Intel SGX architectural enclave that uses a Provisioning Certification Key (PCK) to sign QE REPORT structures for Provisioning or Quoting Enclaves. These signed REPORTs contain the ReportData indicating that attestation keys or provisioning protocol messages are created on genuine hardware.
Provisioning Certification Key(PCK)
Signing key available to the Provisioning Certification Enclave for signing certificate-like QE REPORT structures. The key is unique to a processor package or platform instance, the HW TCB, and the PCE version (PSVN).
PEM – Privacy Enhanced Mail (the Internet PEM encoding)