SGX Terminology Glossary

  • SGX
    Intel Software Guard Extensions.

  • GPRs
    General purpose registers.

  • 64-bit integers / pointers
    RAX RBX RCX RDX
    RSI RDI RBP RSP
    R8 R9 R10 R11
    R12 R13 R14 R15

  • 64-bit special-purpose registers
    RIP - instruction pointer
    RSP - stack pointer
    RFLAGS - status / control bits
  • ignored segment registers
    CS code segment
    DS data segment
    ES extra segment determined by the programmer
    SS stack segment

  • segment registers
    FS 64-bit FS base
    GS 64-bit GS base

The FS and GS registers store segments covering thread-local storage.
FS and GS are segment registers with no processor-defined purpose; the OS running on the processor assigns them one. In 64-bit Windows the GS register points to operating-system-defined structures, and FS and GS are commonly used by OS kernels to access thread-specific memory: Windows uses GS to manage thread-specific memory, while the Linux kernel uses GS to access CPU-specific memory.

  • RFLAGS register
    RFLAGS are individually used to store comparison results and control various instructions.
    Software may use other registers to interact with specific processor features, some of which are shown in Table 2.1.
    Table 2.1: Sample feature-specific Intel architecture registers.

    Feature    Registers                          XCR0 bit
    FPU        FP0 - FP7, FSW, FTW                0
    SSE        MM0 - MM7, XMM0 - XMM15, MXCSR     1
    AVX        YMM0 - YMM15                       2
    MPX        BND0 - BND3                        3
    MPX        BNDCFGU, BNDSTATUS                 4
    AVX-512    K0 - K7                            5
    AVX-512    ZMM0_H - ZMM15_H                   6
    AVX-512    ZMM16 - ZMM31                      7
    PK         PKRU                               9
  • RFBM
    Requested-feature bitmap: the XSAVE instruction takes an RFBM and writes to memory the registers used by the features whose RFBM bits are set to 1.

  • RPL
    Requested privilege level (rings 0 and 3)

  • TLS
    Thread Local Storage.

  • GDT 2.7
    Global Descriptor Table

  • TR 2.7
    Task Register

  • TSS 2.7
    Task State Segment

  • IST 2.7
    Interrupt Stack Table

  • PRM 5.1
    Processor Reserved Memory (PRM), which is a subset of DRAM that cannot be directly accessed by other software, including system software and SMM code.

  • SMM
    System Management Mode (SMM, sometimes called ring -2 in reference to protection rings) is an operating mode of x86 central processor units (CPUs) in which all normal execution, including the operating system, is suspended. An alternate software system which usually resides in the computer’s firmware, or a hardware-assisted debugger, is then executed with high privileges.

  • SDM 5
    Intel’s Software Developer Manual

  • PRMRR 5.1
    Processor Reserved Memory (PRM) Range Registers.

  • EPC 5.1
    The Enclave Page Cache, which is a subset of the PRM.

  • The Enclave Page Cache Map(EPCM)
    The EPCM is an array with one entry per EPC page, so computing the address of a page’s EPCM only requires a bitwise shift operation and an addition.

  • PT 5.1
    page type

  • PT_REG
    Regular page type; pages of this type store an enclave's code and data.

  • PT_SECS
    SECS: the SGX Enclave Control Structure. An enclave's identity is almost synonymous with its SECS. The SDM states that each enclave's measurement is stored in its SECS.

  • ELRANGE
    The Enclave Linear Address Range, which is used to map the code and the sensitive data stored in the enclave's EPC pages. ELRANGE is specified using a base (the BASEADDR field) and a size (the SIZE field) in the enclave's SECS.

  • SGX Enclave Attributes
    The execution environment of an enclave is heavily influenced by the value of the ATTRIBUTES field in the enclave's SECS.

    Field  Bits  Description
    DEBUG  1     Opts into enclave debugging features.
    XFRM   64    The value of XCR0 (a register in the CPU) while this enclave's code is executed.

  • MPX – Memory Protection Extensions
    Having XFRM be explicitly specified allows Intel to design new architectural extensions that change the semantics of existing instructions, such as Memory Protection Extensions (MPX).

  • TCS – Thread Control Structure.

  • PT_TCS
    Each TCS is stored in a dedicated EPC page whose EPCM entry type is PT_TCS.

  • OENTRY, OFSBASGX, OGSBASGX
    The architectural fields in the TCS lay out the context switches performed by a logical processor when it transitions between executing non-enclave and enclave code.
    For example, the OENTRY field specifies the value loaded into the instruction pointer (RIP) when the TCS is used to start executing enclave code. The OFSBASGX and OGSBASGX fields specify the base addresses loaded into the FS and GS segment registers, which typically point to Thread Local Storage.

  • SSA – State Save Area
    In the SGX design, the area used to store an enclave thread's execution context while a hardware exception is handled is called a State Save Area (SSA).

  • OSSA, NSSA
    Each TCS references a contiguous sequence of SSAs. The offset of the SSA array (OSSA) field specifies the location of the first SSA in the enclave's virtual address space. The number of SSAs (NSSA) field indicates the number of available SSAs.

  • SSAFRAMESIZE
    Each SSA starts at the beginning of an EPC page, and uses up the number of EPC pages that is specified in the SSAFRAMESIZE field of the enclave's SECS.

  • ECREATE
    ECREATE initializes the newly created SECS using the information in a non-EPC page owned by the system software.

  • VMCS – Virtual Machine Control Structure

  • PF – page fault

  • GP – general protection fault.

  • EADD
    The system software uses the EADD instruction to load the initial code and data into the enclave. EADD is used to create both TCS pages and regular pages.

  • PAGEINFO
    EADD reads its input data from a Page Information (PAGEINFO) structure.

    PAGEINFO fields: SECS, LINADDR, SRCPGE, SECINFO

  • SRCPGE (SRCPAGE), LINADDR, SECS, SECINFO
    The PAGEINFO structure contains the virtual address of the EPC page that will be allocated (LINADDR), the virtual address of the non-EPC page whose contents will be copied into the newly allocated EPC page (SRCPAGE), a virtual address that resolves to the SECS of the enclave that will own the page (SECS), and values for some of the fields of the EPCM entry associated with the newly allocated EPC page (SECINFO).

    The SECINFO field in the PAGEINFO structure is actually a virtual memory address, and points to a Security Information (SECINFO) structure. The SECINFO structure contains the newly allocated EPC page's access permissions (R, W, X) and its EPCM page type (PT_REG or PT_TCS).

  • LE
    After loading the initial code and data pages into the enclave, the system software must use a Launch Enclave (LE) to obtain an EINIT Token Structure.
    The LE is a privileged enclave provided by Intel, and is a prerequisite for the use of enclaves authored by parties other than Intel. The LE is cryptographically signed with a special Intel key that is hard-coded into the SGX implementation, and that causes EINIT to initialize the LE without checking for a valid EINIT Token Structure.
    Once INIT is set to true, EADD cannot be invoked on that enclave anymore, so the system software must load all pages that make up the enclave's initial state before executing the EINIT instruction.

  • EENTER
    EENTER performs a controlled jump into enclave code.

  • #UD – undefined instruction
    EENTER can only be executed by unprivileged application software running at ring 3, and results in an undefined instruction (#UD) fault if it is executed by system software.

  • PEBS – Precise Event Based Sampling
    When EENTER enters enclave mode, it suspends some of the processor’s debugging features, such as hardware breakpoints and Precise Event Based Sampling(PEBS).

  • EEXIT – Synchronous Enclave Exit

  • AEX – Asynchronous Enclave Exit
    If a hardware exception occurs while a logical processor is in enclave mode, the processor is taken out of enclave mode using an Asynchronous Enclave Exit(AEX).

  • AEP – Asynchronous Exit handler Pointer

  • EWB, ELDU, ELDB
    The system software evicts an EPC page using the EWB instruction, which produces all the data needed to restore the evicted page at a later time via the ELDU or ELDB instruction. The only difference between ELDU and ELDB is that the latter sets the BLOCKED bit in the page's EPCM entry, whereas the former leaves it cleared.

  • TLB – Translation look-aside buffer
    All memory accesses issued by a CPU core use virtual addresses, which must undergo translation. Address translation requires up to 20 memory accesses. Instead, address translation results are cached in the translation look-aside buffer.

  • IPI – Inter-Processor Interrupt

  • ETRACK
    After all desired pages have been blocked, the OS kernel must execute an ETRACK instruction, which directs the SGX implementation to keep track of which logical processors have had their TLBs flushed. If the OS wishes to evict a batch of EPC pages belonging to multiple enclaves, it must issue an ETRACK for each enclave.

  • VA – Version Array

  • page version
    When EWB evicts the contents of an EPC page, it creates an 8-byte nonce that Intel's documentation calls a page version. SGX's freshness guarantees are built on the assumption that nonces are stored securely, so EWB stores the nonce that it creates inside a Version Array (VA).
    Version Arrays are EPC pages that are dedicated to storing nonces generated by EWB. Each VA is divided into slots, and each slot is exactly large enough to store one nonce.

  • Nonce
    Freshness guarantees are typically built on top of a system that already offers guarantees, by adding a unique piece of information to each message. A popular solution for gaining freshness guarantees relies on nonces, single-use random numbers. Nonces are often combined with a message time-stamping and expiration scheme.

  • EPA
    VA pages are allocated using the EPA instruction, which takes in the virtual address of a free EPC page and turns it into a Version Array with empty slots. VA pages are identified by the PT_VA type in their EPCM entries.

  • PCMD – Page Crypto Metadata structure
    PCMD fields: SECINFO – Security Information; EID – Enclave ID
  • VPN – Virtual page number

  • Eviction Trees
    An evicted page depends on the VA page storing its nonce, and cannot be loaded back into the EPC until the VA page is reloaded as well. The dependency graph created by this relationship is a forest of eviction trees.

  • SGX Enclave Measurement
    The measurement of an SGX enclave is obtained by computing a secure hash over the inputs to the ECREATE, EADD, and EEXTEND instructions used to create the enclave and load the initial code and data into its memory. EINIT finalizes the hash that represents the enclave's measurement.
    SGX uses the 256-bit SHA-2 secure hash function to compute its measurements. SHA-2 is a block hash function that operates on 64-bit blocks, uses a 32-byte internal state, and produces a 32-byte output. Each enclave's measurement is stored in the MRENCLAVE field of the enclave's SECS. The 32-byte field stores the internal state and final output of the 256-bit SHA-2 secure hash function.

    Measuring ECREATE

    64-byte block extended into MRENCLAVE by ECREATE

    OFFSET  SIZE  Description
    0       8     “ECREATE\0”
    8       8     SECS.SSAFRAMESIZE
    16      8     SECS.SIZE
    32      32    32 zero (0) bytes

Measuring Enclave Attributes
The enclave's measurement does not include the enclave attributes. Instead, they are included directly in the information that is covered by the attestation signature.

Measuring EADD

Table 5.5: 64-byte block extended into MRENCLAVE by EADD. The ENCLAVEOFFSET is computed by subtracting the BASEADDR in the enclave's SECS from the LINADDR field in the PAGEINFO structure.

OFFSET  SIZE  Description
0       8     “EADD\0\0\0\0”
8       8     ENCLAVEOFFSET
16      48    SECINFO (first 48 bytes)

Measuring EEXTEND
The EEXTEND instruction exists solely for the purpose of measuring data loaded inside the enclave's EPC pages.

Table 5.6: 64-byte blocks extended into MRENCLAVE by EEXTEND. The ENCLAVEOFFSET is computed by subtracting the BASEADDR in the enclave's SECS from the LINADDR field in the PAGEINFO structure.

OFFSET  SIZE  Description
0       8     “EEXTEND\0”
8       8     ENCLAVEOFFSET
16      48    48 zero (0) bytes
64      64    bytes 0 - 64 in the chunk
128     64    bytes 64 - 128 in the chunk
192     64    bytes 128 - 192 in the chunk
256     64    bytes 192 - 256 in the chunk

** Measuring EINIT **
The EINIT instruction concludes the enclave building process. After EINIT is successfully invoked on an enclave, the enclave’s contents are “sealed”, meaning that the system software cannot use the EADD instruction to load code and data into the enclave, and cannot use the EEXTEND instruction to update the enclave’s measurement.
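As an added illustration (not code from this glossary or from Intel), the following Python model replays the ECREATE, EADD and EEXTEND blocks from the tables above into a SHA-256 state and finalizes it at EINIT, which also refuses a SIGSTRUCT whose ENCLAVEHASH differs from the result and seals the enclave against further EADD/EEXTEND. The SECINFO flag layout, the zero padding of bytes the tables leave unlisted, and all class and function names are the example's own assumptions.

```python
import hashlib
import struct
PAGE_SIZE, CHUNK_SIZE = 4096, 256   # EEXTEND measures one 256-byte chunk per invocation
PT_TCS, PT_REG = 1, 2               # EPCM page types, encoded in SECINFO.FLAGS bits 8-15

def secinfo(r=True, w=False, x=False, page_type=PT_REG) -> bytes:
    # 64-byte SECINFO: FLAGS (R, W, X bits and page type) followed by reserved zeros
    flags = (int(r) << 0) | (int(w) << 1) | (int(x) << 2) | (page_type << 8)
    return struct.pack("<Q", flags) + b"\0" * 56

class EnclaveMeasurement:
    """Model of MRENCLAVE: SHA-256 extended by ECREATE, EADD and EEXTEND, finalized by EINIT."""
    def __init__(self, base_addr: int, size: int, ssa_frame_size: int):
        self.base_addr = base_addr
        self.sealed = False
        self.blocks = 0
        self._sha = hashlib.sha256()
        # ECREATE block: "ECREATE\0", SECS.SSAFRAMESIZE, SECS.SIZE, zeros up to 64 bytes
        self._extend(b"ECREATE\0" + struct.pack("<QQ", ssa_frame_size, size))

    def _extend(self, block: bytes) -> None:
        block = block.ljust(64, b"\0")   # bytes the tables do not list are zero (assumption)
        assert len(block) == 64, "MRENCLAVE is only ever extended by 64-byte blocks"
        self._sha.update(block)
        self.blocks += 1

    def _check_open(self) -> None:
        if self.sealed:
            raise RuntimeError("enclave is sealed: EADD/EEXTEND are refused after EINIT")

    def eadd(self, linaddr: int, page: bytes, sec_info: bytes, measure: bool = True) -> None:
        self._check_open()
        assert len(page) == PAGE_SIZE, "EADD copies exactly one 4 KiB page"
        enclave_offset = linaddr - self.base_addr    # ENCLAVEOFFSET = LINADDR - BASEADDR
        # EADD block: "EADD\0\0\0\0", ENCLAVEOFFSET, first 48 bytes of SECINFO
        self._extend(b"EADD\0\0\0\0" + struct.pack("<Q", enclave_offset) + sec_info[:48])
        if measure:   # system software may skip EEXTEND, leaving the contents unmeasured
            for i in range(0, PAGE_SIZE, CHUNK_SIZE):
                self.eextend(enclave_offset + i, page[i:i + CHUNK_SIZE])

    def eextend(self, enclave_offset: int, chunk: bytes) -> None:
        self._check_open()
        # header block ("EEXTEND\0", ENCLAVEOFFSET, 48 zero bytes), then the chunk as 4 x 64 bytes
        self._extend(b"EEXTEND\0" + struct.pack("<Q", enclave_offset))
        for j in range(0, CHUNK_SIZE, 64):
            self._extend(chunk[j:j + 64])

    def einit(self, enclavehash: bytes = b"") -> bytes:
        """Finalize MRENCLAVE; EINIT also requires SIGSTRUCT.ENCLAVEHASH to equal it."""
        mrenclave = self._sha.digest()
        if enclavehash and enclavehash != mrenclave:
            raise ValueError("SIGSTRUCT.ENCLAVEHASH does not match MRENCLAVE")
        self.sealed = True
        return mrenclave

def measure_single_page(page: bytes, linaddr: int = 0x1000, base_addr: int = 0) -> bytes:
    """Constructed scenario: one measured PT_REG page loaded at LINADDR inside ELRANGE."""
    m = EnclaveMeasurement(base_addr=base_addr, size=0x10000, ssa_frame_size=1)
    m.eadd(linaddr, page, secinfo(r=True, x=True))
    return m.einit()
```

Because only ENCLAVEOFFSET enters the hash, moving BASEADDR and LINADDR together leaves MRENCLAVE unchanged, while moving the page within ELRANGE or altering one byte of it does not.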

SGX Enclave Versioning Support

  • SIGSTRUCT – Signature Structures
    The secret migration feature relies on a one-level certificate hierarchy, where each enclave author is a Certificate Authority, and each enclave receives a certificate from its author. These certificates must be formatted as Signature Structures.

Enclave Certificates

  • SIGSTRUCT – Signature Structures
    The SGX implementation consumes certificates formatted as Signature Structures (SIGSTRUCT), which are intended to be generated by an enclave building toolchain.

    Field          Bytes  Description
    ENCLAVEHASH    32     Must equal the enclave's measurement
    ISVPRODID      2      Differentiates modules signed by the same public key
    ISVSVN         2      Differentiates versions of the same module
    VENDOR         4      Differentiates Intel enclaves
    ATTRIBUTES     16     Constrains the enclave's attributes
    ATTRIBUTEMASK  16     Constrains the enclave's attributes

The format of the RSA signature used in a SIGSTRUCT enclave certificate:

Field      Bytes  Description
MODULUS    384    RSA key modulus
EXPONENT   4      RSA key public exponent
SIGNATURE  384    RSA signature
Q1         384    Simplified RSA signature verification
Q2         384    Simplified RSA signature verification

Certificate-Based Enclave Identity

  • ISVPRODID, ISVSVN
    An enclave's certificate-based identity consists of the modulus of the RSA key used to sign the certificate (MODULUS), the enclave's product ID (ISVPRODID) and the security version number (ISVSVN).

  • MRSIGNER

  • MRENCLAVE
    SGX does not use the entire modulus of a key, but rather a 256-bit SHA-2 hash of the modulus. This is called a signer measurement (MRSIGNER), to parallel the name of enclave measurement (MRENCLAVE) for the SHA-2 hash that identifies an enclave's contents.

  • SVN – Security version numbers
    The SGX design disallows the migration of secrets from an enclave with a higher SVN to an enclave with a lower SVN. A software module’s SVN should only be incremented when a security vulnerability is found. The SIGSTRUCT only allocates 2 bytes to the ISVSVN field, which translates to 65,536 possible SVN values.

CPU Security Version Numbers

The SGX implementation itself has a security version number (CPUSVN), which is used in the key derivation process implemented by EGETKEY, in addition to the enclave’s identity information. CPUSVN is a 128-bit value that, according to the SDM, reflects the processor’s microcode update version.
An SGX patent discloses that CPUSVN is a concatenation of small integers representing the SVNs of the various components that make up SGX’s implementation.

Establishing an Enclave’s Identity

  • VENDOR
    VENDOR is a field in SIGSTRUCT. A VENDOR value of 0x8086 indicates that this is a special enclave signed by Intel; the field is zero for all other enclaves.

Enclave Key Derivation

  • KEYREQUEST – Key Request

A subset of the fields in the KEYREQUEST structure:

Field          Bytes  Description
KEYNAME        2      The desired key type; secret migration uses Seal keys
KEYPOLICY      2      The identity information (MRENCLAVE and/or MRSIGNER)
ISVSVN         2      The enclave SVN used in derivation
CPUSVN         16     The SGX implementation SVN used in derivation
ATTRIBUTEMASK  16     Selects the enclave attributes used in derivation
KEYID          32     Random bytes
  • OWNEREPOCH
    The key derivation material always includes the value of a 128-bit Owner Epoch (OWNEREPOCH) SGX configuration register. This register is intended to be set by the computer's firmware to a secret generated once and stored in non-volatile memory.

SGX Software Attestation

  • TPM – Trusted Platform Module

  • Quoting Enclave
    The cryptographic primitive used in SGX’s attestation signature is too complex to be implemented in hardware, so the signing process is performed by a privileged Quoting Enclave, which is issued by Intel, and can access the SGX attestation key.

  • TARGETINFO – Report Target Info
    EREPORT requires the virtual address of a Report Target Info structure that contains the measurement-based identity and attributes of the target enclave.

Local Attestation

  • EREPORT – an attestation report
    An enclave proves its identity to another target enclave via the EREPORT instruction.

Remote Attestation

  • Provisioning Secret

  • Seal Secret
    During the manufacturing process, an SGX-enabled processor communicates with Intel's key generation facility, and has two secrets burned into e-fuses, which are a one-time programmable storage medium that can be economically included on a high-performance chip's die. We shall refer to the secrets stored in e-fuses as the Provisioning Secret and the Seal Secret.

  • EPID
    The Attestation Key uses Intel’s Enhanced Privacy ID (EPID) cryptosystem, which is a group signature scheme that is intended to preserve the anonymity of the signers.

  • NB
    EPID name based (NB) Quotes only leave the platform encrypted with an Intel public key.

SGX Enclave Launch Control

  • LE – Launch Enclave
    Launch Enclave is an enclave issued by Intel that gets to approve every other enclave before it is initialized by EINIT. The SGX design requires that all enclaves be vetted by a Launch Enclave.

  • SP – Service Provider

  • TRS – Tamper Resistant Software

  • AAD – Additional Authentication Data

  • DRNG – Digital Random Number Generator

  • PRNG – Pseudo-Random Number Generator

  • RDRAND – an instruction that obtains random numbers from the on-chip hardware random number generator.

  • ASLR – Address Space Layout Randomization

  • uRTS – untrusted runtime

  • PS – Platform service

Intel Software Guard Extensions (Intel SGX) Data Center Attestation Primitives: ECDSA Quote Library API

  • SGX Quote
    Data Structure used to provide proof to an off-platform entity that an application enclave is running with Intel SGX protections on a trusted Intel SGX enabled platform.

  • Quoting Enclave (QE)
    Signed enclave trusted by the attestation infrastructure owner to sign and issue Quotes or attestations about other enclaves.

  • Attestation Key (AK)
    Key used by the Quoting Enclave (QE) to sign Quotes that describe the measurements and identity of an application enclave.

  • Provisioning Certification Enclave (PCE)
    Intel SGX architectural enclave that uses a Provisioning Certification Key (PCK) to sign QE REPORT structures for Provisioning or Quoting Enclaves. These signed REPORTs contain the ReportData indicating that attestation keys or provisioning protocol messages are created on genuine hardware.

  • Provisioning Certification Key (PCK)
    Signing key available to the Provisioning Certification Enclave for signing certificate-like QE REPORT structures. The key is unique to a processor package or platform instance, the HW TCB, and the PCE version (PSVN).

  • PEM – Internet Privacy Enhanced Mail
