How can the CPU protect your data and privacy from being stolen by malicious code? Basic introduction to Intel SGX
This article gives a basic introduction to Intel SGX, for readers who need a reference on the topic.
Basic introduction to Intel SGX
Intel SGX (Intel Software Guard Extensions) is an extension of the Intel instruction set architecture. SGX provides you with an enclave, an encrypted trusted execution area in memory, where the CPU protects your data and privacy from being stolen by malicious code.
Principle
SGX uses new processor instructions to allocate a region of memory called the EPC (Enclave Page Cache), and the CPU's encryption engine, the MEE (Memory Encryption Engine), encrypts the data in it. The encrypted content in the EPC is not decrypted into plaintext until it enters the CPU. Therefore, with SGX, you do not need to trust the operating system, the VMM, or even the BIOS. You only need to trust the CPU to ensure that private data will not be leaked.
Application
In practice, you can encrypt the private data and transfer it to the enclave in the cloud as ciphertext; the corresponding secret key is also delivered to the enclave through remote attestation. The data is then used for computation under the encryption protection of the CPU, and the results are returned to you as ciphertext. In this mode, you can take advantage of the powerful computing power of cloud computing without worrying about data leakage.
EDL (Enclave Definition Language)
EDL is the core of SGX programming: it defines all the functions for reading, writing, and processing data in the enclave. During the compilation phase, the Edger8r tool provided by the SDK generates the bridging functions between the enclave and ordinary memory based on the functions defined in the EDL, together with the corresponding security checks.
Functions are divided into trusted functions (ecall) and untrusted functions (ocall):
ecall: defined in the trusted area (trusted), called from outside the enclave, and executed inside the enclave.
ocall: defined in the untrusted area (untrusted), called from inside the enclave, and executed outside the enclave.
    // demo.edl
    enclave {
        // Add your definition of "secret_t" here
        trusted {
            public void get_secret([out] secret_t* secret);
        };
        untrusted {
            // This OCALL is for illustration purposes only.
            // It should not be used in a real enclave,
            // unless it is during the development phase
            // for debugging purposes.
            void dump_secret([in] const secret_t* secret);
        };
    };
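A simplified C model of the check a trusted-side bridge makes for the [out] pointer of get_secret in demo.edl; it is an added example, not Edger8r's generated output or code from the original article. The secret_t layout, the simulated enclave region and the names bridge_get_secret and is_outside_enclave are assumptions made so the model runs without the SGX SDK.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical secret_t: demo.edl leaves its definition to the reader. */
typedef struct { uint8_t key[16]; } secret_t;

/* Simulated enclave address range. Assumption: a real bridge asks the trusted
 * runtime (sgx_is_outside_enclave() in the SDK) instead of a static region. */
static union { secret_t secret_copy; uint8_t bytes[4096]; } enclave;

/* 1 only if [p, p+len) lies entirely outside the simulated enclave. */
static int is_outside_enclave(const void *p, size_t len)
{
    uintptr_t start = (uintptr_t)p, lo = (uintptr_t)&enclave;
    uintptr_t hi = lo + sizeof enclave;
    if (p == NULL || start + len < start)   /* this model rejects NULL and wrap-around */
        return 0;
    return start + len <= lo || start >= hi;
}

/* Trusted implementation of the ecall: it only ever touches enclave memory. */
static void get_secret(secret_t *secret)
{
    memset(secret->key, 0xA5, sizeof secret->key);   /* constructed value */
}

/* Model of the trusted-side bridge for
 *     public void get_secret([out] secret_t* secret);
 * Returns 0 on success, -1 when the caller's pointer is rejected. */
int bridge_get_secret(secret_t *untrusted_out)
{
    secret_t *copy = &enclave.secret_copy;   /* stand-in for an enclave heap buffer */
    if (!is_outside_enclave(untrusted_out, sizeof *untrusted_out))
        return -1;   /* pointer overlaps the enclave: refuse to write through it */
    memset(copy, 0, sizeof *copy);           /* [out]: start from a zeroed buffer */
    get_secret(copy);                        /* trusted code sees only the copy */
    memcpy(untrusted_out, copy, sizeof *copy);   /* result crosses the boundary */
    return 0;
}

int main(void)
{
    secret_t host_buf;   /* ordinary (untrusted) memory */
    printf("host buffer:    %d\n", bridge_get_secret(&host_buf));
    printf("enclave buffer: %d\n", bridge_get_secret((secret_t *)(enclave.bytes + 64)));
    return 0;
}
```

The untrusted caller supplies the pointer, so the bridge validates it before any trusted code runs and hands get_secret an in-enclave copy instead of the caller's address.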
Installing SGX
You can install SGX from the installation packages or from source code; the components include the driver, the PSW, the SDK and so on. Both installation methods require the header files matching your Linux kernel version to be installed.