Software Guard Extensions

from Wikipedia, the free encyclopedia

Software Guard Extensions (Intel SGX) is an extension of the x86 architecture for creating so-called enclaves: regions within the address space of a process that are specially protected by the CPU, so that every direct access from outside the enclave, including by privileged software such as the operating system or a hypervisor, is controlled or blocked by the CPU. The protection of this memory region includes transparent encryption of the enclave's memory, with integrity protection, whenever it leaves the processor.

SGX was developed by Intel and introduced with the Skylake microarchitecture. Whether and to what extent a CPU supports the SGX instruction set extensions can be queried with the CPUID instruction: leaf 7 carries the SGX feature flag, and leaf 12h reports the supported SGX version and the protected memory regions. In addition, firmware (BIOS) support is required, but only to reserve a region of RAM that SGX protects (the Processor Reserved Memory); that region is then reported to the operating system as reserved memory in the e820 memory map.
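As an added example (not part of the original article or of any Intel software), the following C program performs that CPUID query. It checks the SGX flag in leaf 7, decodes leaf 12h subleaf 0 (SGX1/SGX2, MISCSELECT, maximum enclave size) and enumerates the Enclave Page Cache (EPC) sections from subleaf 2 onwards. The register layouts follow the Intel Software Developer's Manual; the struct and function names (sgx_caps, epc_section, sgx_decode_epc, ...) are this example's own. The decoding is kept separate from the live query so it can also be checked against constructed register values.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>              /* GCC/clang: __cpuid_count() */
#define HAVE_CPUID 1
#else
#define HAVE_CPUID 0            /* non-x86 build: decoding compiles, live query is a no-op */
#endif

struct regs { uint32_t eax, ebx, ecx, edx; };

/* Decoded CPUID.(EAX=12H,ECX=0): SGX version bits and enclave size limits. */
struct sgx_caps {
    bool sgx1, sgx2;
    uint32_t miscselect;            /* supported SECS.MISCSELECT bits */
    unsigned max_enclave_log2_32;   /* log2 of max enclave size, non-64-bit mode */
    unsigned max_enclave_log2_64;   /* log2 of max enclave size, 64-bit mode */
};

/* One Enclave Page Cache (EPC) section from CPUID.(EAX=12H,ECX>=2). */
struct epc_section {
    uint64_t base, size;            /* physical base and size, 4 KiB granular */
    unsigned props;                 /* 1 = confidentiality, integrity and replay protection */
};

/* CPUID.(EAX=07H,ECX=0): EBX bit 2 = SGX supported, ECX bit 30 = SGX launch control. */
static bool sgx_supported(struct regs leaf7)      { return (leaf7.ebx >> 2) & 1u; }
static bool sgx_launch_control(struct regs leaf7) { return (leaf7.ecx >> 30) & 1u; }

static struct sgx_caps sgx_decode_caps(struct regs s0)
{
    struct sgx_caps c;
    c.sgx1 = s0.eax & 1u;
    c.sgx2 = (s0.eax >> 1) & 1u;
    c.miscselect = s0.ebx;
    c.max_enclave_log2_32 = s0.edx & 0xFFu;
    c.max_enclave_log2_64 = (s0.edx >> 8) & 0xFFu;
    return c;
}

/* Subleaf layout: EAX[3:0] type (0 = invalid, 1 = EPC), EAX[31:12] base[31:12],
 * EBX[19:0] base[51:32]; ECX[3:0] properties, ECX[31:12] size[31:12], EDX[19:0] size[51:32].
 * Returns false when the subleaf does not describe an EPC section, which ends enumeration. */
static bool sgx_decode_epc(struct regs r, struct epc_section *out)
{
    if ((r.eax & 0xFu) != 1u)
        return false;
    out->base  = ((uint64_t)(r.ebx & 0xFFFFFu) << 32) | (r.eax & 0xFFFFF000u);
    out->size  = ((uint64_t)(r.edx & 0xFFFFFu) << 32) | (r.ecx & 0xFFFFF000u);
    out->props = r.ecx & 0xFu;
    return true;
}

static struct regs cpuid_query(uint32_t leaf, uint32_t subleaf)
{
    struct regs r = {0, 0, 0, 0};
#if HAVE_CPUID
    __cpuid_count(leaf, subleaf, r.eax, r.ebx, r.ecx, r.edx);
#else
    (void)leaf; (void)subleaf;
#endif
    return r;
}

int main(void)
{
    /* Leaf 0 gives the highest basic leaf; leaves 7 and 12H are only meaningful below it. */
    struct regs l0 = cpuid_query(0, 0);
    if (!HAVE_CPUID || l0.eax < 0x12u || !sgx_supported(cpuid_query(7, 0))) {
        puts("SGX: not reported by CPUID");
        return 0;
    }
    struct regs l7 = cpuid_query(7, 0);
    struct sgx_caps caps = sgx_decode_caps(cpuid_query(0x12, 0));
    printf("SGX1=%d SGX2=%d launch-control=%d MISCSELECT=0x%08x max enclave 2^%u (64-bit)\n",
           caps.sgx1, caps.sgx2, sgx_launch_control(l7), caps.miscselect,
           caps.max_enclave_log2_64);

    /* EPC sections start at subleaf 2 and end at the first subleaf with type 0. */
    for (uint32_t sub = 2; sub < 2 + 32; sub++) {
        struct epc_section s;
        if (!sgx_decode_epc(cpuid_query(0x12, sub), &s))
            break;
        printf("EPC section %u: base 0x%llx size 0x%llx (%llu MiB), props %u\n",
               sub - 2, (unsigned long long)s.base, (unsigned long long)s.size,
               (unsigned long long)(s.size >> 20), s.props);
    }
    return 0;
}
```

The CPUID flag describes what the silicon can do; whether firmware has actually enabled SGX is recorded in the SGX_ENABLE bit of the IA32_FEATURE_CONTROL MSR, which only the kernel can read, so an operating-system driver checks that bit in addition to CPUID before exposing SGX to applications.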

Functionality

Programmers can use SGX to better protect their software against manipulation: before an enclave is launched, the CPU checks the digital signature of the enclave author over the enclave's initial contents, so altered code does not run under that author's identity. Code executed inside an enclave keeps its confidentiality and integrity even on an operating system that has already been compromised, because the enclave's memory is protected from access by the operating system itself. SGX does not, however, guarantee availability: the operating system still decides whether and when an enclave gets to run.

However, in the original SGX deployment model this requires a license and an "Attestation Key" from Intel: Intel's launch enclave had to approve the signing key of a production enclave, and remote attestation relies on keys that Intel provisions to the processor. By design, software running inside an enclave can neither be analyzed nor monitored by the rest of the system, including the operating system and a debugger, unless the enclave has been built in debug mode.
