Trusted Security TEE Analysis 3 Intel SGX principle

2025-01-16 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

Hardware requirements: a 6th-generation Intel processor with SGX, and BIOS support for enabling it.

For trusted computing, Intel, like ARM with TrustZone, proposes its own security architecture for the x86 platform, SGX:

Intel® Software Guard Extensions (Intel® SGX)

https://software.intel.com/zh-cn/sgx-sdk

SGX, short for Intel Software Guard Extensions, is an extension of the Intel Architecture (IA) intended to strengthen software security. Rather than trying to identify and isolate every piece of malware on the platform, it encapsulates the security-sensitive operations of legitimate software in an enclave and protects them from malware. Neither privileged nor unprivileged software can access an enclave: once code and data are inside it, even the operating system or the VMM (hypervisor) cannot affect them. The security boundary of an enclave contains only the CPU and the enclave itself. An enclave created by SGX can be understood as a trusted execution environment (TEE), but it differs from ARM TrustZone (TZ): TZ splits the CPU into two isolated environments (secure world and normal world) that communicate through the SMC instruction, whereas a CPU with SGX can run multiple secure enclaves, and they can execute concurrently.

SGX protects a region of the application's own address space. Using instructions provided by the processor, SGX reserves a portion of physical memory, the Enclave Page Cache (EPC), and maps the enclave portion of the application's address space onto it. This memory region is encrypted; the encryption and the address translation are handled by the memory control unit in the CPU.

When the processor accesses data in an enclave, the CPU automatically switches to a new mode called enclave mode, which enforces additional hardware checks on every memory access. Because the data resides in the EPC, its contents are encrypted by the Memory Encryption Engine (MEE) to defend against known attacks on memory. EPC contents are decrypted only once they enter the CPU package, and are re-encrypted when they are written back to memory.

The Enclave Page Cache (EPC) is a region of memory that is kept encrypted. An enclave's code and data must reside and execute in it. To run a binary inside an enclave, SGX instructions allow ordinary pages to be copied into EPC pages.
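To make the EPC mapping and the enclave-mode access checks described above concrete, here is a small simplified model added to this article; it is not code from the article or from Intel, the structure and function names are hypothetical, and the page size is a toy value. Ordinary pages are copied into EPC slots bound to one enclave, and a read returns data only in enclave mode, from the owning enclave, through the bound address, so the OS, the VMM and other enclaves get nothing back.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#define EPC_PAGES  8
#define PAGE_SIZE  16        /* toy page size; real EPC pages are 4 KiB */
#define NO_ENCLAVE 0         /* owner id meaning "free EPC page" */

/* One EPC page: owning enclave, the enclave linear address it backs, and
 * its bytes (standing in for the MEE-encrypted contents held in DRAM). */
typedef struct {
    int      owner;
    uint64_t linear_addr;
    uint8_t  data[PAGE_SIZE];
} epc_page_t;

typedef struct {            /* processor state consulted by the access checks */
    bool       enclave_mode;
    int        current_enclave;  /* meaningful only while enclave_mode is set */
    epc_page_t epc[EPC_PAGES];
} cpu_t;
void cpu_enter_enclave(cpu_t *c, int id) { c->enclave_mode = true;  c->current_enclave = id; }
void cpu_exit_enclave(cpu_t *c)          { c->enclave_mode = false; c->current_enclave = NO_ENCLAVE; }

/* Copy an ordinary page into a free EPC page and bind it to one enclave at a
 * given linear address. Returns the EPC slot, or -1 when the EPC is full. */
int epc_add_page(cpu_t *c, int enclave, uint64_t laddr, const uint8_t *src)
{
    for (int i = 0; i < EPC_PAGES; i++) {
        if (c->epc[i].owner == NO_ENCLAVE) {
            c->epc[i].owner = enclave;
            c->epc[i].linear_addr = laddr;
            memcpy(c->epc[i].data, src, PAGE_SIZE);
            return i;
        }
    }
    return -1;
}

/* Per-access check that enclave mode adds: mode active, page owned by the current
 * enclave, reached through its bound address; otherwise no data leaves the page. */
bool epc_read(const cpu_t *c, int slot, uint64_t laddr, uint8_t *out)
{
    if (slot < 0 || slot >= EPC_PAGES || !c->enclave_mode) return false;
    const epc_page_t *p = &c->epc[slot];
    if (p->owner == NO_ENCLAVE || p->owner != c->current_enclave) return false;
    if (p->linear_addr != laddr) return false;
    memcpy(out, p->data, PAGE_SIZE);  /* plaintext exists only inside the CPU package */
    return true;
}
```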
