2025-01-31 Update From: SLTechnology News&Howtos, shulou (Servers)
Shulou(Shulou.com)06/02 Report--
This article explains how the CPU protects your data and privacy from malicious code. The editor found it very practical, so I am sharing it with you for reference. Let's follow the editor and have a look.
Introduction to Intel SGX
Intel SGX (Intel Software Guard Extensions) is an extension of the Intel instruction set architecture. SGX provides an enclave: an encrypted, trusted execution region in memory in which the CPU protects your data and privacy from malicious code.
Principle
SGX uses new processor instructions to reserve a region of memory called the EPC (Enclave Page Cache) and encrypts its contents with the MEE (Memory Encryption Engine) inside the CPU. Encrypted EPC contents are decrypted to plaintext only once they enter the CPU. With SGX you can therefore distrust the operating system, the VMM, and even the BIOS, and trust only the CPU to keep private data from leaking.
Application
In practice, you encrypt your private data and pass it to an enclave in the cloud as ciphertext, and deliver the corresponding key to the enclave through remote attestation. The enclave then processes the data under the CPU's encryption protection, and the result is returned to you as ciphertext. In this mode you can use the computing power of the cloud without worrying about data leakage.
EDL (Enclave Definition Language)
EDL is the core of SGX programming: every function that reads, writes or processes data is declared in it. At compile time, the Edger8r tool shipped with the SDK generates the bridge functions between the enclave and ordinary memory from the functions declared in the EDL, and adds the corresponding security checks.
Functions are divided into trusted functions (ECALLs) and untrusted functions (OCALLs):
ECALL: declared in the trusted section, called from outside the enclave, executed inside the enclave.
OCALL: declared in the untrusted section, called from inside the enclave, executed outside the enclave.
    // demo.edl
    enclave {
        // Add your definition of "secret_t" here

        trusted {
            public void get_secret([out] secret_t* secret);
        };

        untrusted {
            // This OCALL is for illustration purposes only.
            // It should not be used in a real enclave,
            // unless it is during the development phase
            // for debugging purposes.
            void dump_secret([in] const secret_t* secret);
        };
    };
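As an added illustration (not code from this article or from the Intel SGX SDK), the following C program models the security check that the Edger8r-generated trusted bridge for get_secret's [out] parameter has to perform before the ECALL runs: the caller-supplied pointer must lie entirely outside the enclave and the range must not wrap around the address space; the ECALL then writes into an enclave-local copy that is released to untrusted memory afterwards. The enclave address range (a static array), the secret_t layout, the status codes and the secret value are all constructed stand-ins, and is_outside_enclave is a model of the SDK's own check rather than its code.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical secret_t: the type the demo.edl comment asks you to define. */
typedef struct { uint8_t key[16]; } secret_t;

/* Constructed stand-in for the enclave image. In a real enclave the bounds
   come from the loader and the check below is done by the SDK's own
   sgx_is_outside_enclave() inside the generated bridge. */
static uint8_t enclave_mem[4096];
#define ENCLAVE_BASE ((uintptr_t)enclave_mem)
#define ENCLAVE_END  ((uintptr_t)enclave_mem + sizeof enclave_mem - 1)

enum { BRIDGE_OK = 0, BRIDGE_INVALID_PARAMETER = 1 };  /* local status codes */

/* Returns 1 only if [p, p+len) lies entirely outside the enclave and the
   range arithmetic does not wrap around the address space. */
int is_outside_enclave(const void *p, size_t len) {
    uintptr_t start = (uintptr_t)p;
    uintptr_t end = (len > 0) ? start + len - 1 : start;
    if (end < start) return 0;                 /* arithmetic wrapped: reject */
    return end < ENCLAVE_BASE || start > ENCLAVE_END;
}

/* The ECALL body as the enclave developer writes it. It only ever touches
   enclave-owned memory. The key value is constructed for the demo. */
void get_secret(secret_t *secret) {
    memset(secret->key, 0xA5, sizeof secret->key);
}

/* Model of the trusted bridge generated for
   "public void get_secret([out] secret_t* secret)": validate the untrusted
   pointer, run the ECALL on an in-enclave copy, then copy the result out.
   Without the check, a pointer into enclave memory would make the enclave
   overwrite its own data. */
int bridge_get_secret(secret_t *out) {
    secret_t tmp;
    if (out == NULL || !is_outside_enclave(out, sizeof *out))
        return BRIDGE_INVALID_PARAMETER;
    get_secret(&tmp);                          /* [out]: write to a local copy first */
    memcpy(out, &tmp, sizeof tmp);             /* then release it to untrusted memory */
    memset(&tmp, 0, sizeof tmp);               /* best-effort scrub of the enclave copy */
    return BRIDGE_OK;
}
```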
Install SGX
You can install SGX either from installation packages or from source; this covers the driver, the PSW (Platform Software), the SDK, and so on. Both installation methods require the kernel header files for your Linux kernel version.
Thank you for reading! That is all on how the CPU protects your data and privacy from malicious code. I hope the above content is helpful to you and lets you learn more. If you think the article is good, share it so that more people can see it.
© 2024 shulou.com SLNews company. All rights reserved.