FOR EXTERNAL USE – 12th September, 2017
Legal Disclaimers and Notices
No license (express or implied, by estoppel or otherwise) to any intellectual property rights is granted by this document.
This document contains information on products, services and/or processes in development. All information provided here is subject
to change without notice. Contact your Intel representative to obtain the latest forecast, schedule, specifications and roadmaps.
The products described in this document may contain defects or errors known as errata which may cause the product to deviate from
published specifications. Current characterized errata are available on request.
Intel's compilers may or may not optimize to the same degree for non-Intel microprocessors for optimizations that are not unique to
Intel microprocessors. These optimizations include SSE2, SSE3, and SSSE3 instruction sets and other optimizations. Intel does not
guarantee the availability, functionality, or effectiveness of any optimization on microprocessors not manufactured by Intel.
Microprocessor-dependent optimizations in this product are intended for use with Intel microprocessors. Certain optimizations not
specific to Intel microarchitecture are reserved for Intel microprocessors. Please refer to the applicable product User and Reference
Guides for more information regarding the specific instruction sets covered by this notice.
Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service
activation. Performance varies depending on system configuration. No computer system can be absolutely secure. Check with your
system manufacturer or retailer or learn more at intel.com.
Intel and the Intel logo are trademarks of Intel Corporation in the U.S. and/or other countries.
*Other names and brands may be claimed as the property of others.
© 2017 Intel Corporation
Executive summary

1. Modern computing requires a capability to store secrets and execute securely – a “Trusted Execution Environment” (TEE). This need is increasing with new and more advanced threats in computing.

2. Intel® Software Guard Extensions (Intel® SGX) is Intel’s TEE for client and data center. It provides the foundation for many secure use cases.

3. SGX is the result of many years of research and builds on a foundation of knowledge of bringing multiple security technologies to market and includes solutions to a number of very interesting challenges…

Trusted Execution for all developers
Intel® Software Guard Extension (SGX) Analogy

Intel® SGX is analogous to a safe in your hotel room
• You can put a few things in it – wallet, watch, sensitive documents, keys, etc., … not your entire house.
• If the hotel experiences a catastrophic event, like a fire, your high value items are secure.
• Similar to one’s high value items, our digital life needs to be secure.
• SGX existence safeguards identity, data, and browsing, making your life easier and better.
• SGX utilizes a small amount of CPU memory to protect sensitive application information.
Intel® SGX

Intel SGX provides a trusted computing enclave (island) where data and applications are protected independently of the operating system or hardware configuration itself.
• Protects against SW attacks even if OS/drivers/BIOS/VMM/SMM are compromised
  • Smallest possible Trusted Compute Block (TCB)
• Secrets (data/keys/et al.) remain protected even when attacker has full control of platform
  • Other technologies allow some privileged SW in their boundary
• Prevents attacks like memory bus snooping, memory tampering, and “cold boot” attacks against memory contents in RAM
  • Protection for hard-to-protect or unprotected spaces
• Provides hardware-based attestation capabilities to measure and verify valid code and data signatures
  • Increases transparency and accountability
[Diagram: the Cloud Tenant & Data Provider sends Encrypted Data into the Untrusted CSP Environment; inside the Trusted Intel® SGX enclave, the Protected Application works on Protected Input Data and Secrets (ex. SSN, City, Credit Card Number) and returns Encrypted Results.]

SGX enabled solutions can provide protection for workloads running on devices

Enabling trusted computing @ the silicon root of trust

[Diagram: layered ecosystem stack – Silicon Foundation (1), (2), Ecosystem (3), Developers (4), (5), Solutions, Services & Practices; segments shown: PC Client, Data Center, FPGA, Vehicles, Storage, New Devices, Comms, IoT, AI & Machine Learning; captions: SGX @ Root of Trust, Attestation, SGX APIs & SDKs, SGX Protects App Data & Content, Identity, Data, Compute.]
Academic papers

More than 125 (83 in 2017) academic papers written on use cases (and potential vulnerabilities) for SGX.

New use cases are being termed as the “art of possibilities”.
Key Challenges
1. Execution Isolation at the Application boundary
2. Attestation and Sealing at the Application boundary
3. Recovery from HW Issues
Reducing the Attack Surface

Hyper-focused trust boundary
Application gains ability to defend its own secrets
• Memory protection model changed for NEW protected region of memory (PRM)
• New instructions added to create smallest attack surface

Familiar IA Development and Debug
• SDK & Integrated Dev Environment enhancements

Scalable
• Main core performance
• All HW threads can be used inside an enclave
• Protected memory can be securely paged
[Diagram: attack surface for legacy platforms vs. attack surface with Intel® SGX, drawn over the platform stack of Hardware, VMM, OS and Apps.]
SGX High-level Hardware/Software Picture

[Diagram: the Application Environment (Application, SGX User Runtime, Enclave) and the Privileged Environment (OS data structures, page tables, SGX Module) sit above the newly exposed hardware (EPC, EPCM, hardware data structures, Hardware Runtime).]

New kernel-level instructions: ECREATE, EADD, EEXTEND, EINIT, EBLOCK, ETRACK, EWB, ELD, EPA, EREMOVE
New application-level instructions: EENTER, EEXIT, EGETKEY, EREPORT, ERESUME
SGX Access Control

[Flowchart: a Linear Address first passes the Traditional IA Page Table Checks and is translated to a Physical Address; the remaining decisions depend on whether this is an enclave access.]
• Non-Enclave Access: if the address is not in the EPC, allow the memory access; if it is in the EPC, replace the address with the Abort Page.
• Enclave Access: if the address is not in the EPC, signal a fault; if it is, check the EPCM. If the checks pass, allow the memory access; otherwise signal a fault.
Increasing Physical Attack Protection

1. Security perimeter is the CPU package boundary
2. Data and code unencrypted inside CPU package
3. Data and code outside CPU package is encrypted and integrity checked
4. External memory reads and bus snoops see only encrypted data

[Diagram: Cores and Cache inside the CPU package hold plaintext (a sample card number); System Memory outside the package holds only ciphertext, and snoops on the bus see only encrypted data.]
Key Challenge 2: Attestation and Sealing at the Application boundary
Critical Features: Attestation and Sealing

[Diagram: Client Application with an Enclave on the local platform, an Authenticated Channel to the Remote Platform, and Intel.]
• App executes on local platform
• HW based Attestation provides remote platform assurance that “this is the right app executing in the right platform”
  => Remote platform can provision local platform with secrets
• App can seal secrets to platform for future use
Key Challenge 3: TCB Recovery
TCB Recovery

TCB recovery is the process of being able to cryptographically demonstrate that the TCB has been updated to fix a potential security issue.
• First we issue all the HW components with a “Security Version Number”
• This is used to derive a “TCB specific” key from the HW key in the part.
• When a new update is issued all keys are derived from a new TCB specific key.
• Note: this mechanism cannot be modified as part of a TCB update itself.

[Diagram (labelled “Unverifiable Code Base”): the HW Key and the TCB SVN are fed into a PRF, which outputs the TCB Key.]
Data Migration

But what about all the data sealed to a previous TCB key?
• A backwards loop is used to provide forward secrecy, but allows “previous” TCB specific keys to be retrieved
• This allows the CPU to continue to “go back” by performing additional PRFs

[Diagram (labelled “Unverifiable Code Base”): the Initial Key and a Derivation String (usually a constant) are fed into a PRF; the Temp output is fed back and the PRF is looped (MAX-SVN) times to produce the TCB Key.]
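The TCB-recovery key chain from the two slides above, and the sealing it protects, modelled as an added example that is not Intel's code or part of the deck: HMAC-SHA256 stands in for the PRF, and MAX_SVN, the derivation string, the hardware key and the toy seal/unseal format are constructed assumptions.

```python
"""
Model of the TCB-recovery key chain and data migration the slides describe:
a per-part hardware key and a Security Version Number (SVN) go through a PRF
to give a TCB-specific key. The CPU loops the PRF (MAX_SVN - svn) times, so a
platform at SVN n reaches any older SVN's key with extra PRF steps but, the PRF
being one-way, cannot reach a newer TCB's key. HMAC-SHA256 stands in for the
PRF; all keys and secrets are constructed sample data, not Intel's.
"""
import hashlib
import hmac
import os

MAX_SVN = 8                       # assumption: top of the SVN chain
DERIVATION_STRING = b"TCB-KEY"    # "derivation string (usually a constant)"
HW_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)  # constructed


def prf(key: bytes, label: bytes) -> bytes:
    """One PRF step; the key is the previous Temp value in the loop."""
    return hmac.new(key, label, hashlib.sha256).digest()


def tcb_key_from_hw(hw_key: bytes, svn: int) -> bytes:
    """What the CPU computes at SVN `svn`: loop (MAX_SVN - svn) PRF steps."""
    if not 0 <= svn <= MAX_SVN:
        raise ValueError("SVN out of range")
    temp = hw_key
    for _ in range(MAX_SVN - svn):
        temp = prf(temp, DERIVATION_STRING)
    return temp


def older_tcb_key(current_key: bytes, current_svn: int, target_svn: int) -> bytes:
    """Data migration: go back from current_svn to an older SVN's key with
    (current_svn - target_svn) more PRF steps. The guard for newer SVNs mirrors
    what the one-way PRF already makes impossible."""
    if target_svn > current_svn:
        raise ValueError("cannot derive a key for a newer TCB")
    temp = current_key
    for _ in range(current_svn - target_svn):
        temp = prf(temp, DERIVATION_STRING)
    return temp


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from the PRF (toy stand-in for a real AEAD)."""
    out = b""
    block = 0
    while len(out) < length:
        out += prf(enc_key, nonce + block.to_bytes(4, "big"))
        block += 1
    return out[:length]


def seal(tcb_key: bytes, svn: int, secret: bytes) -> bytes:
    """Seal a secret to the platform at SVN `svn`: svn || nonce || ct || tag.
    The SVN travels in the clear so a later TCB knows how far to go back."""
    nonce = os.urandom(16)
    stream = _keystream(prf(tcb_key, b"enc"), nonce, len(secret))
    ct = bytes(p ^ k for p, k in zip(secret, stream))
    header = bytes([svn]) + nonce
    tag = prf(prf(tcb_key, b"mac"), header + ct)
    return header + ct + tag


def unseal(current_key: bytes, current_svn: int, blob: bytes) -> bytes:
    """Unseal on a platform at current_svn by re-deriving the sealing TCB's key.
    Raises ValueError for blobs sealed by a newer TCB or with a bad tag."""
    if len(blob) < 1 + 16 + 32:
        raise ValueError("blob too short")
    header, ct, tag = blob[:17], blob[17:-32], blob[-32:]
    sealed_svn, nonce = header[0], header[1:]
    key = older_tcb_key(current_key, current_svn, sealed_svn)  # may raise
    if not hmac.compare_digest(tag, prf(prf(key, b"mac"), header + ct)):
        raise ValueError("sealed data failed integrity check")
    stream = _keystream(prf(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, stream))


def migration_demo() -> bool:
    """Seal at SVN 3, update the TCB to SVN 5 and unseal; then confirm a
    platform still at SVN 3 cannot open data sealed by SVN 5."""
    key3 = tcb_key_from_hw(HW_KEY, 3)
    blob3 = seal(key3, 3, b"secret sealed before the update")
    key5 = tcb_key_from_hw(HW_KEY, 5)           # platform after a TCB update
    migrated = unseal(key5, 5, blob3) == b"secret sealed before the update"
    blob5 = seal(key5, 5, b"sealed by the new TCB")
    try:
        unseal(key3, 3, blob5)                  # older TCB trying to go forward
        forward_blocked = False
    except ValueError:
        forward_blocked = True
    return migrated and forward_blocked


if __name__ == "__main__":
    print("TCB recovery chain behaves as expected:", migration_demo())
```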
software.intel.com/SGX

The site has the latest info on:
• SDK & Developer Resources
• White Papers
• Support Forum

Enterprise Document Management System - Qualityze IncEnterprise Document Management System - Qualityze Inc
Enterprise Document Management System - Qualityze Incrobinwilliams8624
 
Growing Oxen: channel operators and retries
Growing Oxen: channel operators and retriesGrowing Oxen: channel operators and retries
Growing Oxen: channel operators and retriesSoftwareMill
 
Webinar_050417_LeClair12345666777889.ppt
Webinar_050417_LeClair12345666777889.pptWebinar_050417_LeClair12345666777889.ppt
Webinar_050417_LeClair12345666777889.pptkinjal48
 
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/MLBig Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/MLAlluxio, Inc.
 
JS-Experts - Cybersecurity for Generative AI
JS-Experts - Cybersecurity for Generative AIJS-Experts - Cybersecurity for Generative AI
JS-Experts - Cybersecurity for Generative AIIvo Andreev
 
Introduction-to-Software-Development-Outsourcing.pptx
Introduction-to-Software-Development-Outsourcing.pptxIntroduction-to-Software-Development-Outsourcing.pptx
Introduction-to-Software-Development-Outsourcing.pptxIntelliSource Technologies
 
Fields in Java and Kotlin and what to expect.pptx
Fields in Java and Kotlin and what to expect.pptxFields in Java and Kotlin and what to expect.pptx
Fields in Java and Kotlin and what to expect.pptxJoão Esperancinha
 
Sales Territory Management: A Definitive Guide to Expand Sales Coverage
Sales Territory Management: A Definitive Guide to Expand Sales CoverageSales Territory Management: A Definitive Guide to Expand Sales Coverage
Sales Territory Management: A Definitive Guide to Expand Sales CoverageDista
 
OpenChain Webinar: Universal CVSS Calculator
OpenChain Webinar: Universal CVSS CalculatorOpenChain Webinar: Universal CVSS Calculator
OpenChain Webinar: Universal CVSS CalculatorShane Coughlan
 
IA Generativa y Grafos de Neo4j: RAG time
IA Generativa y Grafos de Neo4j: RAG timeIA Generativa y Grafos de Neo4j: RAG time
IA Generativa y Grafos de Neo4j: RAG timeNeo4j
 
Watermarking in Source Code: Applications and Security Challenges
Watermarking in Source Code: Applications and Security ChallengesWatermarking in Source Code: Applications and Security Challenges
Watermarking in Source Code: Applications and Security ChallengesShyamsundar Das
 
Why Choose Brain Inventory For Ecommerce Development.pdf
Why Choose Brain Inventory For Ecommerce Development.pdfWhy Choose Brain Inventory For Ecommerce Development.pdf
Why Choose Brain Inventory For Ecommerce Development.pdfBrain Inventory
 
Top Software Development Trends in 2024
Top Software Development Trends in  2024Top Software Development Trends in  2024
Top Software Development Trends in 2024Mind IT Systems
 
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmony
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine HarmonyLeveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmony
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmonyelliciumsolutionspun
 

Dernier (20)

Your Vision, Our Expertise: TECUNIQUE's Tailored Software Teams
Your Vision, Our Expertise: TECUNIQUE's Tailored Software TeamsYour Vision, Our Expertise: TECUNIQUE's Tailored Software Teams
Your Vision, Our Expertise: TECUNIQUE's Tailored Software Teams
 
online pdf editor software solutions.pdf
online pdf editor software solutions.pdfonline pdf editor software solutions.pdf
online pdf editor software solutions.pdf
 
eAuditor Audits & Inspections - conduct field inspections
eAuditor Audits & Inspections - conduct field inspectionseAuditor Audits & Inspections - conduct field inspections
eAuditor Audits & Inspections - conduct field inspections
 
AI Embracing Every Shade of Human Beauty
AI Embracing Every Shade of Human BeautyAI Embracing Every Shade of Human Beauty
AI Embracing Every Shade of Human Beauty
 
Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...
Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...
Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...
 
Enterprise Document Management System - Qualityze Inc
Enterprise Document Management System - Qualityze IncEnterprise Document Management System - Qualityze Inc
Enterprise Document Management System - Qualityze Inc
 
Growing Oxen: channel operators and retries
Growing Oxen: channel operators and retriesGrowing Oxen: channel operators and retries
Growing Oxen: channel operators and retries
 
Webinar_050417_LeClair12345666777889.ppt
Webinar_050417_LeClair12345666777889.pptWebinar_050417_LeClair12345666777889.ppt
Webinar_050417_LeClair12345666777889.ppt
 
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/MLBig Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
 
JS-Experts - Cybersecurity for Generative AI
JS-Experts - Cybersecurity for Generative AIJS-Experts - Cybersecurity for Generative AI
JS-Experts - Cybersecurity for Generative AI
 
Introduction-to-Software-Development-Outsourcing.pptx
Introduction-to-Software-Development-Outsourcing.pptxIntroduction-to-Software-Development-Outsourcing.pptx
Introduction-to-Software-Development-Outsourcing.pptx
 
Fields in Java and Kotlin and what to expect.pptx
Fields in Java and Kotlin and what to expect.pptxFields in Java and Kotlin and what to expect.pptx
Fields in Java and Kotlin and what to expect.pptx
 
Sales Territory Management: A Definitive Guide to Expand Sales Coverage
Sales Territory Management: A Definitive Guide to Expand Sales CoverageSales Territory Management: A Definitive Guide to Expand Sales Coverage
Sales Territory Management: A Definitive Guide to Expand Sales Coverage
 
Salesforce AI Associate Certification.pptx
Salesforce AI Associate Certification.pptxSalesforce AI Associate Certification.pptx
Salesforce AI Associate Certification.pptx
 
OpenChain Webinar: Universal CVSS Calculator
OpenChain Webinar: Universal CVSS CalculatorOpenChain Webinar: Universal CVSS Calculator
OpenChain Webinar: Universal CVSS Calculator
 
IA Generativa y Grafos de Neo4j: RAG time
IA Generativa y Grafos de Neo4j: RAG timeIA Generativa y Grafos de Neo4j: RAG time
IA Generativa y Grafos de Neo4j: RAG time
 
Watermarking in Source Code: Applications and Security Challenges
Watermarking in Source Code: Applications and Security ChallengesWatermarking in Source Code: Applications and Security Challenges
Watermarking in Source Code: Applications and Security Challenges
 
Why Choose Brain Inventory For Ecommerce Development.pdf
Why Choose Brain Inventory For Ecommerce Development.pdfWhy Choose Brain Inventory For Ecommerce Development.pdf
Why Choose Brain Inventory For Ecommerce Development.pdf
 
Top Software Development Trends in 2024
Top Software Development Trends in  2024Top Software Development Trends in  2024
Top Software Development Trends in 2024
 
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmony
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine HarmonyLeveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmony
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmony
 

Intel Software Guard Extensions

  • 1. FOR EXTERNAL USE – 12th September, 2017
  • 3. Executive summary – Trusted Execution for all developers
    Modern computing requires a capability to store secrets and execute securely – a “Trusted Execution Environment” (TEE). This need is increasing with new and more advanced threats in computing.
    SGX is the result of many years of research and builds on a foundation of knowledge of bringing multiple security technologies to market, and includes solutions to a number of very interesting challenges…
    Intel® Software Guard Extensions (Intel® SGX) is Intel’s TEE for client and data center. It provides the foundation for many secure use cases.
  • 4. Intel® Software Guard Extensions (SGX) Analogy
    Intel® SGX is analogous to a safe in your hotel room.
    - You can put a few things in it – wallet, watch, sensitive documents, keys, etc. … not your entire house.
    - If the hotel experiences a catastrophic event, like a fire, your high value items are secure.
    - Similar to one’s high value items, our digital life needs to be secure.
    - SGX’s existence safeguards identity, data, and browsing, making your life easier and better.
    - SGX utilizes a small amount of CPU memory to protect sensitive application information.
  • 5. Intel® SGX
    Intel SGX provides a trusted computing enclave (island) where data and applications are protected independently of the operating system or hardware configuration itself.
    - Protects against SW attacks even if OS/drivers/BIOS/VMM/SMM are compromised
    - Smallest possible Trusted Compute Block (TCB)
    - Secrets (data/keys/et al.) remain protected even when an attacker has full control of the platform
    - Other technologies allow some privileged SW in their boundary
    - Prevents attacks like memory bus snooping, memory tampering, and “cold boot” attacks against memory contents in RAM
    - Protection for hard-to-protect or unprotected spaces
    - Provides hardware-based attestation capabilities to measure and verify valid code and data signatures
    - Increases transparency and accountability
    [Diagram labels: Cloud Tenant & Data Provider; Untrusted – CSP Environment; Trusted – Intel® SGX enclave; Protected Application; Protected Input Data; Secrets, e.g. SSN, City, Credit Card Number; Encrypted Data; Encrypted Results]
  • 6. Enabling trusted computing @ the silicon root of trust
    SGX enabled solutions can provide protection for workloads running on devices.
    [Diagram labels: Silicon Foundation (1) – SGX @ Root of Trust; IoT (2); Ecosystem (3); Developers (4) – SGX APIs & SDKs; (5) Services & Practices; Solutions: FPGA, PC Client, Data Center, Vehicles, Storage, New Devices, Comms, AI & Machine Learning; SGX Protects App Data & Content; Attestation; Identity, Data, Compute]
  • 7. Academic papers
    More than 125 (83 in 2017) academic papers have been written on use cases (and potential vulnerabilities) for SGX. New use cases are being termed the “art of possibilities”.
    Intel Confidential
  • 8. [image slide, no text extracted]
  • 9. Key Challenges
    1. Execution Isolation at the Application boundary
    2. Attestation and Sealing at the Application boundary
    3. Recovery from HW Issues
  • 10. Key Challenges – same agenda as slide 9, introducing section 1 (Execution Isolation at the Application boundary)
  • 11. Reducing the Attack Surface
    Hyper-focused trust boundary: the application gains the ability to defend its own secrets.
    - Memory protection model changed for a NEW protected region of memory (PRM)
    - New instructions added to create the smallest attack surface
    Familiar IA Development and Debug
    - SDK & Integrated Dev Environment enhancements
    Scalable
    - Main core performance
    - All HW threads can be used inside an enclave
    - Protected memory can be securely paged
    [Diagram: attack surface for legacy platforms vs. attack surface with Intel® SGX, across the stack Hardware / VMM / OS / App]
  • 12. SGX High-level Hardware/Software Picture
    [Diagram: Application Environment – Application, SGX User Runtime, Enclave; Privileged Environment – OS, SGX Module, page tables, OS data structure; Hardware – EPC, EPCM (New Exposed Hardware), Hdw Data Structure, Runtime]
    New Kernel Level Instructions: ECREATE, EADD, EEXTEND, EINIT, EBLOCK, ETRACK, EWB, ELD, EPA, EREMOVE
    New Application Level Instructions: EENTER, ERESUME, EEXIT, EGETKEY, EREPORT
  • 13. SGX Access Control
    [Flowchart] A Linear Address goes through the Traditional IA Page Table Checks to a Physical Address, then:
    - Non-Enclave Access: Address in EPC? Yes → Replace Address With Abort Page. No → Allow Memory Access.
    - Enclave Access: Address in EPC? No → Allow Memory Access. Yes → Check EPCM → Checks Pass? Yes → Allow Memory Access; No → Signal Fault.
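The slide-13 flow, as an added example that is not part of the original deck: a small Python model of the access decision. The EPC physical range, the EPCM fields compared (valid bit, owning enclave, the linear address recorded when the page was added, permissions) and every sample page-table entry are assumptions constructed for the demonstration.

```python
"""Model of the SGX access-control decision on slide 13.

Added example, not Intel code: the EPC range, the EPCM fields compared and
all sample addresses are constructed for this demonstration.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PAGE = 0x1000
EPC_BASE = 0x1000_0000          # assumed physical range of the Enclave Page Cache
EPC_SIZE = 0x0100_0000


@dataclass(frozen=True)
class EpcmEntry:
    """Assumed subset of an Enclave Page Cache Map entry for one EPC page."""
    valid: bool
    enclave_id: int      # which enclave owns the page
    linear_base: int     # linear address the page was added at; fixed for its lifetime
    perms: str           # subset of "rwx"


@dataclass(frozen=True)
class Access:
    linear: int
    op: str                           # "r", "w" or "x"
    enclave_id: Optional[int] = None  # None: non-enclave access (OS, VMM, SMM, untrusted app)


def in_epc(phys: int) -> bool:
    return EPC_BASE <= phys < EPC_BASE + EPC_SIZE


def page_table_walk(page_table: Dict[int, int], linear: int) -> Optional[int]:
    """'Traditional IA page table checks': linear -> physical, or None if unmapped.
    The OS owns this table, so nothing in it is trusted by the enclave."""
    frame = page_table.get(linear & ~(PAGE - 1))
    if frame is None:
        return None
    return frame | (linear & (PAGE - 1))


def check_access(access: Access, page_table: Dict[int, int],
                 epcm: Dict[int, EpcmEntry]) -> Tuple[str, Optional[int]]:
    """Return ("ALLOW", physical), ("ABORT_PAGE", None) or ("FAULT", None)."""
    phys = page_table_walk(page_table, access.linear)
    if phys is None:
        return "FAULT", None                   # ordinary page fault, as before SGX

    if access.enclave_id is None:              # non-enclave access branch
        if in_epc(phys):
            # Privileged software cannot read enclave memory: the access is
            # redirected to the abort page and observes no enclave data.
            return "ABORT_PAGE", None
        return "ALLOW", phys

    if not in_epc(phys):                       # enclave touching ordinary memory
        return "ALLOW", phys                   # (slide-level simplification)

    entry = epcm.get(phys & ~(PAGE - 1))       # hardware-owned metadata, not OS-writable
    checks_pass = (
        entry is not None
        and entry.valid
        and entry.enclave_id == access.enclave_id
        and entry.linear_base == (access.linear & ~(PAGE - 1))
        and access.op in entry.perms
    )
    return ("ALLOW", phys) if checks_pass else ("FAULT", None)


def build_sample() -> Tuple[Dict[int, int], Dict[int, EpcmEntry]]:
    """Constructed sample: enclave 1 owns EPC page 0, enclave 2 owns EPC page 1,
    and the OS has also mapped a second linear address onto enclave 1's page."""
    page_table = {
        0x0040_0000: 0x0080_0000,       # ordinary application page
        0x7000_0000: EPC_BASE,          # enclave 1's page, at the linear address it was added
        0x7000_1000: EPC_BASE + PAGE,   # enclave 2's page
        0x7000_2000: EPC_BASE,          # OS remapping of enclave 1's page under a new address
    }
    epcm = {
        EPC_BASE: EpcmEntry(True, 1, 0x7000_0000, "rw"),
        EPC_BASE + PAGE: EpcmEntry(True, 2, 0x7000_1000, "rw"),
    }
    return page_table, epcm


def run_scenarios() -> Dict[str, str]:
    """Outcome of each access in the constructed sample, keyed by scenario."""
    pt, epcm = build_sample()
    cases = {
        "os_reads_enclave_page":        Access(0x7000_0000, "r"),
        "app_reads_own_page":           Access(0x0040_0000, "r"),
        "enclave1_reads_own_page":      Access(0x7000_0000, "r", 1),
        "enclave2_reads_enclave1_page": Access(0x7000_0000, "r", 2),
        "enclave1_via_remapped_linear": Access(0x7000_2000, "r", 1),
        "enclave1_executes_data_page":  Access(0x7000_0000, "x", 1),
        "unmapped_page":                Access(0x9000_0000, "r", 1),
    }
    return {name: check_access(a, pt, epcm)[0] for name, a in cases.items()}


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:32s} {outcome}")
```

The remapping scenario is the reason the EPCM records a linear address: the page tables belong to the OS, so a compromised OS can point any linear address at an EPC frame, but the hardware compares the access against the address the page was added at and faults on the mismatch instead of letting the enclave read or write the aliased page.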
  • 14. Increasing Physical Attack Protection
    1. Security perimeter is the CPU package boundary
    2. Data and code unencrypted inside CPU package
    3. Data and code outside CPU package is encrypted and integrity checked
    4. External memory reads and bus snoops see only encrypted data
    [Diagram: Cores and Cache inside the package hold plaintext (illustrated with a sample card number); System Memory and the Snoop points on the bus see only ciphertext (illustrated as a random-looking string)]
  • 15. Key Challenges – same agenda as slide 9, introducing section 2 (Attestation and Sealing at the Application boundary)
  • 16. Critical Features: Attestation and Sealing
    - App executes on local platform
    - HW based Attestation provides remote platform assurance that “this is the right app executing in the right platform” => Remote platform can provision local platform with secrets
    - App can seal secrets to platform for future use
    [Diagram labels: Remote Platform; Authenticated Channel; Client Application; Enclave; Intel]
  • 17. Key Challenges – same agenda as slide 9 (here worded “TCB Recovery” and “Attestation and Sealing to the Application boundary”), introducing section 3 (TCB Recovery)
  • 18. TCB Recovery
    TCB recovery is the process of being able to cryptographically demonstrate that the TCB has been updated to fix a potential security issue.
    - First we issue all the HW components with a “Security Version Number”
    - This is used to derive a “TCB specific” key from the HW key in the part.
    - When a new update is issued all keys are derived from a new TCB specific key.
    - Note: this mechanism cannot be modified as part of a TCB update itself.
    [Diagram labels: Unverifiable Code Base; HW Key; TCB SVN; PRF; TCB Key]
  • 19. Data Migration
    But what about all the data sealed to a previous TCB key?
    - A backwards loop is used to provide forward secrecy, but allows “previous” TCB specific keys to be retrieved
    - This allows the CPU to continue to “go back” by performing additional PRFs
    [Diagram labels: Unverifiable Code Base; Initial Key; PRF; Derivation String (usually a constant); Temp; Loop (MAX − SVN) times; TCB Key]
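Slides 18 and 19 together, as an added example that is not Intel’s implementation: a Python model of the SVN-indexed key chain in which HMAC-SHA256 stands in for the hardware PRF. MAX_SVN, the derivation string, the “initial” label, the MAC-only toy sealing and the sample hardware key are all constructed assumptions.

```python
"""Model of the TCB-versioned key chain on slides 18 and 19.

Added example, not Intel code: HMAC-SHA256 stands in for the hardware PRF;
MAX_SVN, the derivation string, the "initial" label, the toy sealing and the
sample hardware key are constructed assumptions.
"""
import hashlib
import hmac

MAX_SVN = 8                               # assumed highest Security Version Number
DERIVATION_STRING = b"tcb-key-chain"      # slide 19's "derivation string (usually a constant)"
TAG_LEN = 32                              # HMAC-SHA256 output length


def prf(key: bytes, data: bytes) -> bytes:
    """One-way pseudorandom function; HMAC-SHA256 stands in for the hardware PRF."""
    return hmac.new(key, data, hashlib.sha256).digest()


def initial_key(hw_key: bytes) -> bytes:
    """Slide 18: the fused hardware key is never used directly; the chain root is
    derived from it (the b"initial" label is an assumption)."""
    return prf(hw_key, b"initial")


def tcb_key(hw_key: bytes, svn: int) -> bytes:
    """TCB-specific key for Security Version Number `svn` (slide 19's loop).

    The PRF is applied (MAX_SVN - svn) times, so a *newer* TCB needs *fewer*
    steps. A part at SVN n can derive the keys of every SVN <= n by stepping
    further, but reaching an SVN > n would require inverting the PRF.
    """
    if not 0 <= svn <= MAX_SVN:
        raise ValueError(f"svn must be in 0..{MAX_SVN}")
    key = initial_key(hw_key)
    for _ in range(MAX_SVN - svn):
        key = prf(key, DERIVATION_STRING)
    return key


def recover_older_key(current_key: bytes, current_svn: int, target_svn: int) -> bytes:
    """Data migration: from the running TCB's key, 'go back' to an older TCB's key
    by performing the additional PRF steps. Going forward is refused because the
    one-way chain gives no way to compute a newer key."""
    if not 0 <= target_svn <= current_svn <= MAX_SVN:
        raise PermissionError("can only derive keys for the current or an older TCB")
    key = current_key
    for _ in range(current_svn - target_svn):
        key = prf(key, DERIVATION_STRING)
    return key


def seal(key: bytes, data: bytes) -> bytes:
    """Toy sealing: bind data to a TCB key with a MAC so a later unseal can prove
    which TCB key it was sealed under (real SGX sealing also encrypts)."""
    return data + prf(key, data)


def unseal(key: bytes, blob: bytes) -> bytes:
    data, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, prf(key, data)):
        raise ValueError("wrong TCB key or tampered blob")
    return data


def migration_demo(hw_key: bytes) -> dict:
    """Seal at SVN 3, update the TCB to SVN 4, then unseal via the recovered key."""
    old_svn, new_svn = 3, 4
    blob = seal(tcb_key(hw_key, old_svn), b"database master key (constructed)")
    new_key = tcb_key(hw_key, new_svn)          # what the updated part now derives
    # Updated platform: step back one SVN and unseal the pre-update blob.
    recovered = unseal(recover_older_key(new_key, new_svn, old_svn), blob)
    # Data resealed under the new TCB is out of reach of the old TCB's key.
    new_blob = seal(new_key, b"resealed after update")
    try:
        unseal(tcb_key(hw_key, old_svn), new_blob)
        old_key_opens_new_blob = True
    except ValueError:
        old_key_opens_new_blob = False
    return {"recovered": recovered, "old_key_opens_new_blob": old_key_opens_new_blob}


if __name__ == "__main__":
    print(migration_demo(b"constructed hardware key"))
```

Because the chain runs backwards from MAX_SVN, the part reaches older keys by doing more PRF steps and can never compute a newer one; that is the forward-secrecy property the slide refers to. An updated platform can therefore still unseal data sealed before the update, while anything resealed at the new SVN stays closed to the old TCB key, and the chain itself lives in the part rather than in updatable code, which is why the slide notes that the mechanism cannot be changed by a TCB update.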
  • 20. Key Challenges – closing recap of the agenda (1. Execution Isolation at the Application boundary; 2. Attestation and Sealing at the Application boundary; 3. Recovery from HW Issues)
    software.intel.com/SGX – the site has the latest info on: SDK & Developer Resources; White Papers; Support Forum
  • 21. [closing slide, no text]