Software guard extensions (SGX) allow an application to instantiate within memory a protected container, referred to as an enclave. An enclave is an area in the address space of an application that provides confidentiality and integrity even in presence of software of higher privilege, even if such software is malicious. The protection is achieved by restricting non-enclave accesses to code/data resident in the enclave, and by enforcing execution integrity for the enclave. An enclave has an identity, which comprises, for example, a hash of the code resident in the enclave, hash of a key with which the enclave was signed, a product version number and product category assigned by the software vendor, a hardware configuration of the enclave, etc. Within SGX, there are hardware-based mechanisms to attest to the identity of an enclave. There are also mechanisms to derive, using software and hardware, keys tied to a portion of the identity of the enclave. However, at present, there is no provision for enclave software to record the identity of its own configuration, or to seal secrets based on such recorded values. This disclosure describes mechanisms that allow enclave software to record and seal its configuration identity.
Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 License.
Savagaonkar, Uday, "Memory enclaves with software configuration information", Technical Disclosure Commons, (January 30, 2017)