SGX Developer Guide
# Reference

[TEE and SGX](https://software.intel.com/en-us/articles/intel-hardware-based-security-technologies-bring-differentiation-to-biometrics-recognition)

# 1. Introduction

This guide introduces how to develop sound application enclaves.

- Untrusted Run-Time System (uRTS): code that executes outside of the Intel SGX enclave environment and performs functions such as:
  - Loading and managing an enclave
  - Making calls to an enclave and receiving calls from within an enclave
- Trusted Run-Time System (tRTS): code that executes within an Intel SGX enclave environment and performs functions such as:
  - Receiving calls into the enclave and making calls outside of an enclave
  - Managing the enclave itself
  - Standard C/C++ libraries
- Edge Routines: functions that may run outside the enclave or inside the enclave and serve to bind a call from the application with a function inside the enclave, or a call from the enclave with a function in the application
- 3rd party libraries: any library that has been tailored to work inside the Intel SGX enclave environment

Terminology

| Term | Definition|
|---:|---:|
|ECall|a call made into an interface within the enclave|
|OCall|a call made from within the enclave to the outside application|

# 2. Enclave Programming Model

Follow these principles to develop application enclaves correctly:

- An enclave is a monolithic software entity (trusted runtime system, ISV code, 3rd party trusted libraries)
- The untrusted domain controls the order in which the enclave interface functions are invoked
- When calling into an enclave, it is the untrusted domain that selects the trusted thread context to be used within the enclave
- ECall input parameters and OCall return parameters may not be what the enclave expects
- The untrusted function invoked during an OCall may not perform the operation expected by the enclave
- Anyone may load an enclave

# 3. Enclave File Format

An enclave library file contains trusted code and data sections that will be loaded into protected memory, the Enclave Page Cache (EPC), when the enclave is created. An enclave file also contains an Intel SGX specific data structure, the enclave metadata. The metadata is not loaded into the EPC.

The metadata:

- is used by the untrusted loader to determine how to properly load the enclave in the EPC
- defines a number of trusted thread contexts, which include the trusted stack and a trusted heap initialized by the trusted runtime system at enclave initialization

# 4. Enclave Trusted Computing Base(TCB)

<center> ![TCB](https://leanote.com/api/file/getImage?fileId=5aaf7a96ab64411bf7001ce1) </center>

The rest of the untrusted application cannot directly read data that resides in the protected environment, or change the behavior of the code within the enclave.

Partitioning an application into trusted and untrusted components has additional implications from a security standpoint. It is generally accepted that a smaller memory footprint (smaller code and data) usually implies a lower chance of having defects in the final software product.

The opposite approach is to move the majority of application code into an enclave; in most cases this would not be desirable. **The TCB size should be a factor to consider when designing**

Related to power management: the smaller the state information stored inside the enclave, the quicker the enclave will be able to back up this information outside the enclave and to recover from a power event.

# 5. Enclave Interface Functions(ECalls)

ISV trusted code is executed in the following scenarios:

- The untrusted application explicitly makes a call to an enclave interface function within the enclave
- After a call made from within the enclave to the outside application (OCall) returns
- After an interrupt returns, the enclave code is also executed

An enclave must expose an API for applications to call in (ECalls) and advertise what services provided by the untrusted domain are needed (OCalls).

## 5.1 Enclave Inputs

## 5.2 Input Passed by Reference

The enclave writer must handle references or pointers with special care:

- The enclave software must determine whether the memory region is inside or outside the enclave linear range before dereferencing the pointer
- The enclave must ensure the data cannot be modified after it is checked

Developers should only pass, through the enclave boundary interface, pointers to objects of scope known inside the enclave. **Pointers to C data structures are reasonable, but pointers to C++ objects are not.**

# 6 Calls outside the Enclave(OCalls)

- Enclave operations that require an OCall are exposed to the untrusted domain (avoid side-channel attacks)
- An enclave must be prepared to handle the scenario where the OCall function is not performed at all
- An enclave cannot depend on nested ECalls occurring in a certain order during an OCall (when an OCall invokes an external interface, that interface making an ECall in turn is not allowed)
- An OCall exposes its input parameters and return values

Avoid using OCalls as far as possible; the trusted and untrusted areas can be repartitioned instead.

## 6.1 Nested ECalls(ECalls during OCalls)

An OCall opens the door for nested ECalls.

# 7 Third Party Libraries

If a trusted library contains any function that is exposed, the ISV must confirm that the library provider also has this interface function check its input parameters exhaustively. The enclave writer could add a wrapper that performs parameter checking to the API of the third party library.
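The two checks from section 5.2, which are also what a parameter-checking wrapper around a third party library would perform, as an added C example (not code from the Intel SDK or from this page). The enclave range is simulated with a static array, and `buf_is_outside_enclave`, `request_t` and `ecall_sum` are hypothetical names; inside a real enclave the SDK function `sgx_is_outside_enclave()` does the range test.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simulated enclave linear range: a static array stands in for EPC-backed
 * memory. Inside a real enclave, the SDK's sgx_is_outside_enclave() plays
 * the role of buf_is_outside_enclave(). */
static uint8_t enclave_mem[4096];

/* Returns 1 only if [p, p+len) lies entirely outside the enclave range. */
int buf_is_outside_enclave(const void *p, size_t len)
{
    uintptr_t start = (uintptr_t)p;
    uintptr_t base = (uintptr_t)enclave_mem;
    if (len == 0 || start > UINTPTR_MAX - len)
        return 0;                        /* empty or wrapping range */
    return start + len <= base || start >= base + sizeof enclave_mem;
}

/* Plain C structure passed by reference across the boundary. */
typedef struct { uint32_t len; const uint8_t *data; } request_t;
#define MAX_REQ 64

/* Hypothetical ECall body: returns the byte sum, or a negative error. */
int ecall_sum(const request_t *untrusted)
{
    request_t req;                       /* trusted snapshot of the header */
    uint8_t local[MAX_REQ];              /* trusted copy of the payload */
    int sum = 0;

    /* Check 1: the structure itself must lie outside the enclave. */
    if (!untrusted || !buf_is_outside_enclave(untrusted, sizeof *untrusted))
        return -1;
    /* Check 2: copy once, so the values validated are the values used. */
    memcpy(&req, untrusted, sizeof req);
    if (req.len == 0 || req.len > MAX_REQ)
        return -2;
    /* The embedded pointer gets the same range test before dereferencing. */
    if (!req.data || !buf_is_outside_enclave(req.data, req.len))
        return -3;
    memcpy(local, req.data, req.len);    /* later outside edits are ignored */
    for (uint32_t i = 0; i < req.len; i++)
        sum += local[i];
    return sum;
}
```

The function only ever reads `req` and `local`, so a change made by the untrusted side after the checks cannot alter what the enclave processes.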
# 8 Enclave Signature

Three main activities are involved in establishing trust in software:

- Measurement: As an enclave is instantiated in a trusted environment, an accurate and protected recording of its identity is taken
- Attestation: Demonstrating to other entities that a particular environment was instantiated in the correct manner
- Sealing: Enabling data belonging to the trusted environment to be bound to it such that it can be restored only when the trusted environment is restored

Enclaves include a self-signed certificate from the enclave author, also known as **the Enclave Signature (SIGSTRUCT)**.

A program is not simply loaded into the EPC: its signature must be verified. An attacker can also sign an enclave, so the following measures guard against this:

- Enclave Measurement: the CPU calculates the enclave measurement and stores this value in the MRENCLAVE register, then compares MRENCLAVE with the value in SIGSTRUCT; only if they match will the CPU allow the enclave to be initialized
- The Enclave Author's Public Key: after the enclave is successfully initialized, the CPU records a hash of the public key in the MRSIGNER register
- The Security Version Number of the Enclave (ISVSVN)
- The Product ID of the Enclave (ISVPRODID)

# 9 Safeguarding the Enclave Signing Key

The SDK includes a tool for signing enclaves, called **sgx_sign**.

# 10 Maintaining the Development Platform Clean

# 11 Attestation

Two forms of attestation are supported. The first creates a basic assertion between enclaves running on the same platform, which supports local or intra-platform attestation. The second provides the foundation for attestation between an enclave and a remote third party.

## 11.1 Local(Intra-Platform) Attestation

Developers need a mechanism that allows an enclave to prove its identity and authenticity to another party within the local platform.

SGX provides one such technology: an enclave can ask the hardware to generate a credential, also known as a report, which includes cryptographic proof that the enclave exists on the platform. This report can be given to another enclave, which can verify that the enclave report was generated on the same platform. The hardware key is kept on the hardware platform, so an enclave can directly verify a report produced by this hardware.

An enclave report contains the following data:

- Measurement of the code and data in the enclave
- A hash of the public key in the ISV certificate presented at enclave initialization time
- User data
- Other security related state information
- A signature block over the above data, which can be verified by the same platform

---

**Local Attestation Example**

1. Application A hosts enclave A and application B hosts enclave B. Untrusted A and untrusted B have established a communication path between the two enclaves, and enclave B sends its MRENCLAVE identity to enclave A.
2. Enclave A asks the hardware to produce a report structure destined for enclave B using the MRENCLAVE value it received from enclave B. Enclave A transmits its report to enclave B via the untrusted application.
3. Once it has received the report from enclave A, enclave B asks the hardware to verify the report to affirm that enclave A is on the same platform as enclave B.
4. Enclave A then verifies the report to affirm that enclave B exists on the same platform as enclave A.

---

# 12 Remote(Inter-Platform) Attestation

# 13 Distinguishing between Running Enclave Instances

There is no direct mechanism to distinguish between two running instances of an enclave. To establish trust in the underlying enclave, use the RDRAND functionality of the hardware and ensure its output is submitted as part of the user data field included in the reports exchanged between enclaves.

# 14 Debug(Opt-in) Enclave Considerations

A debug enclave's memory is not protected by the hardware, so it may be inspected and modified using the Intel SGX debugging instructions.

# 15 Disposal of Enclave Secrets

Enclave secrets may be safely stored outside the enclave boundary after such secrets are properly sealed.

# 16 Sealing

When an enclave is instantiated it provides (confidentiality and integrity) protection to the data by keeping it within the boundary of the enclave.
Identify which data or state is secret and must be preserved in the following situations:

- the application is done with the enclave and closes it
- the application itself is closed
- the platform is hibernated or shut down

The seal key can only be generated by that enclave on that particular platform. It is used to encrypt and decrypt the secret data.

# 17. Software Sealing Policies

When sealing data, the enclave needs to specify the conditions which need to be met when the data is to be unsealed.

## 17.1 Seal to the Current Enclave (Enclave Measurement)

This policy uses the current version of the enclave measurement (MRENCLAVE).

## 17.2 Seal to the Enclave Author

Sealing to the enclave author uses the identity of the enclave author, which the CPU stores in the MRSIGNER register at enclave initialization time, and binds this value to the key used by the seal data function.

# 18 Sealing and Unsealing Process

## 18.1 Sealing

① Allocate memory within the enclave for the encrypted data and the sealed data structure, which includes the payload consisting of both the data to encrypt and the Additional Authentication Data (AAD). The AAD includes information about the application enclave, version, data and so on.

② Call the seal data API to perform the sealing operation:

- Verify the input parameters are valid
- Instantiate and populate a key request structure used in the EGETKEY operation to obtain a seal key:
  - Call EREPORT to obtain the ISV and TCB Security Version Numbers, which will be used in the key derivation
  - Key Name: Identifies the key required, which in this case is the seal key
  - Key Policy: Identifies the inputs required to be used in the key derivation (use MRSIGNER to seal to the enclave's author or MRENCLAVE to seal to the current enclave)
  - Key ID: Call RDRAND to obtain a random number for key wear-out protection
  - Attribute Mask: Bitmask indicating which attributes the seal key should be bound to
- Call EGETKEY with the key request structure from the previous step to obtain the seal key
- Call the encryption algorithm to perform the seal operation with the seal key
- Delete the seal key from memory to prevent accidental leaks

③ Save the sealed data structure to external memory for future use within an enclave

## 18.2 Unsealing

The high level process for unsealing data within an enclave is as follows:

① Allocate memory for the decrypted data

② Call the unseal data API to perform the unsealing operation. An example unseal operation algorithm is:

- Verify the input parameters are valid
- Retrieve the key request structure used in conjunction with the sealed data structure
- Call EGETKEY with the key request structure to obtain the seal key
- Call the decryption algorithm to perform the unseal operation with the seal key
- Delete the seal key from memory to prevent accidental leaks
- Confirm that the hash tag generated by the decryption algorithm matches the tag generated during encryption

# 19 Distinguishing between Enclave Instances

Both instances will return the same key value for the enclave; this is a basic premise for keeping data secret across power cycles. It is recommended that the enclave writer assign a different identity to the enclave through the enclave signature mechanism.

# 20 Data Migration across Platforms

Before the Intel SGX technology, the hardware platform was never part of the TCB for encrypting user data. This allowed the user to easily migrate their data, even if it was encrypted, from one platform to another.

# 21 Debug Enclave Considerations

Debug and non-debug mode enclaves will get different seal keys.

# 22 Running an Enclave with Validated Features
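Sections 17, 19, 20 and 21 all follow from which inputs the seal key is bound to. The C model below is an added example, not Intel code and not the CPU's real key derivation: `model_seal_key`, `enclave_id_t`, the 8-byte identity fields and the `platform_secret` parameter are assumptions, and FNV-1a stands in for the hardware derivation only to show which inputs change the key.

```c
#include <stddef.h>
#include <stdint.h>

/* Identity values named on the page, shortened to 8 bytes for the model. */
typedef struct {
    uint8_t  mrenclave[8];  /* measurement of the enclave's code and data */
    uint8_t  mrsigner[8];   /* hash of the enclave author's public key */
    uint16_t isvprodid;
    uint16_t isvsvn;
    uint8_t  debug;         /* 1 for a debug (opt-in) enclave */
} enclave_id_t;

enum key_policy { SEAL_TO_MRENCLAVE, SEAL_TO_MRSIGNER };

/* FNV-1a mixing step: a stand-in only, NOT a cryptographic derivation. */
static uint64_t mix(uint64_t h, const void *p, size_t n)
{
    const uint8_t *b = p;
    while (n--) { h ^= *b++; h *= 0x100000001b3ULL; }
    return h;
}

/* Model of a seal-key request. platform_secret stands for key material
 * that never leaves the CPU; key_id is the random value kept in the key
 * request so the same key can be requested again when unsealing. */
uint64_t model_seal_key(uint64_t platform_secret, const enclave_id_t *e,
                        enum key_policy policy, uint64_t key_id)
{
    uint64_t h = mix(0xcbf29ce484222325ULL, &platform_secret,
                     sizeof platform_secret);
    if (policy == SEAL_TO_MRENCLAVE)     /* section 17.1 */
        h = mix(h, e->mrenclave, sizeof e->mrenclave);
    else                                 /* section 17.2 */
        h = mix(h, e->mrsigner, sizeof e->mrsigner);
    h = mix(h, &e->isvprodid, sizeof e->isvprodid);
    h = mix(h, &e->isvsvn, sizeof e->isvsvn);
    h = mix(h, &e->debug, sizeof e->debug);  /* section 21 */
    return mix(h, &key_id, sizeof key_id);
}
```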