intel sgx webinar deck - final · 2 a trusted execution environment from intel for applications...
TRANSCRIPT
![Page 1: Intel SGX Webinar Deck - Final · 2 A Trusted Execution Environment from Intel for applications Trusted hardware: the CPU die ... Add an Enclave Project to the Console-Application](https://reader030.vdocuments.mx/reader030/viewer/2022041110/5f0fe4d57e708231d44669ae/html5/thumbnails/1.jpg)
April 18, 2017
![Page 2: Intel SGX Webinar Deck - Final · 2 A Trusted Execution Environment from Intel for applications Trusted hardware: the CPU die ... Add an Enclave Project to the Console-Application](https://reader030.vdocuments.mx/reader030/viewer/2022041110/5f0fe4d57e708231d44669ae/html5/thumbnails/2.jpg)
Why Use Intel® SGX?
Many applications have secrets that need to be protected.
Examples of
secrets include: Healthcare records Personally identifiable information (PII)
Passwords Encryption keys Intellectual property (IP)
Biometric factors and templates
2
![Page 3: Intel SGX Webinar Deck - Final · 2 A Trusted Execution Environment from Intel for applications Trusted hardware: the CPU die ... Add an Enclave Project to the Console-Application](https://reader030.vdocuments.mx/reader030/viewer/2022041110/5f0fe4d57e708231d44669ae/html5/thumbnails/3.jpg)
A Trusted Execution Environment from Intel for applications
Trusted hardware: the CPU die
Isolates a portion of physical memory to protect select code and data from view or modification
In Intel SGX, these isolated portions of memory are called “enclaves”
What Is Intel® SGX?
3
![Page 4: Intel SGX Webinar Deck - Final · 2 A Trusted Execution Environment from Intel for applications Trusted hardware: the CPU die ... Add an Enclave Project to the Console-Application](https://reader030.vdocuments.mx/reader030/viewer/2022041110/5f0fe4d57e708231d44669ae/html5/thumbnails/4.jpg)
1. An Intel® SGX–enabled app is built with trusted and untrusted parts.
2. Best practice: the trusted partition should contain just the minimum amount of content required to protect your secrets.
Trusted and Untrusted Partitions
Untrusted Part of App Trusted Part of App
(Enclave)
Privileged System Code, OS, VMM, BIOS, SMM, etc.
/** A PNG Image file. */Class ImageFile {Public:
ImageFile();~ImageFile();
void Clear();const char *LoadFileint GetWidth() const;
Secrets and necessary functions
4
![Page 5: Intel SGX Webinar Deck - Final · 2 A Trusted Execution Environment from Intel for applications Trusted hardware: the CPU die ... Add an Enclave Project to the Console-Application](https://reader030.vdocuments.mx/reader030/viewer/2022041110/5f0fe4d57e708231d44669ae/html5/thumbnails/5.jpg)
What Intel® SGX Can’t Protect You From
Buffer-overflow attacks
Side-channel attacks
Untrusted inputs into the enclave
There is no substitute for good, secure programming practices
5
![Page 6: Intel SGX Webinar Deck - Final · 2 A Trusted Execution Environment from Intel for applications Trusted hardware: the CPU die ... Add an Enclave Project to the Console-Application](https://reader030.vdocuments.mx/reader030/viewer/2022041110/5f0fe4d57e708231d44669ae/html5/thumbnails/6.jpg)
Intel® SGX Design Imperatives
Protect sensitive data
Do not interfere with legitimate operations
Develop trusted applications using familiar tools and processes
6
![Page 7: Intel SGX Webinar Deck - Final · 2 A Trusted Execution Environment from Intel for applications Trusted hardware: the CPU die ... Add an Enclave Project to the Console-Application](https://reader030.vdocuments.mx/reader030/viewer/2022041110/5f0fe4d57e708231d44669ae/html5/thumbnails/7.jpg)
What Do You Need to Develop and Run Enclaves?
A platform with an Intel® SGX–enabled CPU and BIOS
Intel SGX platform software (PSW)
The Intel SGX software-development kit (SDK)
Microsoft Visual Studio 2015 Professional* or Eclipse™
– Supports Intel SGX debugger
7
![Page 8: Intel SGX Webinar Deck - Final · 2 A Trusted Execution Environment from Intel for applications Trusted hardware: the CPU die ... Add an Enclave Project to the Console-Application](https://reader030.vdocuments.mx/reader030/viewer/2022041110/5f0fe4d57e708231d44669ae/html5/thumbnails/8.jpg)
What Can You Do with Enclaves?
8
Access secrets Attest services Seal secrets
2 31
![Page 9: Intel SGX Webinar Deck - Final · 2 A Trusted Execution Environment from Intel for applications Trusted hardware: the CPU die ... Add an Enclave Project to the Console-Application](https://reader030.vdocuments.mx/reader030/viewer/2022041110/5f0fe4d57e708231d44669ae/html5/thumbnails/9.jpg)
Demonstration
![Page 10: Intel SGX Webinar Deck - Final · 2 A Trusted Execution Environment from Intel for applications Trusted hardware: the CPU die ... Add an Enclave Project to the Console-Application](https://reader030.vdocuments.mx/reader030/viewer/2022041110/5f0fe4d57e708231d44669ae/html5/thumbnails/10.jpg)
Create a Console-Application Project
10
Demo
![Page 11: Intel SGX Webinar Deck - Final · 2 A Trusted Execution Environment from Intel for applications Trusted hardware: the CPU die ... Add an Enclave Project to the Console-Application](https://reader030.vdocuments.mx/reader030/viewer/2022041110/5f0fe4d57e708231d44669ae/html5/thumbnails/11.jpg)
Create a Console-Application Project
11
Demo
![Page 12: Intel SGX Webinar Deck - Final · 2 A Trusted Execution Environment from Intel for applications Trusted hardware: the CPU die ... Add an Enclave Project to the Console-Application](https://reader030.vdocuments.mx/reader030/viewer/2022041110/5f0fe4d57e708231d44669ae/html5/thumbnails/12.jpg)
Create a Console-Application Project
12
Demo
![Page 13: Intel SGX Webinar Deck - Final · 2 A Trusted Execution Environment from Intel for applications Trusted hardware: the CPU die ... Add an Enclave Project to the Console-Application](https://reader030.vdocuments.mx/reader030/viewer/2022041110/5f0fe4d57e708231d44669ae/html5/thumbnails/13.jpg)
Create an Enclave-Application Project
13
Demo
![Page 14: Intel SGX Webinar Deck - Final · 2 A Trusted Execution Environment from Intel for applications Trusted hardware: the CPU die ... Add an Enclave Project to the Console-Application](https://reader030.vdocuments.mx/reader030/viewer/2022041110/5f0fe4d57e708231d44669ae/html5/thumbnails/14.jpg)
Add an Enclave Project to the Console-Application Project
14
Demo
![Page 15: Intel SGX Webinar Deck - Final · 2 A Trusted Execution Environment from Intel for applications Trusted hardware: the CPU die ... Add an Enclave Project to the Console-Application](https://reader030.vdocuments.mx/reader030/viewer/2022041110/5f0fe4d57e708231d44669ae/html5/thumbnails/15.jpg)
Import an Enclave into a Console Application
15
Demo
![Page 16: Intel SGX Webinar Deck - Final · 2 A Trusted Execution Environment from Intel for applications Trusted hardware: the CPU die ... Add an Enclave Project to the Console-Application](https://reader030.vdocuments.mx/reader030/viewer/2022041110/5f0fe4d57e708231d44669ae/html5/thumbnails/16.jpg)
Import an Enclave into a Console Application
16
Demo
![Page 17: Intel SGX Webinar Deck - Final · 2 A Trusted Execution Environment from Intel for applications Trusted hardware: the CPU die ... Add an Enclave Project to the Console-Application](https://reader030.vdocuments.mx/reader030/viewer/2022041110/5f0fe4d57e708231d44669ae/html5/thumbnails/17.jpg)
Import an Enclave into a Console Application
17
Demo
![Page 18: Intel SGX Webinar Deck - Final · 2 A Trusted Execution Environment from Intel for applications Trusted hardware: the CPU die ... Add an Enclave Project to the Console-Application](https://reader030.vdocuments.mx/reader030/viewer/2022041110/5f0fe4d57e708231d44669ae/html5/thumbnails/18.jpg)
Import an Enclave into a Console Application
18
Demo
![Page 19: Intel SGX Webinar Deck - Final · 2 A Trusted Execution Environment from Intel for applications Trusted hardware: the CPU die ... Add an Enclave Project to the Console-Application](https://reader030.vdocuments.mx/reader030/viewer/2022041110/5f0fe4d57e708231d44669ae/html5/thumbnails/19.jpg)
![Page 20: Intel SGX Webinar Deck - Final · 2 A Trusted Execution Environment from Intel for applications Trusted hardware: the CPU die ... Add an Enclave Project to the Console-Application](https://reader030.vdocuments.mx/reader030/viewer/2022041110/5f0fe4d57e708231d44669ae/html5/thumbnails/20.jpg)
EDL stands for Enclave Definition Language.
It defines the interface between the trusted and untrusted portions of your applications.
A Brief Introduction to EDL
20
![Page 21: Intel SGX Webinar Deck - Final · 2 A Trusted Execution Environment from Intel for applications Trusted hardware: the CPU die ... Add an Enclave Project to the Console-Application](https://reader030.vdocuments.mx/reader030/viewer/2022041110/5f0fe4d57e708231d44669ae/html5/thumbnails/21.jpg)
1. An Intel® SGX–enabled app is built
with trusted and untrusted parts.
2. The app runs and creates an enclave,
which is placed in trusted memory.
3. A trusted function is called, code
running inside the enclave sees
the data as clear text, and external
access to the data is denied.
4. The function returns, and the enclave
data remains in trusted memory.
Trusted and Untrusted Application Code
Untrusted Part of App Trusted Part of App
(Enclave)
Privileged System Code, OS, VMM, BIOS, SMM, etc.
Create Enclave
Call Trusted Function
Execute
Return
Call Gate
21
![Page 22: Intel SGX Webinar Deck - Final · 2 A Trusted Execution Environment from Intel for applications Trusted hardware: the CPU die ... Add an Enclave Project to the Console-Application](https://reader030.vdocuments.mx/reader030/viewer/2022041110/5f0fe4d57e708231d44669ae/html5/thumbnails/22.jpg)
Edge Code Auto-generation
The Intel® SGX SDK auto-generates edge routines defined by EDL through use of the Edger8r* tool:
Intel SGX uses only plain C, so wrapper functions are necessary.
It auto-generates the code the first time you build a project.
It produces edge routines for accessing enclaves.
Edge routines are specified by the developer in the EDL file.
22
![Page 23: Intel SGX Webinar Deck - Final · 2 A Trusted Execution Environment from Intel for applications Trusted hardware: the CPU die ... Add an Enclave Project to the Console-Application](https://reader030.vdocuments.mx/reader030/viewer/2022041110/5f0fe4d57e708231d44669ae/html5/thumbnails/23.jpg)
Demonstration
![Page 24: Intel SGX Webinar Deck - Final · 2 A Trusted Execution Environment from Intel for applications Trusted hardware: the CPU die ... Add an Enclave Project to the Console-Application](https://reader030.vdocuments.mx/reader030/viewer/2022041110/5f0fe4d57e708231d44669ae/html5/thumbnails/24.jpg)
Add a Trusted Call to an Enclave Project
24
Demo
![Page 25: Intel SGX Webinar Deck - Final · 2 A Trusted Execution Environment from Intel for applications Trusted hardware: the CPU die ... Add an Enclave Project to the Console-Application](https://reader030.vdocuments.mx/reader030/viewer/2022041110/5f0fe4d57e708231d44669ae/html5/thumbnails/25.jpg)
Add a Trusted Call to an Enclave Project
25
Demo
![Page 26: Intel SGX Webinar Deck - Final · 2 A Trusted Execution Environment from Intel for applications Trusted hardware: the CPU die ... Add an Enclave Project to the Console-Application](https://reader030.vdocuments.mx/reader030/viewer/2022041110/5f0fe4d57e708231d44669ae/html5/thumbnails/26.jpg)
Add a Trusted Call to an Enclave Project
26
Demo
![Page 27: Intel SGX Webinar Deck - Final · 2 A Trusted Execution Environment from Intel for applications Trusted hardware: the CPU die ... Add an Enclave Project to the Console-Application](https://reader030.vdocuments.mx/reader030/viewer/2022041110/5f0fe4d57e708231d44669ae/html5/thumbnails/27.jpg)
Add a Trusted Call to an Enclave Project
27
Demo
![Page 28: Intel SGX Webinar Deck - Final · 2 A Trusted Execution Environment from Intel for applications Trusted hardware: the CPU die ... Add an Enclave Project to the Console-Application](https://reader030.vdocuments.mx/reader030/viewer/2022041110/5f0fe4d57e708231d44669ae/html5/thumbnails/28.jpg)
Implement Enclave Functions
28
Demo
![Page 29: Intel SGX Webinar Deck - Final · 2 A Trusted Execution Environment from Intel for applications Trusted hardware: the CPU die ... Add an Enclave Project to the Console-Application](https://reader030.vdocuments.mx/reader030/viewer/2022041110/5f0fe4d57e708231d44669ae/html5/thumbnails/29.jpg)
Implement the Enclave Application
29
Demo
![Page 30: Intel SGX Webinar Deck - Final · 2 A Trusted Execution Environment from Intel for applications Trusted hardware: the CPU die ... Add an Enclave Project to the Console-Application](https://reader030.vdocuments.mx/reader030/viewer/2022041110/5f0fe4d57e708231d44669ae/html5/thumbnails/30.jpg)
Implement the Enclave Application
30
Demo
![Page 31: Intel SGX Webinar Deck - Final · 2 A Trusted Execution Environment from Intel for applications Trusted hardware: the CPU die ... Add an Enclave Project to the Console-Application](https://reader030.vdocuments.mx/reader030/viewer/2022041110/5f0fe4d57e708231d44669ae/html5/thumbnails/31.jpg)
Implement the Enclave Application
31
Demo
![Page 32: Intel SGX Webinar Deck - Final · 2 A Trusted Execution Environment from Intel for applications Trusted hardware: the CPU die ... Add an Enclave Project to the Console-Application](https://reader030.vdocuments.mx/reader030/viewer/2022041110/5f0fe4d57e708231d44669ae/html5/thumbnails/32.jpg)
Implement the Enclave Application
32
Demo
![Page 33: Intel SGX Webinar Deck - Final · 2 A Trusted Execution Environment from Intel for applications Trusted hardware: the CPU die ... Add an Enclave Project to the Console-Application](https://reader030.vdocuments.mx/reader030/viewer/2022041110/5f0fe4d57e708231d44669ae/html5/thumbnails/33.jpg)
![Page 34: Intel SGX Webinar Deck - Final · 2 A Trusted Execution Environment from Intel for applications Trusted hardware: the CPU die ... Add an Enclave Project to the Console-Application](https://reader030.vdocuments.mx/reader030/viewer/2022041110/5f0fe4d57e708231d44669ae/html5/thumbnails/34.jpg)
Wrap-up
Hardware-based protection for sensitive data
SDK auto-generates many necessary wrapper functions
Build trusted apps with familiar tools
Visit the links at the end of the webinar to learn more and see other examples
34
![Page 35: Intel SGX Webinar Deck - Final · 2 A Trusted Execution Environment from Intel for applications Trusted hardware: the CPU die ... Add an Enclave Project to the Console-Application](https://reader030.vdocuments.mx/reader030/viewer/2022041110/5f0fe4d57e708231d44669ae/html5/thumbnails/35.jpg)
Additional Resources
Intel® SGX sample code and tutorials: https://software.intel.com/en-us/sgx/code-samples
Intel SGX forum: https://software.intel.com/en-us/forums/intel-software-guard-extensions-intel-sgx
Intel SGX for Linux*: https://01.org/intel-software-guard-extensions
Intel SGX at the Intel® Developer Zone: https://software.intel.com/en-us/sgx
35
![Page 36: Intel SGX Webinar Deck - Final · 2 A Trusted Execution Environment from Intel for applications Trusted hardware: the CPU die ... Add an Enclave Project to the Console-Application](https://reader030.vdocuments.mx/reader030/viewer/2022041110/5f0fe4d57e708231d44669ae/html5/thumbnails/36.jpg)
Q&A
36
![Page 37: Intel SGX Webinar Deck - Final · 2 A Trusted Execution Environment from Intel for applications Trusted hardware: the CPU die ... Add an Enclave Project to the Console-Application](https://reader030.vdocuments.mx/reader030/viewer/2022041110/5f0fe4d57e708231d44669ae/html5/thumbnails/37.jpg)
![Page 38: Intel SGX Webinar Deck - Final · 2 A Trusted Execution Environment from Intel for applications Trusted hardware: the CPU die ... Add an Enclave Project to the Console-Application](https://reader030.vdocuments.mx/reader030/viewer/2022041110/5f0fe4d57e708231d44669ae/html5/thumbnails/38.jpg)
Legal Notices and Disclaimers
Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No computer system can be absolutely secure. Check with your system manufacturer or retailer or learn more at intel.com.
Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade.
Intel, the Intel logo, and Intel Core are trademarks of Intel Corporation in the U.S. and/or other countries.
*Other names and brands may be claimed as the property of others.
© 2017 Intel Corporation.
38