SGX

Intel Software Guard Extensions (SGX) is a set of processor features that enable the creation of enclaves: protected regions of execution in memory. Enclaves are designed to protect code and data from a potentially compromised system, including the operating system and hypervisor. SGX provides confidentiality and integrity for the contents of an enclave even when the surrounding software stack is untrusted.

Enclave memory lives in a protected region called the enclave page cache (EPC). Data and instructions inside an enclave are visible only to the code running within that enclave. Access to enclaves occurs through specific instructions and SDK calls, such as ECALL and EENTER to enter an enclave and EEXIT to leave it, with the processor enforcing strict isolation to prevent leakage or tampering by non-enclave code.

SGX includes mechanisms for attestation and sealing. Attestation allows an enclave to prove to a remote party that it is genuine and running on a particular platform, using local or remote attestation, historically supported by mechanisms such as EPID or DCAP. Sealing provides a means to persistently store secrets by deriving cryptographic keys from the enclave identity and the platform state, so that encrypted data can be recovered only by authorized enclaves on trusted platforms.

Development and deployment of SGX-enabled applications are supported by dedicated SDKs and toolchains, with adoption in various cloud and on-premises environments. While SGX can protect sensitive computations, it has limitations, including finite enclave memory resources, potential performance overheads, and exposure to certain side-channel attacks. Designing secure SGX applications requires careful handling of code, data, and interaction with untrusted software.
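The following is an added example (not Intel's SDK or hardware code) that models the two mechanisms described above: a verifier checking an attestation report, and sealing keys derived from enclave identity (MRENCLAVE or MRSIGNER policy) plus platform state. It is a simulation written for this page: the constructed platform keys stand in for the fused CPU secret used by EREPORT/EGETKEY, the measurements are SHA-256 hashes of constructed byte strings, and HMAC-SHA256 in counter mode stands in for the AES-GCM the real SDK uses to seal. All identities, nonces and secrets are constructed values, not real measurements.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# Constructed stand-ins for the per-CPU fused secret that real SGX feeds into
# EREPORT/EGETKEY. These are NOT real platform keys.
PLATFORM_ROOT_KEY = hashlib.sha256(b"constructed-platform-root-secret").digest()
OTHER_PLATFORM_KEY = hashlib.sha256(b"constructed-other-platform-secret").digest()


@dataclass(frozen=True)
class EnclaveIdentity:
    mrenclave: bytes  # hash of initial code and data; changes on every rebuild
    mrsigner: bytes   # hash of the vendor signing key; stable across versions
    isvsvn: int       # vendor-assigned security version number


def make_identity(code: bytes, signer_key: bytes, isvsvn: int) -> EnclaveIdentity:
    """Build a modeled identity from constructed code and signer-key bytes."""
    return EnclaveIdentity(hashlib.sha256(code).digest(),
                           hashlib.sha256(signer_key).digest(), isvsvn)


# --- Attestation (modeled EREPORT on the platform, verification by a relying party) ---

def create_report(platform_key: bytes, ident: EnclaveIdentity, report_data: bytes) -> bytes:
    """Identity fields plus 64 bytes of caller data, MACed under the platform key."""
    if len(report_data) != 64:
        raise ValueError("report_data must be exactly 64 bytes")
    body = ident.mrenclave + ident.mrsigner + ident.isvsvn.to_bytes(2, "little") + report_data
    return body + hmac.new(platform_key, body, hashlib.sha256).digest()


def verify_report(platform_key: bytes, report: bytes, expected_mrenclave: bytes,
                  nonce: bytes, min_isvsvn: int = 0) -> bool:
    """Relying-party checks: trusted platform, expected code identity, SVN floor, fresh nonce."""
    body, mac = report[:-32], report[-32:]
    if not hmac.compare_digest(hmac.new(platform_key, body, hashlib.sha256).digest(), mac):
        return False  # not produced by a platform whose key we trust
    mrenclave, svn, data = body[:32], int.from_bytes(body[64:66], "little"), body[66:]
    if mrenclave != expected_mrenclave or svn < min_isvsvn:
        return False  # wrong code, or a version below the accepted floor
    # The enclave places H(nonce) in report_data so a captured report cannot be replayed.
    return hmac.compare_digest(data, hashlib.sha256(nonce).digest() + bytes(32))


# --- Sealing (modeled EGETKEY plus authenticated encryption) ---

def sealing_key(platform_key: bytes, ident: EnclaveIdentity, policy: str,
                isvsvn: Optional[int] = None) -> bytes:
    """Derive a seal key bound to the platform and to either the exact build or its signer."""
    isvsvn = ident.isvsvn if isvsvn is None else isvsvn
    if isvsvn > ident.isvsvn:
        raise ValueError("an enclave may not request keys for a newer SVN than its own")
    if policy == "MRENCLAVE":
        label = b"MRENCLAVE" + ident.mrenclave  # only this exact build can re-derive it
    elif policy == "MRSIGNER":
        label = b"MRSIGNER" + ident.mrsigner + isvsvn.to_bytes(2, "little")  # any build by this signer
    else:
        raise ValueError("policy must be MRENCLAVE or MRSIGNER")
    return hmac.new(platform_key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF; a stdlib-only stand-in for AES-GCM."""
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "little"), hashlib.sha256).digest()
              for i in range(-(-length // 32))]
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under sub-keys of the seal key; output nonce || ciphertext || tag."""
    enc_key, mac_key = (hmac.new(key, lbl, hashlib.sha256).digest() for lbl in (b"enc", b"mac"))
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when the tag fails (wrong enclave, wrong platform, tampering)."""
    enc_key, mac_key = (hmac.new(key, lbl, hashlib.sha256).digest() for lbl in (b"enc", b"mac"))
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def demo() -> dict:
    """Scenarios a practitioner would test; each outcome is returned by name."""
    v1 = make_identity(b"constructed enclave v1", b"constructed vendor key", 1)
    v2 = make_identity(b"constructed enclave v2", b"constructed vendor key", 2)  # upgraded build
    rogue = make_identity(b"constructed rogue enclave", b"constructed attacker key", 1)
    nonce = b"constructed verifier nonce"
    report = create_report(PLATFORM_ROOT_KEY, v1, hashlib.sha256(nonce).digest() + bytes(32))
    blob_exact = seal(sealing_key(PLATFORM_ROOT_KEY, v1, "MRENCLAVE"), b"per-build secret")
    blob_signer = seal(sealing_key(PLATFORM_ROOT_KEY, v1, "MRSIGNER"), b"vendor secret")
    return {
        "report_accepted": verify_report(PLATFORM_ROOT_KEY, report, v1.mrenclave, nonce),
        "report_wrong_code": verify_report(PLATFORM_ROOT_KEY, report, rogue.mrenclave, nonce),
        "report_wrong_nonce": verify_report(PLATFORM_ROOT_KEY, report, v1.mrenclave, b"stale"),
        "report_untrusted_platform": verify_report(OTHER_PLATFORM_KEY, report, v1.mrenclave, nonce),
        "report_below_min_svn": verify_report(PLATFORM_ROOT_KEY, report, v1.mrenclave, nonce, 2),
        "v1_unseals_own": unseal(sealing_key(PLATFORM_ROOT_KEY, v1, "MRENCLAVE"), blob_exact),
        "v2_unseals_mrenclave": unseal(sealing_key(PLATFORM_ROOT_KEY, v2, "MRENCLAVE"), blob_exact),
        "v2_unseals_mrsigner": unseal(sealing_key(PLATFORM_ROOT_KEY, v2, "MRSIGNER", 1), blob_signer),
        "rogue_unseals_mrsigner": unseal(sealing_key(PLATFORM_ROOT_KEY, rogue, "MRSIGNER"), blob_signer),
        "other_platform_unseals": unseal(sealing_key(OTHER_PLATFORM_KEY, v1, "MRENCLAVE"), blob_exact),
    }
```

Running `demo()` shows the properties the text describes: the report is accepted only when the platform key, the expected MRENCLAVE, the SVN floor and the nonce all check out; an upgraded build (v2) cannot open data sealed under MRENCLAVE policy but can open MRSIGNER-sealed data by requesting the older SVN, which is why data that must survive enclave updates is typically sealed to the signer; and neither an enclave from another signer nor the same enclave on a different platform can recover anything. The check that an enclave may not request a key for an SVN newer than its own is the model's version of SGX's anti-rollback rule: older, possibly flawed builds cannot derive keys that newer builds will use.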