The full name of SGX in BIOS is "Intel Software Guard Extensions", which is an extension to Intel System (IA). It aims to use hardware security as a mandatory guarantee and does not rely on the security status of firmware and software. , providing a trusted execution environment in user space, which can enhance software security.
The operating environment of this tutorial: Windows 7 system, Dell G3 computer.
SGX technical definition
SGX stands for Intel Software Guard Extensions. As the name suggests, it is an extension to Intel Architecture (IA) to enhance software security. sex.
SGX instruction set extension aims to take hardware security as a mandatory guarantee, independent of the security status of firmware and software, and provide a trusted execution environment for user space, through a new set of instruction set extensions and access The control mechanism realizes the isolated operation between different programs, ensuring the confidentiality and integrity of the user's key code and data from being destroyed by malware.
This approach does not identify and isolate all malware on the platform, but encapsulates the security operations of legitimate software in an enclave to protect it from attacks by malware, privileged or unprivileged software. None can access the enclave. That is to say, once the software and data are located in the enclave, even the operating system or VMM (Hypervisor) cannot affect the code and data in the enclave.
The security boundary of the Enclave only includes the CPU and itself. The enclave created by SGX can also be understood as a Trusted Execution Environment TEE (Trusted Execution Environment).
However, it is slightly different from ARM TrustZone (TZ). TZ is divided into two isolation environments (safe world and normal world) through the CPU, and the two communicate through SMC instructions; while SGX A CPU can run multiple security enclaves, and they can be executed concurrently.
Of course, the same effect can be achieved by implementing multiple mutually isolated security services within the TZ security world.
Creation of SGX Enclave
With the SGX technology of Intel processor, through the hardware mode switching of the CPU, the system Enter the trusted mode execution, use only the necessary hardware to form a completely isolated privileged mode, load a very small microkernel operating system to support task scheduling, complete identity authentication, and authenticate the user identity according to the authentication.
By using Intel SGX technology, the specific implementation plan to build an Enclave as a completely isolated privileged mode is as follows:
(1) Load the virtual machine image that needs to be run into the disk.
(2) Generate a secret key certificate for encrypting application code and data. SGX technology provides a more advanced secret key encryption method. The secret key is composed of the SGX version secret key, the CPU machine secret key and the Intel official distribution The user's secret key is a brand new key generated under the key generation algorithm, and this key is used to encrypt the code and data of the application that needs to be loaded.
(3) First load the code and data of the application or image that needs to be loaded into the SGX Loader to prepare for loading it into the Enclave.
(4) Dynamically apply to build an Enclave in Intel SGX trusted mode.
(5) First decrypt the programs and data that need to be loaded through the secret key certificate in the form of EPC (Enclave Page Cache).
(6) Use SGX instructions to prove that the decrypted program and data are trustworthy, load them into the Enclave, and then copy each EPC content loaded into the Enclave.
(7) Due to the use of hardware isolation, the confidentiality and integrity of the Enclave are further guaranteed, ensuring that different Enclaves will not conflict with each other and will not allow them to access each other.
(8) Start the Enclave initialization program, prohibit further loading and verification of EPC, generate the Enclave identity certificate, encrypt the certificate, and store it as the Enclave identification in the TCS (Thread Control Structure) of the Enclave for recovery and Verify their identity.
(9) SGX isolation is completed, the mirror program in the Enclave through hardware isolation begins to execute, and the construction of hardware isolation based on SGX technology is completed.
Startup and destruction of SGX Enclave
After completing the construction of the Enclave, in order to protect the information in the Enclave from being leaked after the Enclave ends or hangs. Applications in the enclave may exit under abnormal circumstances due to system interruptions, exceptions, etc. To solve such problems, SGX technology is used to set different processing methods for possible synchronous exits and asynchronous exits. When exiting synchronously, The data and code running in the Enclave will be based on the customized EEE (Enclave Exiting Events) Processed using the set processing method. In the case of asynchronous exit, the data and running status information in the Enclave will be encrypted with the key certificate and stored outside the Enclave. The interrupted Enclave can be selectively restored the next time the system is started.
SGX Create Enclave trusted communication channel
For SGX Enclave access requests, build a detection mechanism to limit, first determine whether the Enclave mode is started, and then determine whether the access request comes from within the Enclave, if so, continue to determine, if not, return access failure, and then generate the identity before the Enclave is given The credential is used to verify whether the access request originates from the same Enclave. If so, the access detection is passed. If not, the next Enclave identity credential is replaced according to the Enclave's identity credential record table for matching until all running Enclave are matched. Completed. If the match cannot be successful, access failure will be returned.
For more related knowledge, please visit the FAQ column!
The above is the detailed content of What is SGX in BIOS?. For more information, please follow other related articles on the PHP Chinese website!