What is Intel SGX (Software Guard Extensions)?
by Brett Daniel, on Jan 25, 2021 9:00:00 AM
Table of Contents
- What is Intel Software Guard Extensions (SGX)?
- What is Intel SGX used for?
- How does Intel SGX work?
- Who uses Intel SGX?
- Which Intel CPUs use Intel SGX?
- How do I enable and disable Intel SGX?
- Should you disable Intel SGX?
- Conclusion: Trenton Servers & Workstations Support SGX
Intel cares about securing your most sensitive data. It’s one of the main reasons why we’ve been an Intel trusted partner for decades.
They offer a smorgasbord of advanced technologies that help users keep sensitive data from prying eyes and mitigate nation-state attacks. They even offer a vast product specifications library (ARK) that lets users know whether their products utilize these very technologies.
Today, we’re looking at one of Intel's CPU technologies in depth: Intel® SGX. We’ll describe what it is, what it’s used for, how it works, who uses it, which Intel CPUs support it, how to enable and disable it and whether you should consider the latter, and finally, we’ll talk about availability.
Without further ado, let’s jump right into this awesome technology.
What is Intel Software Guard Extensions (SGX)?
Intel Software Guard Extensions (SGX) is a set of CPU instructions built into many of Intel’s x86 processors. SGX lets an application set aside part of its own address space as an enclave: a region of code and data that the CPU isolates from everything else on the machine, including the operating system, the hypervisor and the system firmware, so that sensitive information can be processed with a much smaller set of components to trust.
Put a different way, enclave pages live in a reserved region of RAM called the Enclave Page Cache (EPC). Inside the processor package the CPU enforces that only the owning enclave can touch those pages; whenever their contents leave the package for DRAM, a hardware memory-encryption engine encrypts them and checks their integrity on the way back in. It is hardware-enforced isolation plus memory encryption, and it lets users protect their most sensitive data by placing it, and the code that handles it, inside the enclave.
SGX is relatively new: it debuted in 2015 with Intel’s sixth-generation (Skylake) Core processors and the Xeon E3 server parts built on the same microarchitecture.
According to a paper published by MIT’s Computer Science and Artificial Intelligence Laboratory, SGX’s original goal was to solve the problem of secure remote computation, or “the problem of executing software on a remote computer owned and maintained by an untrusted party.”
The trusted hardware establishes a secure container, and the remote computation service user uploads the desired computation and data into the secure container. The trusted hardware protects the data’s confidentiality and integrity while the computation is being performed on it.
- MIT's Intel SGX Explained
If you’re interested in learning how to utilize Intel SGX in your server or workstation, check out this thorough SGX tutorial by Daniel Ehnes, writing for Medium, to learn how to program a secure enclave.
Infographic: Intel Software Guard Extensions (SGX)
What is Intel SGX used for?
Intel SGX is a set of instructions used for boosting the security of application code and data, which gives users a greater degree of protection from disclosure or alteration of said data. Essentially, Intel SGX helps keep users’ sensitive data from being revealed or modified by creating a trusted execution environment within memory.
Such sensitive data includes information like medical records, financial records, passwords, encryption keys, biometric identification factors – any information that, if disclosed or modified, could cause harm.
SGX narrows the set of components an application has to trust down to the CPU and the code inside the enclave. Malicious software running at a higher privilege level, in the OS, the hypervisor (VMM), the BIOS or System Management Mode (SMM), can still schedule, suspend or kill the enclave, but it cannot read or tamper with enclave memory: the CPU denies every access to enclave pages that does not come from the enclave itself, and the pages are encrypted whenever they sit in DRAM, so even a physical probe on the memory bus sees only ciphertext.
Two caveats a practitioner should keep in mind. First, SGX protects confidentiality and integrity, not availability: the OS still owns scheduling and paging, so it can deny the enclave service, and the enclave’s job is to detect tampering, not to prevent being stopped. Second, SGX does not by itself defend against side channels. Cache-timing, page-fault and speculative-execution attacks (Foreshadow, published in 2018, is the best-known example) have extracted enclave secrets and had to be closed with microcode and SDK updates, so an SGX deployment needs current firmware and carefully written enclave code, just like any other security boundary.
Using this new application-layer trusted execution environment, developers can enable increased identity and records privacy, more secure browsing, digital rights management (DRM), hardened endpoint protection, and many high assurance security use cases that need to store secrets more safely or protect data.
There’s a myriad of use cases for SGX, including but not limited to:
- Runtime applications, protected through execution within SGX secure enclaves
- Securing IoT edge device communication between cloud and client
- Protection of intellectual property
- Secure communications between senders and recipients
Visit Intel’s SGX webpage for a full list of use cases.
How does Intel SGX work?
Quarkslab offers a great explanation of the Intel SGX process, complete with easy-to-understand diagrams, so definitely check out their overview.
Also, Intel maintains that SGX has a low learning curve, so developers won’t have to spend a ton of time figuring out how it works and how to properly take advantage of it.
But in short, this is how Intel SGX works:
- At development time, the application is partitioned into two parts: the trusted part, which becomes the enclave, and the untrusted part, which is ordinary code running under the OS. The developer declares the functions that cross the boundary: calls into the enclave (ECALLs) and calls out of it (OCALLs).
- When the application launches, the untrusted part asks the OS, through the SGX driver, to create the enclave: the CPU reserves enclave pages in the EPC, copies the enclave’s code and data into them, and measures every page as it goes. The resulting measurement (MRENCLAVE) is what identifies the enclave later, for example to a remote party during attestation.
- When an enclave function is called, execution enters the enclave only at entry points the developer defined, and only code inside the enclave can read its memory; any access from outside, even from the kernel, is denied by the CPU. When the function returns, the enclave’s data stays behind in protected memory rather than being copied out.
The process can seem a bit abstract, especially if you’re not incredibly familiar with SGX. Thankfully, Intel does a great job of breaking it down in their Intel SGX Product Brief.
At runtime, Intel SGX instructions build and execute the enclave in a special encrypted memory region, with entry and exit points restricted to locations defined by the developer. This helps prevent data leakage. Enclave code and data run in the clear only inside the CPU package; as enclave data is written out to memory it is encrypted and integrity-protected, so unauthorized access or snooping on the memory bus yields ciphertext, and a page that was tampered with is detected when it is read back.
Who uses Intel SGX?
Anyone with SGX-capable Intel CPUs can secure selections of their most sensitive data using SGX. Military, commercial, and industrial programs and applications that rely on servers and workstations with these CPUs have access to the technology. It has widespread use across a variety of industries, because it’s baked right into the CPU and serves a purpose that’s not unique to any one industry: protecting sensitive application data from unauthorized access. Read more about an SGX use case here.
That wonderful paper published by MIT details some SGX scenarios, though. One use case listed is for medical imaging, and by reading it, you’ll see how the technology can be advantageous across multiple industries.
A cloud computing service that processes confidential medical images could take advantage of SGX by having users upload encrypted images, with the encryption keys being sent by the users to the software running within a secure enclave. This enclave, of course, contains the processing algorithm and the protected code for encrypting and decrypting the images. The code that receives the uploaded encrypted images and stores them would be left outside the enclave.
For more information on how Intel SGX is implemented, check out Intel’s SGX video series.
Which Intel CPUs use Intel SGX?
Here’s a step-by-step process to determine which Intel CPUs use Intel SGX:
- Visit Intel’s Product Specifications advanced search.
- Make sure “processors” is selected.
- In the left-hand “choose a filter” dropdown list, select “Intel Software Guard Extensions (Intel SGX).”
- In the right-hand “choose a filter” dropdown list, select the variable that applies to you.
- Browse the results to see if your CPU is listed.
To determine whether your CPU supports Intel SGX, you can:
- Visit the Product Specifications library.
- Enter your processor number in the “search specifications” search bar.
- Once you’re on the specification for your processor, click “Security and Reliability” in the table of contents to the left. The processor’s support for SGX should be listed under a heading of the same name.
Photo: You'll have to play around with some BIOS settings to enable, disable, or set automatic enablement of Intel SGX.
How do I enable and disable Intel SGX?
According to Intel, before an application can use Intel SGX, four conditions must be met:
- Your servers’ or workstations’ CPUs must support Intel SGX instructions.
- Your BIOSes must also support Intel SGX.
- Your BIOSes must have Intel SGX enabled.
- Intel’s SGX Platform Software must be installed on your servers or workstations.
Within your BIOS, assuming it exposes the SGX setting, you can choose one of three states: Enabled, Disabled, or Software Controlled. Software Controlled does not turn SGX on by itself; it leaves the decision to software, so that the Intel SGX Platform Software can request enablement (typically taking effect after one reboot) without anyone entering the BIOS. It is the convenient choice for users who never want to visit the BIOS setup to manage SGX.
Intel has a fantastic guide detailing SGX setup and verification for both Windows and Linux systems. Be sure to check it out and make use of the table of contents in the left-hand section of this guide.
If your CPUs don’t support Intel SGX, then attempting to enable SGX is futile. If the CPU does support it, however, the next step of enabling SGX is to verify that your BIOS supports SGX. You can check whether your BIOS supports SGX by navigating the BIOS manually or using Intel’s feature detection procedures.
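Intel ARK tells you what a SKU advertises; what the running processor actually reports comes from the CPUID instruction, which is what Intel’s feature detection procedure reads. The following C program is an added example, not code from the original article or from Intel: it decodes CPUID leaf 7 (the SGX and launch-control bits) and leaf 0x12 (SGX1/SGX2 support, maximum enclave size and the Enclave Page Cache sections), and on Linux checks for the kernel’s SGX device node. The decoding is split into pure functions that take raw register values, so the logic can be exercised with constructed inputs on a machine that has no SGX at all; the struct and function names are my own, not Intel’s.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#define HAVE_CPUID 1
#else
#define HAVE_CPUID 0
#endif
#ifdef __linux__
#include <unistd.h>
#endif

/* What CPUID says about SGX on one processor (names are this example's own). */
struct sgx_info {
    int sgx;        /* CPUID.(7,0):EBX[2]    : core implements SGX */
    int sgx_lc;     /* CPUID.(7,0):ECX[30]   : flexible launch control */
    int sgx1;       /* CPUID.(0x12,0):EAX[0] : SGX1 instructions (ECREATE/EADD/EINIT/EENTER...) */
    int sgx2;       /* CPUID.(0x12,0):EAX[1] : SGX2 (dynamic EPC page management) */
    unsigned max_enclave_log2_64;  /* CPUID.(0x12,0):EDX[15:8] : log2 of max enclave size, 64-bit mode */
    int epc_sections;
    uint64_t epc_bytes;            /* total size of valid EPC sections (subleaves >= 2) */
};

/* Pure decoders: they take raw register values so they can be tested with
 * constructed inputs on hardware without SGX. */
void sgx_decode_leaf7(uint32_t ebx, uint32_t ecx, struct sgx_info *o)
{
    o->sgx    = (ebx >> 2) & 1;
    o->sgx_lc = (ecx >> 30) & 1;
}

void sgx_decode_leaf12_sub0(uint32_t eax, uint32_t edx, struct sgx_info *o)
{
    o->sgx1 = eax & 1;
    o->sgx2 = (eax >> 1) & 1;
    o->max_enclave_log2_64 = (edx >> 8) & 0xff;
}

/* One EPC section descriptor (CPUID leaf 0x12, subleaf n >= 2): EAX[3:0] is the
 * type (1 = valid section), EBX[19:0]:EAX[31:12] the physical base and
 * EDX[19:0]:ECX[31:12] the size. Returns the size in bytes, 0 for "no section". */
uint64_t sgx_decode_epc_section(uint32_t eax, uint32_t ebx, uint32_t ecx, uint32_t edx,
                                uint64_t *base_out)
{
    if ((eax & 0xf) != 1)
        return 0;
    uint64_t base = ((uint64_t)(ebx & 0xfffff) << 32) | (eax & 0xfffff000u);
    uint64_t size = ((uint64_t)(edx & 0xfffff) << 32) | (ecx & 0xfffff000u);
    if (base_out)
        *base_out = base;
    return size;
}

/* Capability only; BIOS enablement is a separate question (see main). */
int sgx_capable(const struct sgx_info *o)
{
    return o->sgx && o->sgx1 && o->epc_bytes > 0;
}

/* Query the live processor. Returns 0 on a non-x86 build or when the
 * processor does not expose leaf 0x12 / the SGX bit. */
int sgx_probe(struct sgx_info *o)
{
    *o = (struct sgx_info){0};
#if HAVE_CPUID
    uint32_t a, b, c, d;
    if (__get_cpuid_max(0, NULL) < 0x12)
        return 0;
    __cpuid_count(7, 0, a, b, c, d);
    sgx_decode_leaf7(b, c, o);
    if (!o->sgx)
        return 0;
    __cpuid_count(0x12, 0, a, b, c, d);
    sgx_decode_leaf12_sub0(a, d, o);
    for (uint32_t sub = 2; sub < 34; sub++) {   /* walk EPC sections until an invalid one */
        __cpuid_count(0x12, sub, a, b, c, d);
        uint64_t size = sgx_decode_epc_section(a, b, c, d, NULL);
        if (!size)
            break;
        o->epc_sections++;
        o->epc_bytes += size;
    }
    return 1;
#else
    return 0;
#endif
}

/* Linux 5.11+ exposes SGX through /dev/sgx_enclave; the older out-of-tree
 * driver used /dev/isgx. Either node exists only if the kernel found SGX enabled. */
const char *sgx_linux_device(void)
{
#ifdef __linux__
    if (access("/dev/sgx_enclave", F_OK) == 0) return "/dev/sgx_enclave";
    if (access("/dev/isgx", F_OK) == 0)        return "/dev/isgx";
#endif
    return NULL;
}

int main(void)
{
    struct sgx_info info;
    if (!sgx_probe(&info) || !sgx_capable(&info)) {
        puts("CPUID reports no usable SGX on this processor");
        return 1;
    }
    printf("SGX1=%d SGX2=%d launch-control=%d max enclave=2^%u bytes\n",
           info.sgx1, info.sgx2, info.sgx_lc, info.max_enclave_log2_64);
    printf("EPC: %d section(s), %llu MiB\n", info.epc_sections,
           (unsigned long long)(info.epc_bytes >> 20));
    /* CPUID describes capability. Whether the BIOS actually enabled SGX is recorded in
     * IA32_FEATURE_CONTROL (MSR 0x3A, bit 18), which needs kernel privilege to read;
     * the Linux kernel checks it and only creates the device node (and shows the
     * "sgx" flag in /proc/cpuinfo) when SGX is enabled. */
    const char *dev = sgx_linux_device();
    printf("kernel SGX device: %s\n", dev ? dev : "none (SGX disabled in BIOS, or no driver)");
    return 0;
}
```

Build it with `gcc -O2 -o sgxprobe sgxprobe.c` and run it as an ordinary user. Two things to remember when reading the output: inside a virtual machine, CPUID shows whatever the hypervisor chose to expose, not the host’s real capabilities; and a processor that reports SGX1 and a non-empty EPC but no device node is the usual signature of the BIOS option being set to Disabled (or of a kernel without SGX support), which is exactly the case the four conditions above are meant to catch.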
Enabling Intel SGX is neither complex nor difficult. Courtesy of Intel, here’s how to enable Intel SGX in the BIOS in just four steps:
- During system boot, type the keystroke(s) (usually a function key) to enter BIOS.
- Navigate through the following menus: Intel Advanced Menu->CPU Configuration->SW Guard Extensions (SGX)
- The BIOS displays the options that follow. Not all system OEMs support all three options.
- Enabled – the option is set, and Intel SGX is available for use by applications.
NOTE: If enabled, Intel Advanced Menu->CPU Configuration->PRMRR must also be configured. (Some OEMs may automatically assign a PRMRR value when Intel SGX is enabled.) If the OEM supports PRMRR selection, set the value to 32MB, 64MB, or 128MB. The default option for the Intel reference BIOS is 128 MB. The PRMRR (Processor Reserved Memory Range Register) size bounds the Enclave Page Cache, the protected memory that all enclaves on the system share; an enclave whose working set exceeds it still runs, but the driver has to page enclave memory in and out, which costs performance, so choose the largest value your memory budget allows if you expect to run several enclaves.
- Software Controlled – SGX is left for software to enable: your application, or the Intel SGX Platform Software on its behalf, must use the enablement API from the Intel SGX feature detection procedure. This option may require a system reboot.
- Disabled – Intel SGX is explicitly disabled and cannot be enabled through software applications.
- After enablement, enter the keystrokes to save and exit the BIOS.
So, to summarize, it’s important for application installers to verify whether their servers’ and workstations’ CPUs and BIOSes support Intel SGX, whether the SGX Platform Software has been installed, and finally, whether SGX has been enabled, disabled, or set to autopilot. Some applications actually require Intel SGX to run and will report a user error if Intel SGX is not detected or enabled.
Graphic: As to whether you should disable Intel SGX, the short answer is no. Even better, ask yourself, "Why would I disable SGX?"
Should you disable Intel SGX?
If you run, or plan to run, applications that depend on Intel SGX, don’t disable it.
Disablement offers no application or data protection whatsoever, and a BIOS setting of Disabled cannot be overridden from the OS: applications that rely on SGX will fail at launch, and you won’t even be able to install the Intel SGX Platform Software if SGX is disabled.
To avoid unintentionally disabling Intel SGX, set the BIOS option to Software Controlled. In that state the platform software turns SGX on the first time something needs it (usually after one reboot), and the setting then persists, so you never have to revisit the BIOS enablement menu. The one reasonable case for Disabled is a system that will never run an enclave, where you may prefer to reclaim the memory the PRMRR reserves; if you do that, remember to re-enable SGX before deploying SGX-dependent software.
Photos: Trenton Systems' rugged servers and workstations incorporate Intel Core and Xeon CPUs that support Intel SGX.
Conclusion: Trenton Servers & Workstations Support Intel SGX
Well, there you have it. We talked about:
- What Intel SGX is
- What Intel SGX is used for
- How Intel SGX works
- Who uses Intel SGX
- Which Intel CPUs use SGX
- How to enable and disable Intel SGX
- Whether you should disable Intel SGX
Here at Trenton Systems, our servers and workstations incorporate CPUs that support Intel SGX, as well as Intel PFR and Intel TME, and our amazing support team is happy to assist customers with setting up SGX in the BIOS.
And because we’re a longtime Intel solutions partner, we also have a direct line to Intel for assistance with any advanced SGX inquiries.
If you’re curious about the options available to you, our team is here to help.