Intel® Software Guard Extensions (Intel® SGX) has had to break ground in many areas. One of these was how to protect memory outside of the processor package. At a couple of recent workshops we have presented on the subject so that people could understand the basic concepts behind how we provide Confidentiality and Integrity over the Enclave Page Cache region of memory used in Intel SGX. Intel has now produced a whitepaper to accompany those slides, here's its abstract
Abstract: Cryptographic protection of memory is an essential ingredient for any technology that allows a closed computing system to run software in a trustworthy manner and handle secrets, while its external memory is susceptible to eavesdropping and tampering. An example for such a technology is the emerging Intel Software Guard Extensions technology (Intel SGX) that appears in the latest processor generation, Intel® Architecture codename Skylake. This technology operates under the assumption that the security perimeter includes only the internals of the CPU package, and in particular, leaves the DRAM untrusted. It is supported by an autonomous hardware unit called the Memory Encryption Engine (MEE), whose role is to protect the confidentiality, integrity, and freshness of the CPU-DRAM traffic over some memory range. To succeed in adding this unit to the micro architecture of a general purpose processor product, it must be designed under very strict engineering constraints. This requires a careful combination of cryptographic primitives operating over a customized integrity tree that mostly resides on the DRAM while relying only on a small internally stored root. The purpose of this paper is to explain how this hardware component of Intel SGX works, and the rationale behind some of its design choices. To this end, we formalize the MEE threat model and security objectives, describe the MEE design, cryptographic properties, security margins, and report some concrete performance results.
The whitepaper can be found here.