Konubinix' opinionated web of thoughts

How Does Sgx Protects My Data?


In the MEE

When some data needs to be written in the PRM,

  1. the MEE first (preemptively) checks that the data on DRAM is still conform,
  2. the MEE computes a MAC (a Carter-Wegman style [1]),
    1. the MAC uses a two dimensional nonce to avoid replay attack.
  3. it stores the MAC in an integrity tree whose root is in the SRAM (on-die, hence considered secure),
  4. it stores the data, encrypted, on the DRAM

When some data needs to be read

  1. the MEE checks the associated MAC in the integrity tree,
  2. it decrypts the data and put it in the associated registers.

In the Processor

The processor

  • initializes the program memory and keeps a hash of the memory (called a measurement) to prove what it is,
  • deactivate initialization,
  • use two steps contexts switches to avoid leaking data in the registers,
  • it loads the memory of the enclave into a PRM, so that the MEE can overload the memory control mechanism to allow data encryption.

Data eviction

The data can be temporary put outside of the EPC, for it is encrypted.

Notes linking here



WEGMAN, M.N., CARTER, L., New hash functions and their use in authentication and set equality., J. comput. syst. sci. 22 3 (1981) 265.