How Does SGX Protect My Data?
In the MEE
When some data needs to be written to the PRM:
- the MEE first (preemptively) checks that the data currently in DRAM is still valid,
- the MEE computes a MAC (Carter-Wegman style; Wegman and Carter, 1981),
- it stores the MAC in an integrity tree whose root is in the SRAM (on-die, hence considered secure),
- it stores the data, encrypted, in DRAM.
When some data needs to be read:
- the MEE checks the associated MAC in the integrity tree,
- it decrypts the data and puts it in the associated registers.
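The write and read paths listed above, as a toy software model (an added example, not part of the original note and not Intel's design). The class and method names, the HMAC-SHA256 MAC, the SHAKE-256 keystream and the per-write nonce are assumptions standing in for the hardware primitives.

```python
import hashlib, hmac, os

class IntegrityError(Exception): pass

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class ToyMEE:
    """Toy model: `dram` is untrusted; the keys and `root` stand for on-die state."""
    def __init__(self, nblocks=4):  # nblocks: a power of two, at most 256
        self.enc_key, self.mac_key = os.urandom(32), os.urandom(32)
        self.dram = {"ct": [b""] * nblocks, "mac": [b""] * nblocks}
        for addr in range(nblocks):
            self._store(addr, b"")
        self.root = self._tree_root()

    def _keystream(self, addr, nonce, n):  # assumption: SHAKE-256 as the cipher
        return hashlib.shake_256(self.enc_key + bytes([addr]) + nonce).digest(n)

    def _mac(self, addr, ct):  # assumption: HMAC-SHA256 as the Carter-Wegman MAC
        return hmac.new(self.mac_key, bytes([addr]) + ct, hashlib.sha256).digest()

    def _tree_root(self):
        # Binary hash tree over the per-block MACs (recomputed whole for brevity).
        level = [hashlib.sha256(m).digest() for m in self.dram["mac"]]
        while len(level) > 1:
            level = [hashlib.sha256(a + b).digest() for a, b in zip(level[::2], level[1::2])]
        return level[0]

    def _store(self, addr, data):
        nonce = os.urandom(16)  # fresh per write so the keystream never repeats
        ct = nonce + _xor(data, self._keystream(addr, nonce, len(data)))
        self.dram["ct"][addr], self.dram["mac"][addr] = ct, self._mac(addr, ct)

    def _check(self, addr):
        ct, mac = self.dram["ct"][addr], self.dram["mac"][addr]
        tree_ok = hmac.compare_digest(self._tree_root(), self.root)
        if not (tree_ok and hmac.compare_digest(mac, self._mac(addr, ct))):
            raise IntegrityError(f"block {addr} failed verification")

    def write(self, addr, data):
        self._check(addr)              # preemptive check of what DRAM holds now
        self._store(addr, data)        # encrypt and MAC the new contents
        self.root = self._tree_root()  # only the root is kept on-die

    def read(self, addr):
        self._check(addr)              # verify MAC and tree before decrypting
        ct = self.dram["ct"][addr]
        return _xor(ct[16:], self._keystream(addr, ct[:16], len(ct) - 16))
```

Restoring an older ciphertext and MAC pair into `dram` still passes the per-block MAC check, but the recomputed tree no longer matches the on-die root, which is why the root has to live outside DRAM.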
In the Processor
- it initializes the program memory and keeps a hash of the memory (called a measurement) to prove what it is,
- it deactivates initialization,
- it uses two-step context switches to avoid leaking data through the registers,
- it loads the memory of the enclave into the PRM, so that the MEE can overload the memory control mechanism to allow data encryption.
The data can be temporarily put outside of the EPC, because it is encrypted.
Wegman, M.N., Carter, L., New hash functions and their use in authentication and set equality, J. Comput. Syst. Sci. 22 3 (1981) 265.