Intel SGX
Reference
Interactions
Reference: Overview of Intel SGX, part2
ECALL: Enclave Call. Application invokes a pre-defined function inside the enclave.
- can pass input parameters and pointers to shared memory within the application.
OCALL: Outside Call. Enclave invokes a pre-defined function in the application.
- An OCALL cannot share enclave memory with the application;
- It must copy the parameters into the application memory before the OCALL;
AEX: Asynchronous Exit. Exit an enclave because of an interruption or an exception.
- Transfer control from the enclave to the application from arbitrary points inside the enclave.
Architectural Enclaves
References: Communication between Architectural and Application Enclaves
Architectural Enclaves:
- Launch Enclave (LE)
- Receives request from other enclaves wishing to launch on the platform;
- Examines requesting enclave’s signature and identity, to verify whether the requesting enclave is valid or not;
- Generates the
EINITTOKEN from its private Launch Key;
- Assigns
EINITTOKEN to the requesting enclaves;
- Provisioning Enclave (PvE)
- Retrieves the Attestation Key from Intel Provisioning Service;
- Has to use the certificate provided by Provisioning Certificate Enclave below;
- Provisioning Certificate Enclave (PcE)
- Is responsible for signing the processor certificate;
- Signs the certificate using its private Provisioning Key;
- Quoting Enclave (QE)
- Is responsible for providing trust in the enclave identity and its execution environment during remote attestation process;
- Uses the Attestation Key offered by Provisioning Enclave;
- Turns a REPORT (locally verifiable) into a QUOTE (remotely verifiable)
- Platform Service Enclaves (PSE)
- Are responsible for offering other enclaves various trusted services using Management Engine;
- Monotonic counters;
- Truste time;