Intel SGX TEE
Intel SGX (Software Guard Extensions) is a set of CPU instructions that implements a hardware-based Trusted Execution Environment (TEE). It isolates selected application code and data so that privileged software (the operating system, the hypervisor, firmware, or malware running at those privilege levels) cannot read or tamper with them. The following are the core concepts of SGX:
Secure Enclave
An Enclave is the protected execution environment that SGX provides. Its code runs in user mode (Ring 3), and the CPU itself enforces access control on the Enclave's memory rather than relying on the OS or hypervisor to do so.
- Only code executing inside the Enclave (entered through the EENTER instruction) can read or write the Enclave's memory.
- External software, including the OS, hypervisor, BIOS/SMM code, administrators, and attackers holding any of those privileges, cannot read or modify Enclave memory: reads from outside return all-ones and writes are dropped.
- This isolation keeps sensitive data confidential and intact even when the underlying OS or hypervisor is compromised. It does not cover everything: the untrusted OS still controls scheduling, page tables, and I/O, so SGX does not protect availability, and side channels are explicitly outside its threat model. Published microarchitectural attacks have recovered Enclave secrets through such channels, so Enclave code must be written with side channels in mind and the platform kept at a current microcode level (TCB).
- Enclaves are typically used for private key management, multi-party computation (MPC), zero-knowledge proof (ZKP) generation, financial transaction protection, and other high-security scenarios.
Enclave Page Cache
The EPC (Enclave Page Cache) is a region of physical memory, carved out of the Processor Reserved Memory (PRM) that BIOS sets aside at boot, that holds Enclave code, data, and SGX metadata pages.
- CPU-level protection: accesses to EPC pages from ordinary applications, the OS, or other Enclaves are blocked by the CPU, and DMA from devices into the PRM is blocked as well.
- EPC capacity is limited: on client and first-generation server parts the PRM is typically 32 to 128 MB, of which roughly 93 MB is usable for Enclave pages in the 128 MB configuration; 3rd Gen Xeon Scalable and later server parts support EPC sizes of hundreds of gigabytes.
- When the working set of all Enclaves exceeds EPC capacity, the SGX driver evicts pages to ordinary DRAM (EPC paging). Eviction with EWB encrypts and MACs each page and records its version in a Version Array page, so a page reloaded with ELDU/ELDB is rejected if it was modified or replayed. The OS only ever sees ciphertext, but it does observe which pages are evicted and faulted back in, which is one of the page-level side channels Enclave code has to tolerate.
Memory Encryption Engine
The MEE (Memory Encryption Engine) is the hardware module in first-generation SGX processors that encrypts and integrity-protects EPC contents whenever they leave the CPU package, so that attacks on DRAM or on the memory bus see only ciphertext.
- EPC data is encrypted with AES in counter mode before it is written to DRAM, so an attacker who dumps physical memory obtains only ciphertext.
- Integrity and anti-replay protection: each cache line carries a MAC, and the MACs and their counters are chained in an integrity tree whose root lives in on-die SRAM, so a modified or rolled-back (replayed) memory line is detected and the platform is halted rather than continuing with corrupted data.
- Physical attacks on memory (bus probing, cold boot attacks on DRAM, interposers) therefore yield only ciphertext. The trust boundary is the CPU package itself: attacks that target the CPU (debug interfaces on production parts are fused off, but voltage fault injection and microarchitectural side channels have been demonstrated) are not something the MEE can address.
- Later server parts (3rd Gen Xeon Scalable onward) replace the MEE with a TME-MK based engine that still encrypts EPC but no longer maintains the MEE's replay-protecting integrity tree, so the confidentiality guarantee is the same while the integrity guarantee is weaker.
Local and Remote Attestation
SGX provides two attestation mechanisms to verify the integrity and trustworthiness of an Enclave.
Local Attestation
- Lets two Enclaves on the same platform prove their identity to each other, for example before exchanging a session key.
- The proving Enclave executes EREPORT with the target Enclave's MRENCLAVE. The CPU produces a REPORT (MRENCLAVE, MRSIGNER, attributes, ISV SVN, and 64 bytes of caller-chosen REPORTDATA) and MACs it with a Report Key that only the target Enclave can obtain through EGETKEY. The target verifies the MAC and thus knows the REPORT was produced by an unmodified Enclave on the same CPU.
Remote Attestation
- Lets a remote party verify that it is talking to a specific, unmodified Enclave on a genuine SGX platform, which is what makes SGX usable for cloud and blockchain applications.
- Remote attestation process:
- The Enclave generates a REPORT targeted at the Quoting Enclave (QE), normally placing a hash of a freshly generated public key and the verifier's nonce in REPORTDATA so the attestation is bound to the session.
- The QE verifies the REPORT's MAC and signs it into a Quote with the platform's attestation key: an Intel EPID group key (legacy) or an ECDSA key certified by Intel's Provisioning Certification Service (DCAP).
- The Quote is sent to the remote verifier. With EPID, the verifier forwards it to the Intel Attestation Service (IAS), which confirms the signature and group membership and returns a signed verdict; with DCAP, the verifier validates the ECDSA certificate chain locally against Intel's PCK certificates and TCB information. EPID/IAS is deprecated, so new deployments use DCAP.
- A valid signature only proves the Quote came from real SGX hardware. The verifier still has to check the report body against its own policy: MRENCLAVE (or MRSIGNER plus ISVPRODID and a minimum ISVSVN) must match the expected build, the DEBUG attribute must be clear, REPORTDATA must bind the nonce and the Enclave's key, and the reported TCB level must be acceptable. Only then should the verifier trust keys or data coming from the Enclave.
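The verifier-side policy check described above, as an added example that is not part of the original page or of Intel's SDK: it parses the sgx_report_body_t that both the EPID (v2) and ECDSA (v3) quote formats place after the 48-byte quote header and applies an identity policy. It assumes the quote signature has already been validated by the quote verification library (for DCAP, sgx_qv_verify_quote) and that the enclave follows the assumed convention REPORTDATA = SHA-256(public key || nonce) padded with zeros; the build_quote helper and all inputs are constructed test data.

```python
import hashlib
import struct

# Layout constants for sgx_report_body_t (384 bytes), which both the EPID (v2)
# and ECDSA (v3) quote formats place immediately after a 48-byte quote header.
REPORT_BODY_OFFSET = 48
REPORT_BODY_SIZE = 384
SGX_FLAGS_INITTED = 0x1      # ATTRIBUTES.FLAGS bit 0: enclave has been initialized by EINIT
SGX_FLAGS_DEBUG = 0x2        # ATTRIBUTES.FLAGS bit 1: debug enclave, memory readable by a debugger
SGX_FLAGS_MODE64BIT = 0x4


def parse_report_body(quote: bytes) -> dict:
    """Extract the fields a verifier needs from the report body embedded in a quote."""
    if len(quote) < REPORT_BODY_OFFSET + REPORT_BODY_SIZE:
        raise ValueError("quote too short to contain an SGX report body")
    body = quote[REPORT_BODY_OFFSET:REPORT_BODY_OFFSET + REPORT_BODY_SIZE]
    flags, xfrm = struct.unpack_from("<QQ", body, 48)            # sgx_attributes_t
    isv_prod_id, isv_svn = struct.unpack_from("<HH", body, 256)
    return {
        "cpu_svn": body[0:16],
        "flags": flags,
        "xfrm": xfrm,
        "mr_enclave": body[64:96],       # SHA-256 measurement of the enclave build
        "mr_signer": body[128:160],      # SHA-256 of the signer's RSA public key modulus
        "isv_prod_id": isv_prod_id,
        "isv_svn": isv_svn,
        "report_data": body[320:384],    # 64 bytes chosen by the enclave at EREPORT time
    }


def expected_report_data(enclave_pubkey: bytes, nonce: bytes) -> bytes:
    """Assumed convention: REPORTDATA = SHA-256(pubkey || nonce) followed by 32 zero bytes."""
    return hashlib.sha256(enclave_pubkey + nonce).digest() + bytes(32)


def check_enclave_policy(report: dict, policy: dict, enclave_pubkey: bytes, nonce: bytes) -> list:
    """Return the list of policy violations; an empty list means the identity is acceptable."""
    problems = []
    if not report["flags"] & SGX_FLAGS_INITTED:
        problems.append("enclave not initialized")
    if report["flags"] & SGX_FLAGS_DEBUG:
        problems.append("DEBUG attribute set: enclave memory is inspectable, reject in production")
    if "mr_enclave" in policy and report["mr_enclave"] != policy["mr_enclave"]:
        problems.append("MRENCLAVE mismatch")
    if "mr_signer" in policy and report["mr_signer"] != policy["mr_signer"]:
        problems.append("MRSIGNER mismatch")
    if "isv_prod_id" in policy and report["isv_prod_id"] != policy["isv_prod_id"]:
        problems.append("ISVPRODID mismatch")
    min_svn = policy.get("min_isv_svn", 0)
    if report["isv_svn"] < min_svn:
        problems.append(f"ISVSVN {report['isv_svn']} below minimum {min_svn}")
    if report["report_data"] != expected_report_data(enclave_pubkey, nonce):
        problems.append("REPORTDATA does not bind the expected enclave key and nonce")
    return problems


def build_quote(mr_enclave, mr_signer, flags, isv_prod_id, isv_svn, report_data) -> bytes:
    """Constructed test data: a quote-shaped buffer with a mostly zeroed v3 header and no signature."""
    body = bytearray(REPORT_BODY_SIZE)
    struct.pack_into("<QQ", body, 48, flags, 0x7)      # XFRM 0x7 = x87 | SSE | AVX state enabled
    body[64:96] = mr_enclave
    body[128:160] = mr_signer
    struct.pack_into("<HH", body, 256, isv_prod_id, isv_svn)
    body[320:384] = report_data
    header = struct.pack("<HH", 3, 2) + bytes(44)      # version 3, attestation key type ECDSA-P256
    return header + bytes(body)


if __name__ == "__main__":
    mr_e = hashlib.sha256(b"constructed enclave build").digest()
    mr_s = hashlib.sha256(b"constructed signer key").digest()
    pub, nonce = bytes([4]) + bytes(64), bytes(range(16))
    policy = {"mr_signer": mr_s, "isv_prod_id": 1, "min_isv_svn": 3}
    quote = build_quote(mr_e, mr_s, SGX_FLAGS_INITTED | SGX_FLAGS_MODE64BIT | SGX_FLAGS_DEBUG,
                        1, 5, expected_report_data(pub, nonce))
    print(check_enclave_policy(parse_report_body(quote), policy, pub, nonce))
```

The MRSIGNER policy used in the example is what most deployments want, since it survives enclave updates; pin MRENCLAVE instead when every build must be individually approved. Whichever is chosen, the DEBUG and REPORTDATA checks are not optional: a debug enclave leaks everything to the host, and without the REPORTDATA binding a valid quote can be replayed in front of an attacker-controlled key.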
Data Sealing
Enclave memory does not survive Enclave teardown or a reboot, so SGX provides Sealing: encrypting data under a key derived inside the CPU so it can be stored on untrusted disk and retrieved by a later instance of the Enclave.
- The Seal Key is derived by the EGETKEY instruction from secrets fused into the CPU, the platform OWNEREPOCH, the CPUSVN, the requested ISVSVN, and one of two identities chosen by the key policy: MRENCLAVE, so only the exact same Enclave build can unseal the data, or MRSIGNER together with ISVPRODID, so any Enclave of the same product from the same signer can, which is what allows sealed data to survive an Enclave upgrade.
- The key never leaves the CPU, and the sealed blob stores only the key request (policy, ISVSVN, key ID) in the clear, so the owner re-derives the key at unseal time; the SDK's sgx_seal_data then uses AES-GCM under that key.
- Version checks work in one direction: the CPU refuses to derive keys for an ISVSVN higher than the calling Enclave's own, so a newer Enclave can unseal and re-seal data written by an older one, but an older (possibly vulnerable) build cannot read data sealed by its successor.
- Sealing does not protect against rollback: the untrusted OS can hand the Enclave an older sealed blob instead of the latest one. Where freshness matters, the Enclave must pair sealing with a monotonic counter or an external source of freshness.
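The sealing behaviour described in this section, as an added example that is not part of the original page or of Intel's SDK: it models EGETKEY seal-key derivation with an HMAC over a constructed platform secret and the caller's identity, enforces the ISVSVN rule, and seals and unseals data under both key policies so the upgrade and cross-enclave cases can be exercised offline. The HMAC-based keystream and tag stand in for the AES-GCM that sgx_seal_data uses, the field names follow sgx_key_request_t, and the platform secret and enclave identities are constructed values.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

SGX_KEYPOLICY_MRENCLAVE = 0x1   # bind the key to this exact enclave build
SGX_KEYPOLICY_MRSIGNER = 0x2    # bind the key to the signer and product id, allowing upgrades


@dataclass(frozen=True)
class EnclaveIdentity:
    mr_enclave: bytes
    mr_signer: bytes
    isv_prod_id: int
    isv_svn: int


def egetkey_seal(platform_secret: bytes, enclave: EnclaveIdentity,
                 key_policy: int, isv_svn: int, key_id: bytes) -> bytes:
    """Stand-in for EGETKEY: derive a seal key from the platform secret and the caller's identity.

    The CPU refuses a request for an ISVSVN newer than the calling enclave's own, so an older
    (possibly vulnerable) enclave cannot derive the keys of its patched successor, while a
    newer enclave can still derive its predecessors' keys to migrate their sealed data.
    """
    if isv_svn > enclave.isv_svn:
        raise PermissionError("requested ISVSVN exceeds the calling enclave's ISVSVN")
    if key_policy & SGX_KEYPOLICY_MRENCLAVE:
        identity = b"MRENCLAVE" + enclave.mr_enclave
    elif key_policy & SGX_KEYPOLICY_MRSIGNER:
        identity = b"MRSIGNER" + enclave.mr_signer + enclave.isv_prod_id.to_bytes(2, "little")
    else:
        raise ValueError("key policy must select MRENCLAVE or MRSIGNER")
    material = b"SEAL_KEY" + identity + isv_svn.to_bytes(2, "little") + key_id
    return hmac.new(platform_secret, material, hashlib.sha256).digest()


def _keystream(key: bytes, key_id: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a stand-in for the AES-GCM used by sgx_seal_data."""
    out = b""
    for counter in range((length + 31) // 32):
        block_input = b"KEYSTREAM" + key_id + counter.to_bytes(4, "little")
        out += hmac.new(key, block_input, hashlib.sha256).digest()
    return out[:length]


def seal(platform_secret: bytes, enclave: EnclaveIdentity, key_policy: int,
         plaintext: bytes, aad: bytes = b"") -> dict:
    """Seal plaintext; the key request (policy, ISVSVN, key id) is stored in the clear, as the SDK does."""
    key_id = os.urandom(32)
    key = egetkey_seal(platform_secret, enclave, key_policy, enclave.isv_svn, key_id)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, key_id, len(plaintext))))
    tag = hmac.new(key, aad + ciphertext, hashlib.sha256).digest()
    return {"key_policy": key_policy, "isv_svn": enclave.isv_svn, "key_id": key_id,
            "aad": aad, "ciphertext": ciphertext, "tag": tag}


def unseal(platform_secret: bytes, enclave: EnclaveIdentity, blob: dict) -> bytes:
    """Re-derive the key from the stored key request; any identity mismatch shows up as a bad tag."""
    key = egetkey_seal(platform_secret, enclave, blob["key_policy"], blob["isv_svn"], blob["key_id"])
    tag = hmac.new(key, blob["aad"] + blob["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, blob["tag"]):
        raise ValueError("sealed data authentication failed: wrong enclave, signer, or platform")
    keystream = _keystream(key, blob["key_id"], len(blob["ciphertext"]))
    return bytes(c ^ k for c, k in zip(blob["ciphertext"], keystream))


if __name__ == "__main__":
    secret = hashlib.sha256(b"constructed fused key and owner epoch").digest()
    signer = hashlib.sha256(b"constructed vendor signing key").digest()
    v1 = EnclaveIdentity(hashlib.sha256(b"build v1").digest(), signer, 7, 1)
    v2 = EnclaveIdentity(hashlib.sha256(b"build v2").digest(), signer, 7, 2)
    blob = seal(secret, v1, SGX_KEYPOLICY_MRSIGNER, b"config sealed by v1")
    print(unseal(secret, v2, blob))   # the upgraded build can read data sealed by v1
```

Note what the model does not give you: nothing stops the OS from presenting an old blob, so the rollback caveat above still applies, and the AAD field is the place to bind the blob to a purpose or version so a sealed value cannot be swapped into a different context.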