SGX

是一种 TEE 的实现。SGX 不同于之前的 TEE 实现,比如 ARM 的 TrustZone。SGX 每个 APP 都可以有自己独立的 TEE,甚至可以创建多个 TEE;而 TrustZone 是整个系统只有一个 TEE。因此 SGX 也省去了向设备厂商申请将 TA (可信应用)装入 TEE 的过程。由于 SGX 的先进性,目前云端机密计算领域甚至已公认用 Enclave 这个词来指代 TEE。

巨头争相布局的“机密计算”,究竟机密在哪? - 知乎

Enclave

允许用户态及内核态代码定义将特定内存区域,设置为私有区域,此区域也被称作飞地(Enclaves)。其内容受到保护,不能被本身以外的任何进程存取,包括以更高权限级别运行的进程。

威胁模型:Enclaves 是可信的,但 Enclaves 之外的任何进程都不可信(包括操作系统本身和任何虚拟化管理程序)。

Quoting Enclave

A quoting enclave is an enclave that produces quotes, or remote attestations, on behalf of enclaves running on the same machine.

SGX remote attestation

When an application receives an attestation request from an off-platform challenger

  • The application requests that its enclave produce an attestation.
  • A two-part process follows involving the application sending a local attestation from its enclave to a Quoting Enclave (QE).
  • The Quoting Enclave verifies the local-attestation and converts it into a remote attestation (a Quote) by signing the it using its asymmetric attestation key. The Quote is returned to the application and then to the challenger.
  • Finally, the Challenger can use an Attestation Verification Service to perform Quote verification.

Only a attestation is converted to a Quote can it be attested off-platform.

Ref: Supporting Third Party Attestation for Intel® SGX with Intel® Data Center Attestation Primitives

MKTME

Motivation:

MKTME allows page-granular encryption of memory.

Can be used under virtualization environment, each VM can has its own key.

History:

AMD’s Secure Memory Encryption (SME) encrypted memory with a single key stored in hardware in order to protect data against physical attacks (third-party gaining unauthorized data to stolen laptops). Meanwhile, AMD’s Secure Encrypted Virtualization (SEV) offered a single encryption key per virtual machine, thus protecting a virtual machine's contents against malicious hypervisors - a feature that should be welcome in most data centers.

At the time, Intel already had its Software Guard eXtensions (SGX) feature in both enterprise and consumer chips, which acted as a “secure enclave” within a memory section for small amounts of data such as encryption keys. However, SGX can’t encrypt a whole VM or the whole memory.

Following AMD’s release of SME and SEV, Intel has also been working on Total Memory Encryption (TME) and more recently on MKTME, both of which promise to encrypt system memory at rest, at runtime, and in transit.

Intel Follows AMD's Lead on Full Memory Encryption | Tom's Hardware

Mechanism:

Total Memory Encryption (TME) – the capability to encrypt the entirety of physical memory of a system. This capability is typically enabled in the very early stages of the boot process with a small change to BIOS and once configured and locked, will encrypt all the data on external memory buses of an SoC. The encryption key used for TME uses a hardware random number generator implemented in the Intel SoC, and the keys are not accessible by software or using external interfaces to the Intel SoC.

The AES XTS encryption engine is in the direct data path to external memory buses and therefore, all the memory data entering and/or leaving the SoC on memory buses is encrypted using AES XTS. The data inside the SoC (in caches, etc.) remains plain text.

The KeyID is included in the PTE as upper bits of the physical address field.

MKTME requires TME and therefore cannot be enabled without enabling TME.

IA32_TME_CAPABILITY [35:32] (MK_TME_MAX_KEYID_BITS), Number of bits which can be

allocated for usage as key identifiers. 4 bits allow for a max value of 15, which can address 32K keys.

When MKTME is activated, the upper bits of the physical address (starting with the highest order bit available as enumerated by the CPUID MAX_PA info) are repurposed for usage as a KeyID as shown below.

The MKTME engine maintains an internal key table not accessible by software to store the information (key and encryption mode) associated with each KeyID. Each KeyID may be associated with three encryption modes.

As mentioned earlier in the document, the KeyID is an integral part of the physical address, meaning it is not only present in page tables but is also present in the TLB, caches, etc.

Difference between SGX and MKTME

SGX and MKTME are both security technologies designed to protect sensitive data, but they have different use cases and approaches to achieving their goals. SGX provides secure execution environments for applications and services running on a system, while MKTME provides memory encryption for virtual machines to protect against certain types of attacks. (From ChatGPT)