Video Series: Intel® Software Guard Extensions—Part 3: Application Design
Although each enclave is unique, all Intel® Software Guard Extensions applications share the same structure. Learn about common design principles that apply to all of them.
Hi, I'm John Mechalas with Intel. In this video we're going to discuss application design for Intel® Software Guard Extensions, or Intel® SGX. Well, each enclave is unique. All Intel SGX applications share the same basic structure. This means there are some common design principles that apply to all of them. Intel SGX applications are built with two parts: the trusted part and the untrusted part.
The trusted part of your application consists of its enclaves. An application can have only one enclave or it can have several. The enclaves reside in encrypted memory and are protected by Intel SGX. Enclaves are considered trusted because they cannot be modified after they have been built. If an enclave is modified by a malicious user or software, it will be detected by the CPU and the enclave won't load.
The untrusted part of your application is simply the rest of the application. Any application or memory region not protected by Intel SGX is considered untrusted. Designing an Intel SGX application requires that you partition your code. You need to identify which code belongs in the enclave, which code belongs outside of it, and how the trusted and untrusted parts interact. Here are the key steps in partitioning your code:
Step one, identify your secrets. Secrets are anything that are not meant to be known outside the application where they are being used. These are the pieces of data you want to protect from exposure.
Step two, identify providers and consumers of secrets. You want to map out the flow of your secrets between application components. Where are your secrets coming from and where will they be going?
Step three, identify the enclave boundary. When drawing the boundary, your goal is to encompass as many secrets as possible and minimize the number of secrets that must cross it. However, you should not encompass more of the application than is strictly necessary. Large enclaves are more difficult to debug, have a larger attack surface, and consume more resources than small ones.
Step four, tailor your code for the enclave. When writing your enclave and its interfaces, keep two important points in mind:
- The first is that there is a fixed amount of memory available to all running enclaves on a system. Enclaves should be kept as small as possible, and should be destroyed when their secrets are no longer needed.
- The second is that calls into and out of the enclave incur a performance penalty, much like a CPU context switch. It is more efficient to make one call that does a lot of work in the enclave than it is to make several smaller calls.
These steps outlined the fundamental strategy for designing an Intel SGX application. Be sure to watch the rest of this playlist to learn more about Intel SGX application development, and remember to like this video, and subscribe.