Video Series: Intel® Software Guard Extensions—Part 1: Overview

Intel® Software Guard Extensions enables applications to run code and protect data inside trusted execution environments, giving developers direct control over security.

Hi. I'm John Mechalas with Intel. In this video, we're going to introduce you to Intel® Software Guard Extensions, or Intel® SGX. It enables applications to execute code and protect secrets inside their own trusted execution environment, giving developers direct control over their application security.

Intel SGX is designed to protect an application's secrets from malicious software. It prevents software attacks even when the application, the operating system, and the BIOS are compromised. Your application secrets will remain protected even when the attacker has full control over the platform.

What is a secret? It's anything that is not meant to be known or seen by others. Some examples of secrets include medical records, personally identifiable information, biometric factors, passwords, encryption keys, and intellectual property. Secrets of this nature must be secured in order to protect the privacy, financial interests, and even the safety of both individuals and businesses.

Intel SGX protects these secrets by creating isolated memory regions of code and data called enclaves. These nonaddressable memory pages are reserved from the system's physical RAM and then encrypted. Enclaves are protected memory regions where an application can work on its secrets without fear of exposing them.

And Intel SGX application is built with two parts, the trusted part and the untrusted part. When the application needs to work with the secret, it creates an enclave, which is placed in trusted memory.

It then calls the trusted function, a function created by the software developer for working inside the enclave. Once the function is called, the application is running in the trusted space and sees the enclave code and data as clear text.

All other attempts to access the enclave memory from outside the enclave are denied by the processor, even those made by privileged users. This prevents secrets in the enclave from being exposed.

When the trusted function returns, the enclave data remains in trusted memory. The application is back to running in the untrusted space, where it no longer has access to the trusted memory.

The videos in this series will show you the fundamentals of writing enclave applications so that you can start taking advantage of Intel SGX. Be sure to watch the playlist to learn more about Intel SGX application development. And remember to like this video and subscribe.